Podcast Summary: CyberWire Daily – "Crypto client or cyber trap? [Research Saturday]"
Release Date: January 4, 2025
Host/Author: N2K Networks
Guest: Carlos Zanki, Reverse Engineer at Reversing Labs
Research Topic: Malicious PyPI Crypto Pay Implants, Infostealer Code
Introduction
In the January 4, 2025 episode of CyberWire Daily, hosted by Dave Buettner, listeners are introduced to a critical discussion on a recent cybersecurity threat involving malicious packages in the Python Package Index (PyPI). The episode, titled "Crypto client or cyber trap? [Research Saturday]," features an in-depth conversation with Carlos Zanki from Reversing Labs, who delves into the intricacies of detecting and mitigating threats within open-source software repositories.
Research Overview: Malicious PyPI Packages
Carlos Zanki presents his research on Malicious PyPI Crypto Pay Implants, Infostealer Code, highlighting a sophisticated attack vector targeting cryptocurrency trading applications. The discussion begins with the detection process:
[01:16] Carlos Zanki: "So in this case the detection was triggered by machine learning model and we have a review procedure of those detections to see which are true positives and determine what type of malware in this case we had."
Zanki explains that their machine learning models flagged certain PyPI packages, prompting a detailed review to ascertain the legitimacy of these detections.
Detection and Analysis Methodology
Zanki outlines the methodology used to uncover the malicious code embedded within seemingly legitimate packages. He emphasizes the role of machine learning in initial detection followed by rigorous manual review:
[02:02] Carlos Zanki: "We took a detailed look and spotted well-observed obfuscation pattern of base64 encoding and zlib compression. So when we encounter something like that, even though sometimes you find something using it in legitimate purposes, most often it is malware."
The team identified obfuscation techniques such as base64 encoding and zlib compression, common methods used by attackers to conceal malicious payloads within code.
Deobfuscation and Malware Functionality
The conversation progresses to the deobfuscation process, where Zanki describes the steps taken to reveal the hidden malware:
[03:31] Carlos Zanki: "It's several rounds of base64 decoding and reversing string and doing zlib decompression. So you do what the attacker did just in reverse order."
Upon deobfuscation, the malicious code was found to be designed to steal sensitive information related to cryptocurrency trading, indicating a clear intent for financial gain:
[04:06] Carlos Zanki: "The goal was financial gain. Most often we see in latest time threat actors try to steal cryptocurrencies and secrets related to cryptocurrency trading to quickly get to financial gain."
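The layered decoding described in this section can be done statically, without ever running the payload. The sketch below is an added example, not code from the episode or from the research: it assumes the layers are nested directly inside one another in an unknown order, and `peel`, `looks_like_source` and `build_sample` are hypothetical names, with a constructed, harmless sample standing in for a real blob.

```python
import ast
import base64
import binascii
import zlib

B64_CHARS = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def _b64(data):
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None

def _zlib(data):
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None

# The order the layers were applied in is unknown, so every inverse is a candidate.
INVERSES = [("zlib", _zlib), ("base64", _b64), ("reverse", lambda d: d[::-1])]

def looks_like_source(data):
    """Goal test: text that parses as Python and is not just another base64 blob."""
    if not data or set(data) <= B64_CHARS:
        return False
    try:
        ast.parse(data.decode("utf-8"))
        return True
    except (UnicodeDecodeError, SyntaxError, ValueError):
        return False

def peel(blob, max_depth=12, steps=()):
    """Search for a chain of inverse transforms that ends in Python source.
    Decodes and parses only, never executes. Returns (source, steps) or (None, ())."""
    if looks_like_source(blob):
        return blob, steps
    if len(steps) >= max_depth:
        return None, ()
    for name, inverse in INVERSES:
        if name == "reverse" and steps[-1:] == ("reverse",):
            continue  # two reversals in a row cancel out
        out = inverse(blob)
        if out and (hit := peel(out, max_depth, steps + (name,)))[0] is not None:
            return hit
    return None, ()

def build_sample():
    """Constructed, harmless sample: a print statement under four layers."""
    src = b"print('layered payload stand-in')\n"
    return base64.b64encode(base64.b64encode(zlib.compress(src))[::-1])
```

The backtracking matters because a reversed base64 string without padding is itself valid base64, so a greedy decoder can walk into garbage; the search discards that branch and tries the reversal instead.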
Differentiating Attack Vectors
Zanki differentiates this attack from more common supply chain attacks such as typosquatting or impersonation. Instead of mimicking popular packages, the attacker created a legitimate-looking crypto trading tool and gradually built a user base before introducing malicious versions:
[04:44] Carlos Zanki: "In this case we had developer creating his own crypto trading tool, likely forking from some other legitimate previously deployed tool and waiting for some time, several months in this case to build up a user base and then publish malicious version to them."
This strategy underscores a shift towards more sophisticated and stealthy approaches in targeting software supply chains.
Injecting Malicious Code Without GitHub Changes
A critical aspect of the attack was the injection of malicious code directly into the PyPI package without altering the corresponding GitHub repository. Zanki explains how attackers exploit the separation between source code repositories and package distribution platforms:
[06:23] Carlos Zanki: "You can separate your publishing process in. If you control your publishing process, you can separate it however you wish. So you have PyPI assets tokens. You can publish source code to GitHub and then take your source code, add some malicious code to it, package it to the PyPI package format and publish that version to PyPI."
This method allows attackers to maintain a clean appearance on public repositories while distributing malicious versions through official channels.
Differential Analysis Between Package Versions
To detect such sophisticated attacks, Zanki discusses the use of differential behavior analysis between different versions of a package. This technique involves comparing the behaviors extracted from each version to identify suspicious changes:
[07:50] Carlos Zanki: "We compare two versions of package and gives you a way to see what behaviors have been introduced in a new version."
This approach enables the identification of anomalies without requiring in-depth code analysis, making it an efficient tool for threat detection.
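A minimal version of such a behavior diff, as an added example rather than the tooling discussed in the episode: it extracts a few behaviors from each release with Python's `ast` module and reports the ones that first appear in the newer release. The watch-lists, the function names and the two sample releases are constructed assumptions; the same comparison can be run between a repository checkout and the published package contents, which is where the injection described in the previous section would surface.

```python
import ast

# Illustrative watch-lists (assumed); a real scanner tracks far more behaviours.
CALLS = {"exec": "dynamic-exec", "eval": "dynamic-exec",
         "b64decode": "base64-decode", "decompress": "zlib-decompress"}
MODULES = {"socket": "network", "requests": "network", "urllib": "network",
           "subprocess": "process-spawn"}

def behaviours(files):
    """Map {path: source} to a set of (behaviour, path) pairs using the AST only."""
    found = set()
    for path, source in files.items():
        for node in ast.walk(ast.parse(source, filename=path)):
            if isinstance(node, ast.Call):
                name = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
                table, names = CALLS, [name]
            elif isinstance(node, ast.Import):
                table, names = MODULES, [a.name.split(".")[0] for a in node.names]
            elif isinstance(node, ast.ImportFrom):
                table, names = MODULES, [(node.module or "").split(".")[0]]
            else:
                continue
            found.update((table[n], path) for n in names if n in table)
    return found

def introduced(old_files, new_files):
    """Behaviours in the new release whose kind never appeared in the old one."""
    old_kinds = {kind for kind, _ in behaviours(old_files)}
    return sorted(b for b in behaviours(new_files) if b[0] not in old_kinds)

# Constructed stand-ins for two releases of a hypothetical package; the
# second adds a file that decodes and executes an embedded blob.
# The sources are parsed, never executed.
V1 = {"client.py": "import requests\n\ndef balance(url):\n    return requests.get(url).json()\n"}
V2 = {
    "client.py": V1["client.py"],
    "utils/sync.py": "import base64, zlib\nBLOB = b'<placeholder>'\n"
                     "exec(zlib.decompress(base64.b64decode(BLOB[::-1])))\n",
}
```

Calling `introduced(V1, V2)` reports the decode, decompress and exec behaviors in `utils/sync.py`, while the network use that was already present in the first release is not flagged.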
Potential Impact of Undiscovered Malicious Packages
Zanki warns about the severe consequences if such malicious packages go undetected:
[13:39] Carlos Zanki: "It could result in financial loss for the users who installed this package and used it in their projects. So basically it's stealing of cryptocurrencies."
The stealthy nature of these implants means that significant financial losses and data breaches could occur before detection.
Risks of Relying on Open Source Repositories
The discussion broadens to the inherent risks of using open-source repositories in the software supply chain. Zanki notes the evolving sophistication of malware:
[14:06] Carlos Zanki: "The software the risks are emerging on year basis. It's not just the amount of malware present there, but it's also the level of sophistication that we see each new year."
He emphasizes that even reputable packages with millions of downloads can become vectors for malicious activities if compromised.
Reporting and Response from PyPI
Zanki shares insights into the responsible disclosure process they followed by reporting the malicious package to PyPI. He praises the swift and effective response from the PyPI team:
[16:29] Carlos Zanki: "They put that package into quarantine until they determine if the package is truly malicious or it was false positive reporting. And their response were quick. I believe just a few hours the package was quarantined and in a few days later it was removed."
This collaboration between researchers and repository maintainers is crucial in mitigating threats swiftly.
Recommendations for Enhanced Security
Concluding the discussion, Zanki offers several recommendations for developers and organizations to safeguard against such threats:
[17:39] Carlos Zanki: "You should double check everything you have in your code base. So basically, security web everything you plan to use from open source package repositories."
He advocates for comprehensive security vetting of all dependencies, utilizing dedicated tools, and adopting a proactive approach to monitor and verify the integrity of open-source packages.
Conclusion
Dave Buettner wraps up the episode by thanking Carlos Zanki for his valuable insights into the evolving landscape of software supply chain threats. He encourages listeners to stay vigilant and implement robust security measures to protect their projects and organizations from similar malicious intrusions.
Notable Quotes
- Detection Trigger: Carlos Zanki [01:16]: "The detection was triggered by machine learning model and we have a review procedure of those detections to see which are true positives and determine what type of malware in this case we had."
- Obfuscation Patterns: Carlos Zanki [02:02]: "We spotted well observed obfuscation pattern of base64 encoding and zlib compression."
- Deobfuscation Process: Carlos Zanki [03:31]: "You do what the attacker did just in reverse order."
- Attack Intent: Carlos Zanki [04:06]: "The goal was financial gain."
- Sophisticated Attack Vector: Carlos Zanki [04:44]: "Creating his own crypto trading tool... build up a user base and then publish malicious version to them."
- Reporting to PyPI: Carlos Zanki [16:29]: "Their response were quick. I believe just a few hours the package was quarantined and in a few days later it was removed."
- Security Recommendations: Carlos Zanki [17:39]: "You should double check everything you have in your code base."
Final Thoughts
This episode of CyberWire Daily provides a comprehensive examination of the vulnerabilities within open-source package repositories and the sophisticated methods attackers employ to infiltrate and exploit them. Through Carlos Zanki's expert analysis, listeners gain valuable insights into the detection, analysis, and prevention of such threats, underscoring the importance of vigilant security practices in the software development lifecycle.