Back

Exposing Attack Operations Utilizing PyPI Against Windows, Linux and macOS Platforms

July 8, 2024, 10:56 a.m.

Tags

malware
apt
supply chain
lazarus
2024-07-08
pypi
comebacker
cross-platform

External References

https://mp.weixin.qq.com/

https://otx.alienvault.com/

Description

The report details the APT-C-26 (Lazarus) group's recent attack campaign utilizing malicious Python packages hosted on the PyPI repository to deliver payloads targeting multiple platforms including Windows, Linux, and macOS. It analyzes the attack flow, delivery methods, and malware components involved, providing insights into the group's tactics and capabilities spanning various operating systems. The report also attributes the activity to the Lazarus group based on evidence linking it to their previous attack patterns and infrastructure.

Date

Published Created Modified
July 8, 2024, 10:50 a.m. July 8, 2024, 10:50 a.m. July 8, 2024, 10:56 a.m.

Indicators

e9d478dca6ce1b642abfdb94af21f0d567594479a14d3780e148400649591fcf

b4c8c149005a43ae043038d4d62631dc1a0f57514c7cbf4f7726add7ec67981a

973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c

2c8f00824ca2b4ddb4e2e910ee042ba46a570984d1bc094f0014655d883b8519

1a9cea5e43cfe6377b20f09becf8547deba702718d1ee220ef677f53f30e820d

17d3593519f6a016879093bfb7cc63070646951191e28c1dfad52942099f59cc

70c5b64589277ace59db86d19d846a9236214b48aacabbaf880f2b6355ab5260

c56c94e21913b2df4be293001da84c3bb20badf823ccf5b6a396f5f49df5efff

b4a04b450bb7cae5ea578e79ae9d0f203711c18c3f3a6de9900d2bdfaa4e7f67

956d2ed558e3c6e447e3d4424d6b14e81f74b63762238e84069f9a7610aa2531

8fb6d8a5013bd3a36c605031e86fd1f6bb7c3fdba722e58ee2f4769a820b86b0

6bba8f488c23a0e0f753ac21cd83ddeac5c4d14b70d4426d7cdeebdf813a1094

3ab6e6fc888e4df602eff1c5bc24f3e976215d1e4a58f963834e5b225a3821f5

60c080a29f58cf861f5e7c7fc5e5bddc7e63dd1db0badc06729d91f65957e9ce

26437bc68133c2ca09bb56bc011dd1b713f8ee40a2acc2488b102dd037641c6e

173e6bc33efc7a03da06bf5f8686a89bbed54b6fc8a4263035b7950ed3886179

01c5836655c6a4212676c78ec96c0ac6b778a411e61a2da1f545eba8f784e980

91.206.178.125

http://91.206.178.125:80

http://91.206.178.125/upload/upload.asp

Attack Patterns

Comebacker

APT-C-26 (Lazarus)

T1099

T1064

T1497

T1021

T1070

T1057

T1105

T1195

T1090

T1059