Trojanized PyPI package mimics a popular Python server library

Sonatype has once again come across a malicious Python package, this one called ‘aiohttp-socks5’, that mimics a massively popular middleware library. Instead of the promised functionality, the package drops a Remote Access Trojan (RAT) that completely compromises the system it is installed on.

The legitimate AIOHTTP library is a popular asynchronous HTTP client/server framework for asyncio-based Python libraries and applications. The component receives more than 9 million downloads per week on average.

AIOHTTP powers well-known sites such as Yandex, Skyscanner and Agricultural Business Network, among others, and has been used to build other widely used libraries, which is why threat actors would see an opportunity in shipping counterfeit versions of AIOHTTP.

For developers who need AIOHTTP to work through SOCKS4/SOCKS5 proxies, the AIOHTTP maintainers recommend the aiohttp-socks package.

But this week, Sonatype’s automated malware detection systems came across a counterfeit component named aiohttp-socks5, which claims to be a “proxy connector for aiohttp”. That is far from the case: aiohttp-socks5 is spyware primarily targeting 64-bit Windows users, with some versions of the component also able to run on Linux, Termux and macOS systems.

Sources indicate that ‘aiohttp-socks5’ has been downloaded more than 2,200 times since its release, both through user-initiated downloads and through automated mirrors.

The ‘aiohttp-socks5’ package had 11 versions at the time of discovery, with different versions performing varying levels of malicious activity.

The first release of ‘aiohttp-socks5’ (0.7.1) appears largely benign, borrowing skeleton code from the legitimate aiohttp-socks package. The versions that followed, however, are spyware carrying malicious Trojans.

Fake ‘metadata’ field contains malicious EXE files

Starting with ‘aiohttp-socks5’ version 0.8.1, the manifest file contains a sneaky ‘metadata’ field near the end:

This so-called “metadata” variable contains a long string value that spans hundreds of lines. Essentially, the “metadata” field is just a ploy (Read more…)
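As an added illustration, not Sonatype's detection tooling and not code from the aiohttp-socks5 package, the script below shows the check a practitioner can run over a setup.py (or any other Python file in a downloaded sdist) before installing it: walk the AST, pick out unusually long string or bytes literals such as a ‘metadata’ variable, try to base64-decode them, and flag any that decode to a PE, ELF or Mach-O image by their magic bytes. It assumes the long string is base64-encoded, which is the usual way an executable is smuggled into a text literal; the page itself only shows that the field runs to hundreds of lines. The 512-character threshold, the sample setup.py and its ‘MZ’ stand-in blob are constructed for the example; no real binary is embedded.

```python
"""Scan Python source (e.g. a package's setup.py) for long literals that
decode to an embedded executable. Added example, not Sonatype's tooling;
the base64 assumption, threshold and sample below are illustrative."""
import ast
import base64
import binascii
import sys

# Magic bytes of the executable formats we care about (PE, ELF, Mach-O).
EXECUTABLE_MAGIC = {
    b"MZ": "PE/Windows executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit executable",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
}

# Hypothetical threshold: legitimate setup.py strings are short, while an
# encoded EXE runs to hundreds of lines. Tune it for your own corpus.
MIN_SUSPICIOUS_LEN = 512


def classify_blob(data: bytes):
    """Return the format name if `data` starts with a known executable magic."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def try_decode_base64(text: str):
    """Base64-decode `text` (embedded whitespace ignored); None if not base64."""
    compact = "".join(text.split())
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def _assigned_names(tree: ast.AST):
    """Map id(constant node) -> variable name for simple `name = <literal>`."""
    names = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    names[id(node.value)] = target.id
    return names


def find_embedded_executables(source: str, min_len: int = MIN_SUSPICIOUS_LEN):
    """Return (lineno, variable, format, decoded_size) per suspicious literal."""
    tree = ast.parse(source)
    names = _assigned_names(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Constant):
            continue
        value = node.value
        if not isinstance(value, (str, bytes)) or len(value) < min_len:
            continue
        # A str literal must be decoded first; a bytes literal is checked as-is.
        blob = try_decode_base64(value) if isinstance(value, str) else value
        if blob is None:
            continue
        fmt = classify_blob(blob)
        if fmt is not None:
            findings.append((node.lineno, names.get(id(node), "<literal>"), fmt, len(blob)))
    return findings


# Constructed sample: a setup.py shaped like the counterfeit package, with a
# 'metadata' variable holding a base64 "EXE". The blob is only an 'MZ' header
# followed by padding, NOT a real binary.
FAKE_EXE = b"MZ" + b"\x90" * 600
SAMPLE_SETUP_PY = f'''
from setuptools import setup

setup(
    name="aiohttp-socks5",
    version="0.8.1",
    description="proxy connector for aiohttp",
)

metadata = "{base64.b64encode(FAKE_EXE).decode()}"
'''


def scan_sample():
    """Run the scanner over the constructed sample setup.py."""
    return find_embedded_executables(SAMPLE_SETUP_PY)


def report(label, findings):
    if not findings:
        print(f"{label}: no embedded executables found")
    for lineno, var, fmt, size in findings:
        print(f"{label}:{lineno}: variable {var!r} decodes to a {size}-byte {fmt}")


if __name__ == "__main__":
    # Usage: python scan_setup.py <unpacked-sdist>/setup.py [more files...]
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                report(path, find_embedded_executables(fh.read()))
    else:
        report("sample", scan_sample())
```

Run it against the files of an unpacked sdist (`pip download --no-binary :all: --no-deps <name>` then extract) rather than against an installed package, so nothing in the distribution executes first. A hit on setup.py is especially damning: that file runs at install time, so a decoded executable there is almost certainly meant to be written to disk and launched.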
