Pulse Detail — Threat Intelligence

PULSE NAME

Attackers leverage PyPI to sideload malicious DLLs

WHITE Enterprise Strategy CyberHunter_NL 2024-02-21 Modified: 2024-02-21

IOCs

MEDIUM VOLUME

Open-source platforms and code are increasingly being used to deliver malware to software supply chains, according to researchers from ReversingLabs, who discovered two suspicious packages on the Python package manager.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1566 T1014 T1547 T1027 T1057 T1550 T1127 T1204 T1199 T1140 T1553 T1195

MALWARE FAMILIES

Cobalt Strike

Indicators of Compromise (24)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	5fca3bf478369aad61d40dd096a9e291	MD5 of 84c75536b279a85a5320f058514b884a016bc8c8	2024-02-21
FileHash-MD5	8d0778fb445094eace16d18bf078023f	MD5 of 1f9fcf86a56394a7267d85ba76c1256d12e3e76b	2024-02-21
FileHash-MD5	a1be3261c569f85d2239d83e18042a39	MD5 of 2dc80f45540d0a3ea33830848fcf529f98ea2f5e	2024-02-21
FileHash-MD5	e3214c81339540a3804fca656f5aea7d	—	2024-02-21
FileHash-SHA1	1f9fcf86a56394a7267d85ba76c1256d12e3e76b	—	2024-02-21
FileHash-SHA1	1fc236e94b54d3ddc4b2afb8d44a19abd7cf0dd4	—	2024-02-21
FileHash-SHA1	2dc80f45540d0a3ea33830848fcf529f98ea2f5e	—	2024-02-21
FileHash-SHA1	575bcc28998ad388c2ad2c2ebc74ba583f5c0065	—	2024-02-21
FileHash-SHA1	73ece3d738777e791035e9c0c94bf4931baf3e3a	—	2024-02-21
FileHash-SHA1	84c75536b279a85a5320f058514b884a016bc8c8	—	2024-02-21
FileHash-SHA1	a1bb4531ce800515afa1357b633c73c27fa305cf	—	2024-02-21
FileHash-SHA1	a65bce340366f724d444978dcdcd877fa2cacb1c	—	2024-02-21
FileHash-SHA1	dfc8afe5cb7377380908064551c9555719fd28e3	—	2024-02-21
FileHash-SHA1	e3a7098e3352fdbb5ff5991e9e10dcf3b43b1b86	—	2024-02-21
FileHash-SHA256	8c7423e2c833effc1193c6511c88a14ba48e5e3af9fd5c05f80f44c8d8ef71a4	SHA256 of 2dc80f45540d0a3ea33830848fcf529f98ea2f5e	2024-02-21
FileHash-SHA256	eee6b8f69bd3e65fa29142e7965b7a0d8bdec03d36e7c67266746ae54ebb493a	SHA256 of 84c75536b279a85a5320f058514b884a016bc8c8	2024-02-21
FileHash-SHA256	f81e8b6ca1e0c4ee7ca8668df4b3792ccb1608eed8bbf94a2247d869264540f2	SHA256 of 1f9fcf86a56394a7267d85ba76c1256d12e3e76b	2024-02-21
URL	https://cdn.0c.sk/1101012.zip	dc2f75883ff1f7578734585820314e35c6bc04b66c2cda1f14272a2c552f60a9	2024-02-21
URL	https://cdn.0c.sk/1101012.zip.	—	2024-02-21
URL	https://fus.rngupdatem.buzz	—	2024-02-21
URL	https://us.archive-ubuntu.top/components/an.gif?type=lastest	—	2024-02-21
hostname	fus.rngupdatem.buzz	—	2024-02-21
hostname	us.archive-ubuntu.top	—	2024-02-21
URL	https://www.facebook.com/tr?id=1076912843267184&ev=PageView&noscript=1	—	2024-02-21

References (1)

↗ https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls