The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Pymafka Targets macOS, Windows, Linux

Jun 17, 2022 2:17:39 PM / by PolySwarm Tech Team

Pymafka_Blog

Executive Summary

Sonatype recently reported on Pymakfa, a malicious Python package in the PyPl registry dropping Cobalt Strike on macOS, Windows, and Linux.

Key Takeaways

  • Pymakfa is a malicious Python package likely meant as a typosquat of the legitimate python library PyKafka.
  • Pymafka targets Windows, macOS, and Linux systems, dropping Cobalt Strike beacons on the victim machine.
  • At the time of discovery, less than one third of antivirus engines detected the samples as malicious.
What is Pymafka?

Pymakfa is a malicious Python package in the PyPl registry dropping Cobalt Strike on macOS, Windows, and Linux. Pymafka is an apparent attempt at a software supply chain attack targeting open-source code.

According to researchers at Sonatype, the Pymafka package appears to be a typosquat of PyKafka, a legitimate and popular library that serves as a programmer-friendly Apache Kafka client for Python. The legitimate PyKafka has been downloaded over 4,240,305 times by both users and mirrors/bots. The malicious Pymafka package has been downloaded around 300 times.

The malicious Pymafka package was first observed on the PyPl registry on May 17th. Pymafka’s setup.py script detects the victim’s platform (Windows, macOS, or Linux) and then downloads and executes a trojan crafted to target that operating system. The trojan is a Cobalt Strike beacon. On Windows systems, the location where the beacon is dropped is C:\Users\Public\iexplorer.exe, which is meant to masquerade as the legitimate Internet Explorer process iexplore.exe. The malicious executables targeting Windows and Mac are downloaded from 141.164.58[.]147 and attempt to contact the C2 at 39.106.227[.]92. On Windows systems, the payload persistently surveys the /updates.rss endpoint and sends requests containing encrypted cookie values, as is typical of Cobalt Strike beacons.  On Linux systems, the script attempts to download and run an env executable from 39.107.154[.]72.

Less than one third of antivirus engines detected the samples as malicious when the samples were first reported.

IOCs

PolySwarm has multiple samples of Pymafka.

137edba65b32868fbf557c07469888e7104d44911cd589190f53f6900d1f3dfb (win.exe)

4de4f47b7f30ae31585636afd0d25416918d244fcc9dfe50967a47f68bb79ce1 (pymafka-3.0.tar.gz)

8a2c50ccc85bc2befae27c73cd4c302d26d10ef94416e1ad25a79a68b9a6a3e4

B117f042fe9bac7c7d39eab98891c2465ef45612f5355beea8d3c4ebd0665b45 (macOS)

You can use the following CLI command to search for all Pymafka samples in our portal:

$ polyswarm link list -f Pymafka


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports


Topics: Threat Bulletin, Windows, Linux, Python, Pymafka, Cobalt Strike

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts