Malicious packages in PyPI use stealthy exfiltration methods
Common Information

Type                  Value
UUID                  6410390d-b4d2-4b19-a6b8-eec8cdca4f74
Fingerprint           a52109188cf23715
Analysis status       DONE
Considered CTI value  0
Text language         (not set)
Published             Nov. 18, 2021, 4:06 p.m.
Added to db           Sept. 11, 2022, 12:41 p.m.
Last updated          Nov. 17, 2024, 10:43 p.m.
Headline              Python Malware Imitates Signed PyPI Traffic in Novel Exfiltration Technique
Title                 Malicious packages in PyPI use stealthy exfiltration methods
Detected Hints/Tags/Attributes  56/1/22
Attributes

Type    Value                                                    #Events  CTI Value
Domain  psec.forward.io.global.prod.fastly.net                   1
Domain  requestbin.net                                           9
Domain  yxznlysc47wvrb9r9z211e1jbah15q.burpcollaborator.net      1
Domain  nda.ya.ru                                                1
Domain  pepy.tech                                                5
Domain  pypi.org                                                 43
Domain  pypi.python.org                                          9
Domain  req.post                                                 1
Domain  setup.py                                                 138
Domain  898b5ca5e76134be965acd.bufferover.run                    1
Domain  jfrog.com                                                21
Email   research@jfrog.com                                       6
File    pypi.py                                                  10
File    setup.py                                                 127
File    os.sys                                                   124
File    requirements.txt                                         144
IPv4    104.248.19.57                                            1
IPv4    192.168.1.69                                             4
Url     https://nda.ya.ru/t/ihlfdcyw3jcvqz                       1
Url     https://pypi.python.org                                  1
Url     https://pypi.python.org/images/guid                      1
Url     https://898b5ca5e76134be965acd.bufferover.run/yow_utils  1

Notes on the extracted attributes

The attributes above were extracted automatically and should be triaged before use as indicators:
- "req.post" and "os.sys" are Python expressions (a requests method call and a module attribute), not a domain or a file; "setup.py" is a file name that the extractor also counted as a domain. None of the three is a network indicator.
- 192.168.1.69 is an RFC 1918 private address and cannot be used as an external indicator.
- burpcollaborator.net and requestbin.net are generic out-of-band callback services; the per-instance label (e.g. yxznlysc47wvrb9r9z211e1jbah15q) identifies the campaign, while the parent domain itself also appears in legitimate testing traffic.
- pypi.org, pypi.python.org and pepy.tech are legitimate packaging hosts; they are listed here because the packages blend their callbacks with normal PyPI traffic, as the headline states, not because the hosts are malicious.
- psec.forward.io.global.prod.fastly.net is a Fastly CDN edge hostname.
- jfrog.com and research@jfrog.com identify the source of the report, not the threat.