North Korean state-sponsored hackers have been identified as the culprits behind a malicious campaign known as VMConnect, which involved the upload of harmful packages to the PyPI (Python Package Index) repository.
One of these packages masqueraded as the VMware vSphere connector module vConnector. The campaign was executed by a subgroup of the North Korean Lazarus hackers known as Labyrinth Chollima, as revealed by a report from ReversingLabs, a software supply chain security company.
These malicious packages were introduced into the PyPI repository in early August, with one named VMConnect particularly targeting IT professionals in search of virtualization tools. Although the VMConnect package was eventually removed from PyPI, it had already garnered 237 downloads.
In addition, two more packages named ‘ethter’ and ‘quantiumbase’ were downloaded 253 and 216 times respectively, and these packages were identified as containing the same code.
The hackers behind the campaign deployed various tactics, including creating packages like ‘tablediter’ and ‘requestspro’ that mimicked legitimate software projects. By appending terms like “plus” and “pro” to the package names, the hackers aimed to make them appear as enhanced versions of well-known software.
These malicious packages featured minimal content differences from their legitimate counterparts, but these differences were primarily in the “init.py” file, which executed a malicious function designed to gather data from infected machines.
Furthermore, the attackers used a sophisticated process to exfiltrate the stolen data. After collecting information from infected machines, the data was sent to command and control (C2) servers via a POST HTTP request. The servers responded with an obfuscated Python module that included execution parameters and a download URL for the next payload stage.
While the full scope of the campaign remains challenging to assess due to the C2 server’s behavior, ReversingLabs researchers have gathered enough evidence to link the VMConnect campaign to the North Korean Lazarus APT group, indicating their involvement in this complex cyber operation.
