In early August, the ReversingLabs research team uncovered a malicious supply chain campaign it code-named "VMConnect." The campaign distributed approximately twenty-four malicious Python packages through the Python Package Index (PyPI), the widely used open-source repository for Python software.
The packages were designed to impersonate well-known open-source Python utilities, including vConnector (a wrapper module for the pyVmomi VMware vSphere bindings), eth-tester (a toolkit for testing Ethereum-based applications), and databases (a library offering asynchronous support for various database systems).
The researchers noted that the operators went to considerable lengths to make the packages look authentic: they set up GitHub repositories for them, complete with legitimate-looking descriptions, and even included genuine source code alongside the malicious additions.
In its latest findings, the team identified several new packages, including 'tablediter' (736 downloads), 'request-plus' (43 downloads) and 'requestspro' (341 downloads).
Of these, 'tablediter' poses as a table-editing tool, while the other two pose as versions of the widely used 'requests' Python library for making HTTP requests.
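The impersonation described above relies on names that differ from a trusted package by a typo or an appended suffix. The following is an added example, not ReversingLabs' tooling: a small dependency-manifest check that normalizes names per PEP 503 and flags any that sit within one edit of a known package after stripping common decoy affixes. The allowlist and the sample requirements file are constructed for illustration.

```python
"""Flag dependency names that imitate well-known PyPI packages (added example)."""
import re

# Constructed allowlist; in practice seed this from your approved-dependency inventory.
KNOWN_PACKAGES = {"requests", "urllib3", "databases", "eth-tester", "vconnector", "pyvmomi"}

# Affixes commonly bolted onto a trusted name to produce a plausible lookalike.
DECOY_AFFIX = re.compile(r"^(py|python)-?|-?(py|python|plus|pro|2|3)$")

# Constructed sample manifest mixing the page's lookalike names with genuine dependencies.
SAMPLE_REQUIREMENTS = """\
# pinned deps
requests==2.31.0
request-plus>=1.0
requestspro
tablediter
urllib3
"""


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' collapse to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, known=KNOWN_PACKAGES, max_distance: int = 1):
    """Return the known package `name` most closely imitates, or None if it is clean."""
    n = normalize(name)
    if n in known:  # exact match is the genuine package
        return None
    stripped = DECOY_AFFIX.sub("", n)  # e.g. 'request-plus' -> 'request', 'requestspro' -> 'requests'
    best = min(known, key=lambda k: min(levenshtein(n, k), levenshtein(stripped, k)))
    dist = min(levenshtein(n, best), levenshtein(stripped, best))
    return best if dist <= max_distance else None


def scan_requirements(text: str) -> dict:
    """Map each suspicious requirement name to the package it appears to imitate."""
    flagged = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if not m or line.lstrip().startswith(("#", "-")):
            continue
        target = lookalike_of(m.group(1))
        if target:
            flagged[m.group(1)] = target
    return flagged
```

Names with no counterpart in the allowlist (such as 'tablediter' here) are not caught by this check; it complements, rather than replaces, reputation and behavioural scanning of new dependencies.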
ReversingLabs could not definitively identify the source of the campaign, but some analysts were more confident, attributing the malware to Labyrinth Chollima, a subgroup within the notorious Lazarus Group, a North Korean state-sponsored threat entity.
Additionally, JPCERT/CC, Japan's computer emergency response team, connected the attack to another Lazarus Group subsidiary known as DangerousPassword.
Given these attributions and the striking code similarities between the packages discovered in the VMConnect campaign and those described in JPCERT/CC's research, the same threat actor is very likely responsible for both attacks.
What is a supply chain attack?
A supply chain attack is a cyber assault strategy that exploits weaknesses in an organization's supply chain. The supply chain is the network of individuals, companies, resources, processes, and technologies involved in creating and distributing a product, encompassing everything from the shipment of raw materials from suppliers to manufacturers, right up to the product's delivery to end users.
In targeting a weak link within this supply chain, cyber attackers increase their chances of success, capitalizing on the trust organizations often place in their third-party vendors. These attacks are a subset of island hopping attacks, where threat actors leverage trusted connections to infiltrate their primary targets.