Security researchers detected a “mysterious” malicious Python package that downloads the Cobalt Strike malware on Windows, Linux, and macOS systems.
Called “pymafka,” the package masquerades as the legitimate popular library PyKafka, a programmer-friendly Kafka client for Python. According to Sonatype researchers, the malicious package has been downloaded approximately 300 times.
“On May 17th, a mysterious ‘pymafka’ package appeared on the PyPI registry. The package was shortly flagged by the Sonatype Nexus platform’s automated malware detection capabilities,” the researchers said.
What’s Inside the Malicious pymafka Package?
The first thing to note about the malicious pymafka package is that it detects the host operating system in order to download the matching malware variant. The campaign drops the well-known Cobalt Strike trojan. Cobalt Strike is popular among red teams and ethical hackers for simulating real-world cyberattacks, but it is also used by cybercriminals; for example, the LockBit ransomware gang has been known to use the Cobalt Strike beacon to infect its victims.
On Windows systems, specifically, the package tries to drop the Cobalt Strike beacon at ‘C:\Users\Public\iexplorer.exe’, which is a misspelling of the legitimate Internet Explorer process (iexplore.exe).
“The malicious executables being downloaded are ‘win.exe’ [VirusTotal], and ‘MacOS’ [VirusTotal], with their names corresponding to their target operating systems. Both of these are downloaded from the IP address 141.164.58[.]147, commissioned by the cloud hosting provider, Vultr,” the report added.
These executables attempt to connect to a China-based IP address assigned to Alisoft (Alibaba). At the time the researchers submitted the samples to VirusTotal, fewer than a third of its antivirus engines detected them as malicious. Notably, on Windows the payload persistently polled the ‘/updates.rss’ endpoint and kept sending encrypted cookie values in its requests, behavior consistent with Cobalt Strike beacons.
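The indicators described above (the payload download host and the repeated ‘/updates.rss’ polling with cookie values) can be turned into a simple proxy-log check. This is an added example, not code from Sonatype or the report; the log layout, the TEST-NET addresses standing in for the unnamed C2, and the poll threshold are assumptions.

```python
import re
from collections import Counter

# Indicators taken from the report: the payload download host and the
# endpoint the Windows payload kept polling. The C2 address is not given
# on the page, so the constructed log uses a TEST-NET placeholder for it.
PAYLOAD_HOST = "141.164.58.147"
BEACON_PATH = "/updates.rss"
MIN_POLLS = 3  # repeated polls from one client before it counts as beacon-like

# Assumed proxy log layout (constructed, not a real product's format):
#   <timestamp> <client_ip> <dest_ip> <method> <path> cookie="<value>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) cookie="(?P<cookie>[^"]*)"$'
)
# Beacon metadata travels as a long base64-looking cookie value.
B64_RE = re.compile(r'^[A-Za-z0-9+/=]{40,}$')


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Flag clients that fetched from PAYLOAD_HOST or repeatedly polled
    BEACON_PATH with base64-looking cookies. Returns sorted client lists."""
    polls = Counter()
    downloads = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that do not match the assumed layout
        if rec["dest"] == PAYLOAD_HOST:
            downloads.add(rec["client"])
        if rec["path"] == BEACON_PATH and B64_RE.match(rec["cookie"]):
            polls[rec["client"]] += 1
    beacon_like = sorted(c for c, n in polls.items() if n >= MIN_POLLS)
    return {"payload_download": sorted(downloads), "beacon_like": beacon_like}


# Constructed sample: 10.0.0.5 fetches win.exe then polls /updates.rss with
# cookies; 10.0.0.7 and 10.0.0.9 read an ordinary feed and must not be flagged.
SAMPLE_LOG = """\
2022-05-18T10:00:01Z 10.0.0.5 141.164.58.147 GET /win.exe cookie=""
2022-05-18T10:01:00Z 10.0.0.5 203.0.113.10 GET /updates.rss cookie="QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"
2022-05-18T10:02:00Z 10.0.0.5 203.0.113.10 GET /updates.rss cookie="MTIzNDU2Nzg5QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVow"
2022-05-18T10:03:00Z 10.0.0.5 203.0.113.10 GET /updates.rss cookie="WVowMTIzNDU2Nzg5QUJDREVGR0hJSktMTU5PUFFSU1RVVldY"
2022-05-18T10:01:30Z 10.0.0.7 198.51.100.8 GET /updates.rss cookie=""
2022-05-18T10:02:30Z 10.0.0.9 198.51.100.8 GET /updates.rss cookie="session=abc123"
2022-05-18T10:03:30Z 10.0.0.9 198.51.100.8 GET /updates.rss cookie="session=abc123"
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A single poll with an empty or short cookie is ignored, so an ordinary RSS reader hitting a path named updates.rss does not trip the check; only the repeated, cookie-carrying pattern the report describes does.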
As for Linux targets, the malicious Python script tried to download and run an “env” executable from another Alibaba-owned IP address. All these findings were reported to the PyPI registry, and the package was removed shortly afterward.