This Week in Malware — Malicious 'Distutil' and Spring4Shell active exploitation

April 22, 2022 By Ax Sharma

This week in malware we have a lot to go over: a mysterious 'Distutil' Python library found on the PyPI repository, active Spring4Shell exploitation by threat actors deploying crypto-miners, ProxyShell exploits targeting Microsoft Exchange servers, an open source utility claiming to add Google Play store to PCs but containing obfuscated malware, ongoing dependency confusion attempts, and last but not least, the GitHub OAuth tokens compromise that impacted a dozen organizations including npm.

Meet 'Distutil', not the distutils you know

In October 2021, a mysterious 'distutil' package was published to the Python Package Index (PyPI) registry. As of today, the package has been retrieved over 2,000 times via user-initiated downloads and automated mirrors.

The name might ring a bell, as 'distutils' is a now-deprecated Python library that provided support for building and installing additional modules into a Python installation. 'Distutil', on the other hand, looks like a typosquatting attempt.

To be fair, the package's homepage does indicate "don't download this," and the code inside the package implies this is part of a pen-testing activity or similar research.

The 'setup.py' file within the 'Distutil' typosquat executes base64-encoded code.

Once decoded, the code establishes a socket connection to a local IP address (perhaps a WiFi router or similar device) on port 4444, which is commonly used by Metasploit/Meterpreter exploits, further indicating this relates to pen-testing activity (likely, ethical research).
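A static check for the pattern described above, added here as an example (it is not Sonatype's detection code and not the package's code): it parses a 'setup.py' with Python's `ast` module, finds `exec`/`eval` calls wrapping a base64 decoder, and decodes the literal without ever running it. The sample 'setup.py', its stand-in payload, the IP address, and the hint keywords are constructed for illustration.

```python
import ast
import base64
import re

EXEC_NAMES = {"exec", "eval"}
DECODERS = {"b64decode", "decodebytes"}
# Keywords worth surfacing in a decoded payload (illustrative list, an assumption).
NET_HINTS = re.compile(r"\b(socket|connect|subprocess|urllib|requests)\b")

def call_name(node):
    """Rightmost name of a call target, e.g. base64.b64decode -> 'b64decode'."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else ""

def scan_setup_py(source):
    """Report exec/eval of base64-decoded data; the payload is decoded, never executed."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and call_name(node) in EXEC_NAMES):
            continue
        for inner in ast.walk(node):
            if not (isinstance(inner, ast.Call) and call_name(inner) in DECODERS):
                continue
            decoded = None  # stays None when the argument is not a decodable literal
            arg = inner.args[0] if inner.args else None
            if isinstance(arg, ast.Constant):
                try:
                    decoded = base64.b64decode(arg.value, validate=True).decode("utf-8", "replace")
                except (ValueError, TypeError):
                    pass
            hints = sorted(set(NET_HINTS.findall(decoded or "")))
            findings.append({"line": node.lineno, "decoded": decoded, "hints": hints})
    return findings

# Constructed sample: a setup.py shaped like the one described, with a stand-in payload.
PAYLOAD = 'import socket\ns = socket.socket()\ns.connect(("192.168.0.10", 4444))\n'
SAMPLE_SETUP = (
    "import base64\n"
    "from setuptools import setup\n"
    f"exec(base64.b64decode('{base64.b64encode(PAYLOAD.encode()).decode()}'))\n"
    "setup(name='example-pkg', version='0.0.1')\n"
)

if __name__ == "__main__":
    for f in scan_setup_py(SAMPLE_SETUP):
        print(f"line {f['line']}: hints={f['hints']}\n{f['decoded']}")
```

Running a check like this on a downloaded sdist before `pip install` matters because 'setup.py' runs at install time, before any of the package's code is imported.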

The package was brought to our attention by Uwe Maurer, Enterprise Architect at EnBW. Further research by Sonatype security researcher Juan Aguirre confirmed the package is indeed malicious and after our report to PyPI, 'distutil' was taken down.

The 'distutil' package has been assigned the sonatype-2022-2374 identifier within our security research catalog.

Spring4Shell attackers deploying cryptominers

A new report published by Trend Micro this week warns of active attempts by attackers to exploit the Spring4Shell vulnerability, assigned CVE-2022-22965, to deploy cryptocurrency miners.

"These cryptocurrency miners have the potential to affect a large number of users, especially since Spring is the most widely used framework for developing enterprise-level applications in Java, with its open source nature making it more readily adaptable for developers and companies," state Nitesh Surana and Ashish Verma of Trend Micro.

"Furthermore, the Spring framework is not just a standalone piece of software but is part of the Spring ecosystem, which provides components for cloud, data, and security, among others."

Be sure to patch Spring4Shell in your environments, and check out the Spring4Shell Exploit Resource Center, which provides the latest Spring4Shell advice and real-time download statistics. For example, a whopping 78% of all Spring download requests made to Maven Central are for versions vulnerable to Spring4Shell!

OSS tool claiming to add Google Play apps to Windows 11 drops malware instead

As reported by BleepingComputer this month, the Powershell Windows Toolbox utility on GitHub claimed to help users add native Google Play apps to Windows 11, but secretly installed malware.

"When Windows 11 was released in October, Microsoft announced that it will allow users to run native Android apps directly from within Windows," writes Lawrence Abrams of BleepingComputer.

The feature generated much enthusiasm among users wanting to install Android apps on Windows 11, but was followed by disappointment when users realized Microsoft only allowed Amazon App Store apps.

As opposed to using tools like Android Debug Bridge (ADB) to sideload Google Play Apps on their PCs, some turned to alternate solutions like the open source Powershell Windows Toolbox.

In addition to fulfilling some of its promised activities, however, Powershell Windows Toolbox contained a scary snippet of highly obfuscated code.

The obfuscated PowerShell code consists of just a few characters: `{`, `}`, ` `, `$`, and `+`, and drops a trojan hosted on Cloudflare Workers.
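A triage heuristic for this trait, added here as an example (not code from the tool or from BleepingComputer's analysis): it flags long runs in a script that contain no letters or digits and are drawn from a very small set of characters including `$`. The thresholds and the sample script are assumptions constructed for illustration; the symbol run in the sample is meaningless filler.

```python
import re

def find_symbol_only_runs(script, min_len=40, min_alphabet=3, max_alphabet=8):
    """Return (line_no, run_length, alphabet) for long letter- and digit-free runs.

    A run is reported only if it uses between min_alphabet and max_alphabet
    distinct characters and contains '$' (one of the characters the article
    lists). All thresholds are assumed defaults, not measured values.
    """
    pattern = re.compile(r"[^A-Za-z0-9\n]{%d,}" % min_len)
    hits = []
    for line_no, line in enumerate(script.splitlines(), start=1):
        for match in pattern.finditer(line):
            run = match.group()
            alphabet = "".join(sorted(set(run)))
            if "$" in run and min_alphabet <= len(alphabet) <= max_alphabet:
                hits.append((line_no, len(run), alphabet))
    return hits

# Constructed sample script: ordinary PowerShell lines, a comment separator that
# must NOT be flagged, and a meaningless symbol-only run that must be flagged.
SAMPLE = "\n".join([
    "# constructed sample, not the real tool",
    "Write-Host 'Installing components...'",
    "# " + "-" * 60,
    "${ }+${ }+" * 10,
    "Get-ChildItem -Path $env:TEMP",
])

if __name__ == "__main__":
    for line_no, length, alphabet in find_symbol_only_runs(SAMPLE):
        print(f"line {line_no}: {length}-char run using only {alphabet!r}")
```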

The malicious GitHub repository has since been taken down. Make sure to clean up your PC and run a full antivirus scan should you have installed the dubious open source tool.

Dependency confusion: An ongoing problem

Sonatype's automated malware detection systems, offered as part of Sonatype Repository Firewall, continue to spot new dependency confusion packages — both malicious and those part of ethical research — multiple times a day.

Some of this week's packages are listed below:

@bigid-ui/components
@uieng/messaging-api
abchdefntofknacuifnt
aiohttp-proxies-connector
aiohttp-socks-test-connector
alba-website
bigid-filter-recursive-parser
bigid-permissions
bigid-query-object-serialization
citrix-translate
eth-mnemonic-utils
finco
generator-code-dependencies-versions
jptest
jptest1
polymer-shim-styles
react-transition-group-community-version
sloffle
stale-dnscache
yo-code-dependencies-versions

Of note are the 'aiohttp-proxies-connector' and 'aiohttp-socks-test-connector' malicious packages, named after the AIOHTTP client/server framework, which keep reappearing on PyPI because a persistent threat actor is imitating the framework to drop trojans.

The development follows this month's dependency confusion attempt against the VMware VSphere SDK library and its users, caught and blocked by Sonatype.

Users of Sonatype Repository Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds. 

Sonatype Repository Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in the works, thereby keeping your software supply chain protected from the start.

Ransomware gangs target Exchange servers via ProxyShell

Hive ransomware affiliates are actively targeting Microsoft Exchange servers vulnerable to the ProxyShell CVEs: CVE-2021-34473, CVE-2021-34523, CVE-2021-31297. This isn't surprising, as multiple ransomware gangs have exploited ProxyShell in the past. Make sure to patch your Exchange servers against the flaw.

This information comes from security and analytics company Varonis, which was called in to investigate the attack against one of its customers.

GitHub OAuth token incident hit npm, dozens of orgs

Last but not least, check out GitHub's official advisory on the security incident that involved compromised OAuth user tokens.

On April 12, the GitHub Security team discovered that an attacker had abused OAuth user tokens stolen from third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm.

As of April 18th, GitHub notified owners of private repositories in cases where the contents of these repos were downloaded by threat actors by abusing the stolen OAuth user tokens issued to Heroku and Travis CI.

"We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats which could be abused by an attacker," states Mike Hanley, GitHub's Chief Security Officer.

Written by Ax Sharma

Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.