Full Report
Cybersecurity researchers have flagged a malicious Python library on the Python Package Index (PyPI) repository that facilitates unauthorized music downloads from music streaming service Deezer. The package in question is automslc, which has been downloaded over 104,000 times to date. First published in May 2019, it remains available on PyPI as of writing. "Although automslc, which has been
Analysis Summary
# Tool/Technique: automslc
## Overview
`automslc` is a malicious Python package distributed via the Python Package Index (PyPI). Its stated purpose is music automation and metadata retrieval, but its true function is to covertly bypass Deezer's access restrictions to facilitate the unauthorized bulk downloading and decryption of full audio tracks from the Deezer music streaming service, effectively turning user systems into part of an illicit music piracy network.
## Technical Details
- Type: Malware/Compromised Package (Software Supply Chain Attack)
- Platform: Python; any system on which PyPI dependencies are installed.
- Capabilities: Unauthorized bulk downloading of copyrighted music (Deezer tracks), bypassing DRM/API restrictions, communication with C2 server.
- First Seen: First published to PyPI in May 2019.
## MITRE ATT&CK Mapping
This activity primarily focuses on initial access via software supply chain compromise and subsequent impact/command and control.
- **TA0001 - Initial Access**
- T1195 - Supply Chain Compromise
- T1195.001 - Compromise Software Supply Chain
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (inferred rather than stated: the package communicates with its C2 over a network port, and the report does not name the protocol)
## Functionality
### Core Capabilities
- Infiltrates systems via PyPI installation.
- Logs into the Deezer platform using hardcoded and user-supplied credentials.
- Gathers track-related metadata.
- Downloads and decrypts full audio files, violating Deezer's API terms regarding local/offline storage.
- Periodically reports download status to a C2 server.
### Advanced Features
- Embedded hardcoded credentials for immediate access.
- Communication with an external C2 server for centralized control over the piracy operation.
## Indicators of Compromise
- File Hashes: [Not explicitly listed in the context]
- File Names: automslc (Package Name)
- Registry Keys: [Not applicable/listed]
- Network Indicators:
- C2 Server: `54.39.49[.]17:8031` (Defanged)
- Associated Domain: `automusic[.]win` (Defanged)
- Behavioral Indicators: Unauthorized downloading and decryption of audio files from Deezer; unauthorized network communication to the specified C2 server/port.
- *Note: The context also mentions a separate malicious package, `@ton-wallet/create`, which steals mnemonic phrases and exfiltrates data to a Telegram bot. This is a separate attack described within the same article but not strictly part of the `automslc` functionality.*
## Associated Threat Actors
- Threat Actor(s) operating the coordinated music piracy operation (Identity not explicitly named, but implied control via C2).
## Detection Methods
- Signature-based detection: Signatures targeting the specific C2 IP/domain, or hash analysis if available.
- Behavioral detection: Monitoring Python processes (especially those spawned by pip installs) for outbound connections to the C2 IP/port, or for suspicious decryption and file I/O involving streaming-media content.
- YARA rules: [Not available in the context]
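The two behavioural checks above, applied to sample telemetry, as an added example that is not part of the original report: the C2 IP, port and domain are the indicators quoted in the report (refanged), while the log layout, the `pip freeze` input and the automslc version string are constructed assumptions.

```python
import re

# Indicators quoted in the report above (refanged); the log layout below is a constructed assumption.
C2_IP = "54.39.49.17"
C2_PORT = 8031
C2_DOMAIN = "automusic.win"
PACKAGE_NAME = "automslc"
#   "<timestamp> <process> <dst_ip>:<dst_port>"   connection event
#   "<timestamp> <process> dns <queried_name>"     DNS lookup
CONN_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
DNS_RE = re.compile(r"^(\S+)\s+(\S+)\s+dns\s+(\S+)$")

def flag_c2_activity(log_lines):
    """Return (timestamp, process, reason) for lines touching the C2 indicators."""
    hits = []
    for raw in log_lines:
        line = raw.strip()
        m = CONN_RE.match(line)
        if m:
            ts, proc, ip, port = m.groups()
            # Any contact with the C2 IP is reported; the port tells the documented 8031 from others.
            if ip == C2_IP:
                tag = "documented C2 port" if int(port) == C2_PORT else "non-standard port"
                hits.append((ts, proc, f"connection to C2 IP {ip}:{port} ({tag})"))
            continue
        m = DNS_RE.match(line)
        if m:
            ts, proc, name = m.groups()
            name = name.lower().rstrip(".")
            if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
                hits.append((ts, proc, f"DNS lookup of C2 domain {name}"))
    return hits

def flag_installed_package(freeze_lines):
    """Return versions of automslc found in `pip freeze` style output (name==version)."""
    found = []
    for raw in freeze_lines:
        name, _, version = raw.strip().partition("==")
        # PEP 503 normalisation so "Automslc" / "automslc" compare equal.
        if re.sub(r"[-_.]+", "-", name).lower() == PACKAGE_NAME:
            found.append(version or "unknown")
    return found

# Constructed sample input; the automslc version is a placeholder, not a value from the report.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z python3 54.39.49.17:8031",
    "2024-05-01T10:00:02Z python3 151.101.1.63:443",
    "2024-05-01T10:00:03Z python3 dns automusic.win",
    "2024-05-01T10:00:04Z curl 54.39.49.17:443",
]
SAMPLE_FREEZE = ["requests==2.31.0", "Automslc==0.0.0", "numpy==1.26.4"]
```

Connections to the C2 host on ports other than 8031 are still surfaced so that an analyst sees the full contact with that infrastructure rather than only the documented port.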
## Mitigation Strategies
- Prevention measures: Scrutinize all external dependencies installed via PyPI, including long-established packages with high download counts whose behaviour has never been reviewed (automslc was published in 2019 and flagged only later).
- Hardening recommendations: Implement dependency scanning tools to vet package behavior before installation; restrict network egress from development/production environments to unusual ports or domains.
## Related Tools/Techniques
- `@ton-wallet/create`: Another malicious PyPI/npm package detailed in the context, which utilizes a different technique (mnemonic phrase exfiltration) targeting the TON cryptocurrency ecosystem.