Telegram, AWS, and Alibaba Cloud users are being targeted by a fresh malware campaign that strategically buries malicious code within specific software functions to make it harder to detect.
That’s the verdict from cybersecurity firm Checkmarx, which says that it discovered the campaign – attributed to a mysterious threat actor it calls “kohlersbtuh15” – in September.
The cyberattacker used the Python package repository PyPI as their theater of operations, launching attacks using typosquatting and starjacking tactics.
The former occurs when a cybercriminal attempts to fool a target into clicking on a link that mimics a legitimate domain name, with just one character altered, to disguise an attack, while the latter entails linking a malicious package to an unrelated benign one for similar purposes.
“Rather than the common strategy of planting malicious code within the setup files of Python packages, which would auto-execute upon package installation, this attacker embedded malicious scripts deep within the package, within specific functions,” said Checkmarx. “This meant that the malicious code would only execute when a specific function is called during regular usage.”
It described this as a “unique approach to hiding malicious code” that not only helps to conceal it “but also targets specific operations or functionalities, making the attack more effective and difficult to detect.”
Checkmarx added: “Furthermore, since many security tools scan for automatically executable malicious scripts, embedding the code within functions increases the likelihood of evading such security measures.”
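To make the detection gap described above concrete, here is an added example (not from Checkmarx or the original article) of a static check that walks every function body in a module instead of looking only at code that runs on install or import. The watch-list, the `Finder` class and the sample module are assumptions constructed for illustration and are not the campaign's code.

```python
import ast

# Assumed watch-list of calls that deserve review wherever they appear.
SUSPICIOUS = {"exec", "eval", "compile", "__import__", "os.system", "os.popen",
              "subprocess.run", "subprocess.Popen", "subprocess.check_output",
              "base64.b64decode", "urllib.request.urlopen", "socket.socket"}

# Constructed sample, parsed but never executed: nothing runs at import time,
# the flagged calls sit inside a method that looks like ordinary API surface.
SAMPLE = '''
import base64
VERSION = "1.0"

class Client:
    def send_message(self, text, blob=b""):
        exec(base64.b64decode(blob))
        return len(text)
'''

class Finder(ast.NodeVisitor):
    def __init__(self):
        self.scope, self.findings = [], []   # enclosing def/class names; results

    def _scoped(self, node):
        self.scope.append(node.name)
        self.generic_visit(node)
        self.scope.pop()
    visit_FunctionDef = visit_AsyncFunctionDef = visit_ClassDef = _scoped

    def visit_Call(self, node):
        name = ast.unparse(node.func)        # dotted callee name, Python 3.9+
        if name in SUSPICIOUS:
            where = ".".join(self.scope) or "<module>"
            self.findings.append((where, name, node.lineno))
        self.generic_visit(node)

def scan_source(source):
    """Return (scope, call, line) for every watch-listed call in the source."""
    finder = Finder()
    finder.visit(ast.parse(source))
    return finder.findings

def import_time_only(findings):
    """What a scanner limited to auto-executing (module-level) code would see."""
    return [f for f in findings if f[0] == "<module>"]

if __name__ == "__main__":
    for scope, call, line in scan_source(SAMPLE):
        print(f"line {line}: {call} inside {scope}")
```

A hit is a prompt for manual review of that function, not proof of malice, since legitimate packages also call these APIs.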
Another tactic used by the attacker is to make the poisoned packages on PyPI appear popular in an apparent psychological trick aimed at encouraging a victim to click on them, lured by a false sense of confidence.
“Starjacking and typosquatting are popular methods used by attackers to increase the chances of their attacks succeeding and infecting as many targets as possible,” said Checkmarx. “These techniques aim to enhance the credibility of the package by making it appear popular and emphasizing the number of other developers who use it.”
Falling for such ruses risks ruining infected networks once malware packages are implanted in code, and can also have knock-on effects further down the line, it warned.
“In the best-case scenario, you may end up infecting high-privileged developer accounts within your network,” said Checkmarx. “If you are less fortunate, you could end up infecting your customers with compromised software releases.”