TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM
The TeamPCP threat actor compromised the Telnyx Python SDK on PyPI, injecting malicious code that executes upon import. The attack utilizes split-file injection and WAV audio steganography to deliver credential-stealing malware, establishing persistence on Windows systems and exfiltrating data via plaintext HTTP.
Authors: John Rainier Navato
Source: Trend Micro
- Filename: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe - Malicious PE executable dropped for boot persistence on Windows, masquerading as a legitimate Microsoft tool.
- URL: hxxp://83[.]142[.]209[.]203:8080/hangup.wav - URL hosting the Windows payload hidden via WAV steganography.
- URL: hxxp://83[.]142[.]209[.]203:8080/ringtone.wav - URL hosting the Linux/macOS payload hidden via WAV steganography.
Key Takeaways
- Attackers compromised Telnyx Python SDK versions 4.87.1 and 4.87.2 on PyPI, executing malicious code upon import.
- The payload utilizes WAV-based audio steganography to hide credential-stealing malware downloaded at runtime, bypassing static analysis.
- The campaign introduces Windows support, establishing persistence by dropping a PE file masquerading as msbuild.exe in the Startup folder.
- Exfiltration infrastructure shifted from HTTPS domains to plaintext HTTP over a raw IP address, creating new network detection opportunities.
- Systems that installed the affected versions should be considered fully compromised and downgraded to version 4.87.0 immediately.
Affected Systems
- Windows
- Linux
- macOS
- Python environments using Telnyx SDK versions 4.87.1 or 4.87.2
Attack Chain
The attack initiates when a victim imports the compromised Telnyx package, triggering malicious code injected into _client.py. The script downloads a structurally valid WAV file containing a hidden payload via XOR steganography. On Windows, it extracts a PE file, saves it as msbuild.exe in the Startup folder for persistence, and executes it silently. On Linux/macOS, it runs a credential harvester in memory, encrypts the stolen data using OpenSSL, and exfiltrates it via a curl POST request to the C2 server.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: TrendAI Vision One
The article provides a hunting query for TrendAI Vision One to detect network connections to the campaign's C2 server.
Detection Engineering Assessment
- EDR Visibility: High — EDR solutions can readily detect the creation of executable files in the Startup folder, the use of 'attrib +h' to hide files, and the execution of curl/openssl commands spawned by a Python process.
- Network Visibility: High — The shift to plaintext HTTP on port 8080 makes the WAV file downloads and exfiltration traffic (including the specific X-Filename header) highly visible to network monitoring tools.
- Detection Difficulty: Moderate — While the steganography and split-file injection effectively evade static analysis, the behavioral indicators (Startup folder drops, plaintext HTTP C2, specific headers) are straightforward to detect with standard telemetry.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon Event ID 1)
- File Creation (Sysmon Event ID 11)
- Network Connections (Sysmon Event ID 3)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for Python processes initiating HTTP connections over port 8080 to download .wav files, indicating potential steganographic payload delivery. | Network Connections, Process Creation | Delivery | Low |
| Search for file creation events in the Windows Startup folder where the filename is msbuild.exe, especially if the parent process is Python. | File Creation, Process Creation | Persistence | Low |
| Monitor for the execution of the 'attrib +h' command targeting .lock files in the Startup folder, used for anti-replay evasion. | Process Creation | Defense Evasion | Low |
| Hunt for outbound HTTP POST requests containing the custom header 'X-Filename: tpcp.tar.gz', indicating data exfiltration. | Network Traffic | Exfiltration | Low |
| Look for Python processes spawning openssl, tar, and curl in rapid succession, matching the Linux/macOS exfiltration chain. | Process Creation | Exfiltration | Medium |
Control Gaps
- Static code analysis tools (bypassed by split-file and runtime decoding)
- MIME-type and file extension filters (bypassed by structurally valid WAV files)
Key Behavioral Indicators
- Python process creating msbuild.exe in Startup folder
- attrib +h executed on .lock files
- HTTP POST with X-Filename: tpcp.tar.gz header
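The hunting hypotheses and the behavioral indicators above reduce to a few checks over process, file and network telemetry. The following is an added example, not code from the Trend Micro article, that runs those checks over constructed Sysmon-style events (Event IDs 1, 3 and 11); the field names, the 60-second "rapid succession" window and the sample events are assumptions.

```python
import re
from collections import defaultdict

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
PYTHON_RE = re.compile(r"python(\d+(\.\d+)?)?(\.exe)?", re.I)  # python, python3, python3.12, python.exe
EXFIL_CHAIN = {"openssl", "tar", "curl"}        # tools the Linux/macOS stage spawns from Python

def base(path):                                  # lower-cased file name of a Windows or POSIX path
    return re.split(r"[\\/]", path or "")[-1].lower()
def is_python(path):
    return bool(PYTHON_RE.fullmatch(base(path)))

def hunt(events):
    """Return sorted (rule, reference) hits; reference is an event id or a parent pid."""
    hits, chain = [], defaultdict(list)          # chain: python pid -> [(time, tool, event id)]
    for ev in events:
        eid, img = ev["EventID"], base(ev.get("Image"))
        if eid == 11 and is_python(ev.get("Image")) and STARTUP_RE.search(ev.get("TargetFilename", "")) \
                and base(ev["TargetFilename"]) == "msbuild.exe":
            hits.append(("python_drops_startup_msbuild", ev["id"]))
        elif eid == 1:
            cmd = ev.get("CommandLine", "")
            if img == "attrib.exe" and re.search(r"\s\+h\s", cmd) and ".lock" in cmd.lower() \
                    and STARTUP_RE.search(cmd):
                hits.append(("attrib_hide_lock_file", ev["id"]))
            if img.split(".")[0] in EXFIL_CHAIN and is_python(ev.get("ParentImage")):
                chain[ev["ParentProcessId"]].append((ev["UtcTime"], img.split(".")[0], ev["id"]))
        elif eid == 3 and is_python(ev.get("Image")) and ev.get("DestinationPort") == 8080:
            hits.append(("python_outbound_8080", ev["id"]))   # confirm the .wav URL in proxy logs
    for pid, seq in chain.items():               # openssl, tar and curl from one Python parent within 60 s
        seq.sort()
        for i, (t0, _, _) in enumerate(seq):
            if EXFIL_CHAIN <= {tool for t, tool, _ in seq[i:] if t - t0 <= 60}:   # 60 s window is an assumption
                hits.append(("python_openssl_tar_curl_chain", f"pid:{pid}"))
                break
    return sorted(hits)

SAMPLE_EVENTS = [  # constructed Sysmon-style telemetry, not from the report; UtcTime in epoch seconds
    {"id": "e1", "EventID": 11, "Image": r"C:\Python312\python.exe",
     "TargetFilename": r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe"},
    {"id": "e2", "EventID": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib +h "C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe.lock"'},
    {"id": "e3", "EventID": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r"attrib +h C:\Users\dev\notes.txt"},   # benign: not a .lock file in Startup
    {"id": "e4", "EventID": 3, "Image": r"C:\Python312\python.exe", "DestinationPort": 8080},
    {"id": "e5", "EventID": 1, "Image": "/usr/bin/openssl", "ParentImage": "/usr/bin/python3", "ParentProcessId": 4242, "UtcTime": 1000},
    {"id": "e6", "EventID": 1, "Image": "/usr/bin/tar", "ParentImage": "/usr/bin/python3", "ParentProcessId": 4242, "UtcTime": 1003},
    {"id": "e7", "EventID": 1, "Image": "/usr/bin/curl", "ParentImage": "/usr/bin/python3", "ParentProcessId": 4242, "UtcTime": 1010},
    {"id": "e8", "EventID": 1, "Image": "/usr/bin/curl", "ParentImage": "/bin/bash", "ParentProcessId": 7, "UtcTime": 1011},  # benign parent
]
```

`hunt(SAMPLE_EVENTS)` flags e1, e2, e4 and the pid 4242 chain while leaving the benign attrib call and the shell-spawned curl alone; the port-8080 rule is the noisiest and is best paired with proxy logs showing the .wav request or the X-Filename header.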
False Positive Assessment
- Low. The combination of specific C2 IPs, custom HTTP headers (X-Filename: tpcp.tar.gz), and dropping msbuild.exe in the Startup folder via Python is highly anomalous and specific to this campaign.
Recommendations
Immediate Mitigation
- Downgrade Telnyx installations from 4.87.1 or 4.87.2 to the last known clean release (4.87.0).
- Treat any system that imported the affected versions as fully compromised and initiate incident response procedures.
Infrastructure Hardening
- Block outbound traffic to the known C2 IP address 83.142.209.203.
- Implement network monitoring for unexpected plaintext HTTP traffic on port 8080, particularly involving media files.
User Protection
- Pin all PyPI dependencies by hash to prevent automatic updates to compromised package versions.
- Monitor CI/CD environments for unexpected audio file downloads or unauthorized outbound connections.
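The downgrade and hash-pinning recommendations above can be checked mechanically. This is an added example, not code from the Trend Micro article or the Telnyx project, that audits a pip requirements file for the affected Telnyx releases, for Telnyx entries without an exact pin, and for lines carrying no `--hash`; the REQUIREMENTS text and its all-zero sha256 value are constructed placeholders.

```python
import re

AFFECTED = {"telnyx": {"4.87.1", "4.87.2"}}   # compromised releases named in the report
CLEAN = {"telnyx": "4.87.0"}                   # last known clean release
# name, optional extras, exact-version pin; anything else is treated as unpinned
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([0-9][^\s;]*)")

def parse_requirements(text):
    """Yield (name, exact_version_or_None, hash_pinned, line) per logical requirement."""
    logical = re.sub(r"\\\r?\n", " ", text)            # join backslash-continued lines
    for raw in logical.splitlines():
        line = raw.split(" #", 1)[0].strip()           # drop inline comments
        if not line or line.startswith(("#", "-")):    # blank, comment or pip option line
            continue
        m = PIN_RE.match(line)
        name = m.group(1) if m else re.split(r"[<>=!~\s\[;@]", line, maxsplit=1)[0]
        yield name.lower().replace("_", "-"), (m.group(3) if m else None), "--hash=sha256:" in line, line

def audit(text):
    """Return findings as (severity, package, message) tuples."""
    findings = []
    for name, version, hashed, line in parse_requirements(text):
        if name in AFFECTED and version in AFFECTED[name]:
            findings.append(("critical", name,
                             f"{name}=={version} is a compromised release; rebuild the environment on {CLEAN[name]}"))
        elif name in AFFECTED and version is None:
            findings.append(("high", name, f"{name} has no exact pin; the resolver may select an affected release"))
        if not hashed:
            findings.append(("medium", name, f"no --hash on {line!r}; pip cannot verify the downloaded artifact"))
    return findings

REQUIREMENTS = """\
# constructed sample requirements.txt (not from the report)
telnyx==4.87.1
requests>=2.31
httpx==0.27.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000  # placeholder hash
"""

if __name__ == "__main__":
    for severity, pkg, msg in audit(REQUIREMENTS):
        print(f"[{severity.upper():8}] {pkg}: {msg}")
```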
Security Awareness
- Educate developers on the risks of supply chain attacks and the importance of dependency pinning and verification.
MITRE ATT&CK Mapping
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
- T1027.011 - Obfuscated Files or Information: Steganography
- T1027.010 - Obfuscated Files or Information: Command Obfuscation
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1564.001 - Hide Artifacts: Hidden Files and Directories
- T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
- T1059.006 - Command and Scripting Interpreter: Python
Additional IOCs
- IPs:
  - 83[.]142[.]209[.]203 - Primary C2 and exfiltration IP address
- URLs:
  - hxxp://83[.]142[.]209[.]203:8080/ - Exfiltration endpoint for stolen credentials
- File Paths:
  - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe.lock - Anti-replay lock file used to prevent redundant executions
  - telnyx/_client.py - Compromised Python SDK file containing split-file injection
- Command Lines:
  - attrib +h | Tools: attrib.exe | Stage: Defense Evasion | Purpose: Hide the anti-replay lock file in the Startup folder
  - subprocess.Popen([p], creationflags=0x08000000) | Tools: Python subprocess | Stage: Execution | Purpose: Execute the dropped Windows payload silently without a window
  - openssl rand -out | Tools: openssl | Stage: Collection/Encryption | Purpose: Generate a session key for encrypting stolen data
  - tar -czf | Tools: tar | Stage: Collection | Purpose: Archive the encrypted payload and session key
  - curl -s -o /dev/null -w %{http_code} -X POST | Tools: curl | Stage: Exfiltration | Purpose: Exfiltrate the archived data to the C2 server
- Other:
  - tpcp.tar.gz - Filename used for the exfiltrated archive