Deceptive Python Package ‘VMConnect’ Targets VMware vSphere Users

A recent cybersecurity incident has brought to light a malicious Python package on the Python Package Index (PyPI), posing as the VMware vSphere connector module ‘vConnector’. This package, named ‘VMConnect’, was specifically designed to target IT professionals, exploiting their trust in public repositories and the legitimacy of the VMware vSphere tools.

The Deceptive VMware vConnector Package

A package named ‘VMConnect’, found on PyPI, was identified as a malicious entity impersonating the VMware vSphere connector module ‘vConnector’. VMware vSphere is a suite of virtualisation tools, and vConnector is a Python module used by developers and system administrators, downloaded approximately 40,000 times a month via PyPI.

The malicious package was uploaded onto PyPI on July 28, 2023, and had gathered 237 downloads until its removal on August 1, 2023. Sonatype’s investigation revealed two more packages with identical code as ‘VMConnect’, namely ‘ethter’ and ‘quantiumbase’, downloaded 253 and 216 times, respectively.

The packages contained the functionality of the projects they mimicked, which could trick victims into believing they were running legitimate tools and prolong the duration of an infection. Signs of malicious intent in the package’s code were evident in the ‘init.py’ file that contains a base-64-encoded string that is decoded and executed on a separate process, running every minute to retrieve data from an attacker-controlled URL and execute it on the compromised machine.

IOCs

The URL these packages ping is hxxp://45.61.139[.]219/paperpin3902.jpg (in some versions, the variation involved the domain: hxxps://ethertestnet[.]pro/paperpin3902.jpg). Despite the link appearing like an image file, it serves plaintext code.

Source: BleepingComputer

Relevant MITRE ATTACK TTPs

The TTPs (Tactics, Techniques, and Procedures) relevant to this threat are:

1. T1190 – Exploit Public-Facing Application: The malicious packages on PyPI exploit the trust users place in public repositories to download and install software. The packages mimic legitimate ones, tricking users into downloading and installing them.
2. T1105 – Remote File Copy: The malicious packages contain code that retrieves data from an attacker-controlled URL and executes it on the compromised machine.
3. T1027 – Obfuscated Files or Information: The malicious packages use base-64 encoding to obfuscate malicious code.
4. T1071 – Standard Application Layer Protocol: The malicious packages use HTTP to communicate with the attacker-controlled server.
5. T1496 – Resource Hijacking: By running on the victim’s machine, the malicious packages hijack resources.

Conclusion

The discovery of the malicious VMware vConnector packages underscores the importance of maintaining robust security measures and staying informed about the latest threats in the cybersecurity landscape. IT professionals and organisations must remain vigilant to protect their systems and data.

Further Reading

1. Fake VMware vConnector package on PyPI targets IT pros – BleepingComputer
2. Malicious Python packages found on PyPI – Sonatype Blog
3. Python Package Index removes 3,653 malicious packages – ZDNet
4. PyPI removes 70 malicious packages downloaded 172,000 times – Threatpost