Supply Chain Attacks on the risk - Open Source Security
Supply Chain Attack Background — WASP Attack on Python — Polymorphic Malware Shipping WASP Stealer; Infecting Hundreds Of Victims
TL;DR
Research analysis of pywale package linked with a malicious activity (WASP group). The WASP ground approach to impersonate well known package requests from python aka StarJacking technique. A suspicious file models.py which contained base64 encoded stage1 payload that fetches stage2 payload which is highly obfuscated and performs malicious actions.
Supply chain security in the open source ecosystem has become a large point of focus for the broader open source community — including the many companies and governments that rely on open source software.
As an industry and community, bad actors take over user accounts, corrupt popular open source dependencies, and take advantage of vulnerabilities in some of the biggest open source projects.
It’s no secret that a lot of our modern digital infrastructure runs on open source. The success of open source software (OSS), in part, comes down to the speed at which it’s developed by a global community of developers. But this speed can come at a cost if developers inherit the vulnerabilities in their supply chain.
Observations:
The package is performing starjacking. Its impersonating the famous requests library. The package is pointing to the famous python library i.e., requests to look legitimate.
https://github.com/psf/requests/stargazers
https://requests.readthedocs.io/en/latest/
Analysis brief:
The package is mentioning a list of requirements that could be downloaded from ‘https://github.com/psf/requests’ source.
Supply chain security in the open source ecosystem has become a large point of focus for the broader open source community — including the many companies and governments that rely on open source software.
As an industry and community, bad actors take over user accounts, corrupt popular open source dependencies, and take advantage of vulnerabilities in some of the biggest open source projects.
It’s no secret that a lot of our modern digital infrastructure runs on open source. The success of open source software (OSS), in part, comes down to the speed at which it’s developed by a global community of developers. But this speed can come at a cost if developers inherit the vulnerabilities in their supply chain.
Observations:
The package is performing starjacking. Its impersonating the famous requests library. The package is pointing to the famous python library i.e., requests to look legitimate.
https://github.com/psf/requests/stargazers
https://requests.readthedocs.io/en/latest/
Analysis:
The package is mentioning a list of requirements that could be downloaded from ‘https://github.com/psf/requests’ source.
While going through the code it can be observed a suspicious file ‘models.py’ has a base64 encoded code string found at line number 8, the same can be in referred in exhibit 1.2.
After decoding the encoded code, we observe that the code is fetching some payload from http://51.103.210.236/inject/8HA7LjxopFuz52AI
After looking for IP reputation it was noted that none of them reported it malicious. The same can be noted in Exhibit 1.4 and 1.5.
After navigating on the IP below message was observed.
Going ahead with the base64 decoded code, we further navigated to the mentioned URL from where the payload which is fetched. It appears obfuscated code has been hosted.
Beautifying the python code. It looks like further HEX obfuscation is used in multiple parts of payload. To conclude what exactly the code is trying to do we are required to decode the HEX encoded code.
At this point we were able to notice a test.js file was created and the same was executed but note sure what exactly its trying to do.
Later it was noted that the package was associated with threat actors ‘WASP’ aka WASP Stealer disclosed by Checkmarkx & Checkpoint research team. Shout-out to Checkmarx for starting such a great area to research. Do check out the blog published by Checkmarx security research team WASP Attack on Python — Polymorphic Malware Shipping WASP Stealer; Infecting Hundreds Of Victims
Another researcher have also shared a similar analysis of the same, do watch this YouTube video.
