Exposing Attack Operations Utilizing PyPI Against Windows, Linux and macOS Platforms

July 8, 2024, 10:56 a.m.

Description

The report details the APT-C-26 (Lazarus) group's recent attack campaign utilizing malicious Python packages hosted on the PyPI repository to deliver payloads targeting multiple platforms including Windows, Linux, and macOS. It analyzes the attack flow, delivery methods, and malware components involved, providing insights into the group's tactics and capabilities spanning various operating systems. The report also attributes the activity to the Lazarus group based on evidence linking it to their previous attack patterns and infrastructure.

External References

https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA%3D%3D&mid=2247499462&idx=1&sn=7cc55f3cc2740e8818648efbec21615f&chksm=f9c1cdcfceb644d9a6f169ca81188a0e3ab4a9799437f6c57b71ede3ac6aab6d121dd023d42a&scene=178&cur_album_id=1955835290309230595
https://otx.alienvault.com/pulse/668bc4877a1f909fc99a829d
Tags
malware
apt
supply chain
lazarus
2024-07-08
pypi
comebacker
cross-platform

Date

  • Created: July 8, 2024, 10:50 a.m.
  • Published: July 8, 2024, 10:50 a.m.
  • Modified: July 8, 2024, 10:56 a.m.

Indicators

  • e9d478dca6ce1b642abfdb94af21f0d567594479a14d3780e148400649591fcf
  • b4c8c149005a43ae043038d4d62631dc1a0f57514c7cbf4f7726add7ec67981a
  • 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c
  • 2c8f00824ca2b4ddb4e2e910ee042ba46a570984d1bc094f0014655d883b8519
  • 1a9cea5e43cfe6377b20f09becf8547deba702718d1ee220ef677f53f30e820d
  • 17d3593519f6a016879093bfb7cc63070646951191e28c1dfad52942099f59cc
  • 70c5b64589277ace59db86d19d846a9236214b48aacabbaf880f2b6355ab5260
  • c56c94e21913b2df4be293001da84c3bb20badf823ccf5b6a396f5f49df5efff
  • b4a04b450bb7cae5ea578e79ae9d0f203711c18c3f3a6de9900d2bdfaa4e7f67
  • 956d2ed558e3c6e447e3d4424d6b14e81f74b63762238e84069f9a7610aa2531
  • 8fb6d8a5013bd3a36c605031e86fd1f6bb7c3fdba722e58ee2f4769a820b86b0
  • 6bba8f488c23a0e0f753ac21cd83ddeac5c4d14b70d4426d7cdeebdf813a1094
  • 3ab6e6fc888e4df602eff1c5bc24f3e976215d1e4a58f963834e5b225a3821f5
  • 60c080a29f58cf861f5e7c7fc5e5bddc7e63dd1db0badc06729d91f65957e9ce
  • 26437bc68133c2ca09bb56bc011dd1b713f8ee40a2acc2488b102dd037641c6e
  • 173e6bc33efc7a03da06bf5f8686a89bbed54b6fc8a4263035b7950ed3886179
  • 01c5836655c6a4212676c78ec96c0ac6b778a411e61a2da1f545eba8f784e980
  • 91.206.178.125
  • http://91.206.178.125:80
  • http://91.206.178.125/upload/upload.asp
  • blog.phylum.io
  • pypi.online
  • jdkgradle.com
  • arcashop.org
  • angeldonationblog.com
  • fasttet.com
  • chaingrown.com
  • blockchain-newtech.com
Download all indicators here!

Attack Patterns

  • Comebacker
  • APT-C-26 (Lazarus)