Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

code execution backdoor #30

Open
di1l0o opened this issue Dec 6, 2022 · 0 comments
Open

code execution backdoor #30

di1l0o opened this issue Dec 6, 2022 · 0 comments

Comments

@di1l0o
Copy link

di1l0o commented Dec 6, 2022

We discovered a malicious backdoor in the project's dependencies, affected versions are 56ccf40~c2439e3855df9296a2476e940adf35afbb833c20. Its malicious backdoor is the request package, the DeepFake-Detection/custom_docker_image/requirements.txt file has a dependency request.

image

Even if the request has been deleted by PyPI, many mirror sites have not completely deleted this package, so it can still be installed. For example: https://mirrors.neusoft.edu.cn/pypi/web/simple/request/

Using such a mirror site to download and install this item will be vulnerable.

image

Analysis of malicious function of request package:
1.Remote download of malicious code
When the request package is installed, the setup.py file in the package will be actively executed. The setup.py file contains the logic for the attacker to remotely download and execute malicious code. At the same time, the C2 domain name is encoded and obfuscated. The decrypted C2 address is: https://dexy.top/request/check.so.
2.Release the remote control Trojan and persist it
The malicious code loaded remotely during the installation of the request package includes two functions:
Release the remote control Trojan to the .uds folder of the current user's HOME directory. The Trojan name is _err.log (for example, /root/.uds/_err.log). The content of the _err.log remote control Trojan script is encoded and compressed by base64, which reduces the size and enhances the confrontation.
Implant malicious backdoor commands in .bashrc to achieve persistence
3.Issue stealing instructions
The attacker issues python secret stealing instructions through the remote control Trojan to steal sensitive information (coinbase account secret)
After decrypting the stealing instruction, the function is to request the C2 service: http://dexy.top/x.pyx, and remotely load the stealing Trojan.
Some of the functions of the remotely loaded secret stealing Trojan are shown below, which are used to steal browser cookies, coinbase accounts and passwords, etc.

Repair suggestion: replace request in requirements.txt with requests

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant