PyMafka Attack Detection

May 30, 2022 · 3 min read
Malicious Python Package PyMafka

Earlier this month, security researchers discovered a malicious package in the Python Package Index (PyPI) registry. Once in the system, PyMafka fetches a relevant Cobalt Strike beacon based on the victim’s OS.

The name suggests that PyMafka is an attempt at typosquatting PyKafka, a cluster-aware Kafka protocol client for Python.

Detect PyMafka

In order to identify whether your environment was compromised by PyMafka, use the Sigma rules below, developed by the talented members of the SOC Prime Threat Bounty Program, Osman Demir and Sohan G:

Possible pyMafka Command and Control by Download of Mach-O Binary (via file_event)

Suspicious PyMafka Python Package Drops Cobalt Strike by Detection of Misspelling (via cmdline)

Suspicious PyMafka Malware Defense Evasion by Detection of Associated Files (via file_event)
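As an added illustration of what a "detection of misspelling via cmdline" rule looks for (my own example code, not SOC Prime's Sigma rule and not anything from the malicious package): a small scanner over process-creation command lines that extracts the packages requested by `pip install`/`pip download`, flags the known typosquat name, and more generally flags any name one edit away from a watched legitimate package. The command lines are constructed for the demo, and the `pykafka`/`pymafka` pair is the only data taken from the post.

```python
import re
import shlex
WATCHED = {"pykafka"}           # legitimate name the campaign imitated (named on the page)
KNOWN_TYPOSQUATS = {"pymafka"}  # the malicious look-alike (named on the page)
# pip options that consume the next token, which therefore is not a package name.
VALUE_OPTS = {"-r", "--requirement", "-c", "--constraint", "-i", "--index-url", "-t", "--target"}
SAMPLE_CMDLINES = [  # constructed process-creation command lines for the demo; not real telemetry
    "pip install pykafka",
    "pip3 install pymafka",
    "/usr/local/bin/python3 -m pip install --user PyMafka==1.0.0",
]

def requested_packages(cmdline: str) -> list:
    """Normalised package names asked for by a `pip install`/`pip download` command line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: not something pip would have parsed either
        return []
    # Find `pip`/`pip3` (also the one after `python -m`), then require install/download next.
    at = next((i for i, t in enumerate(argv) if t.rsplit("/", 1)[-1].lower().startswith("pip")), None)
    if at is None or argv[at + 1:at + 2] not in (["install"], ["download"]):
        return []
    names, skip = [], False
    for tok in argv[at + 2:]:
        if skip or tok in VALUE_OPTS:
            skip = tok in VALUE_OPTS  # drop this option now and its value on the next pass
        elif not tok.startswith("-"):
            # strip version specifiers / extras, then apply PyPI-style normalisation
            name = re.split(r"[=<>!~\[;@]", tok, maxsplit=1)[0].lower().replace("_", "-")
            if re.fullmatch(r"[a-z0-9][a-z0-9._-]*", name):
                names.append(name)
    return names

def edit_distance(a: str, b: str) -> int:  # Levenshtein distance, rolling-row form
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name: str):  # reason string if name is a known or likely typosquat, else None
    if name in KNOWN_TYPOSQUATS:
        return "known malicious typosquat"
    near = [w for w in WATCHED if name != w and edit_distance(name, w) == 1]
    return f"one edit away from {near[0]}" if near else None

def scan(cmdlines=SAMPLE_CMDLINES) -> list:  # (cmdline, package, reason) per suspicious install
    return [(c, p, classify(p)) for c in cmdlines for p in requested_packages(c) if classify(p)]
```

Running `scan()` over the embedded sample flags both pymafka installs and leaves the genuine pykafka install alone; the one-edit heuristic is a hunting signal, not a verdict, so review its hits before alerting on them.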

The detections are available for all market-leading SIEM, EDR & XDR solutions, aligned with the latest MITRE ATT&CK® framework v.10.

Eager to increase visibility into existing and emerging threats? The View Detections button will take you to SOC Prime’s rich library of detection content available for all registered users. Experienced threat hunters would make a valuable asset to the Threat Bounty Program, where they can increase their threat hunting velocity and contribute to collaborative cyber defense along with 23,000+ security leaders.


PyMafka Campaign Analysis

Sonatype security analysts report a new typosquatting attack scenario. Adversaries distribute a malicious Python package dubbed PyMafka, leveraging the name similarity to a Kafka client for Python named PyKafka. The attack scenario is as follows: the victim-to-be downloads the PyMafka package and opens it. The Python script within the package identifies the OS that the victim is using and fetches an OS-appropriate variant of the trojan, which is a Cobalt Strike beacon.

The executable showed behavior consistent with Cobalt Strike attacks, and all the variants were spotted contacting China-based IP addresses. The package is no longer available in the PyPI repository, having reached a little over 300 downloads before it was taken down. The adversaries behind the PyMafka campaign remain unknown.

With adversaries' growing interest in abusing popular open-source software repositories, the SOC Prime platform helps defend against new hacking solutions faster and more efficiently. Test the content streaming capabilities of the CCM module and help your organization empower daily SOC operations with cyber threat intelligence. Keep a finger on the pulse of the fast-paced environment of cybersecurity risks and get the best mitigation solutions with SOC Prime.
