Cybersecurity researchers have identified 116 malicious packages on the Python Package Index (PyPI) repository designed to infect Windows and Linux systems with a custom backdoor. In some cases the final payload is instead a variant of the infamous W4SP Stealer, a simple clipboard monitor that steals cryptocurrency, or both, the investigators noted.
The packages are estimated to have been downloaded over 10,000 times since May 2023. The threat actors behind the activity have been observed using three techniques to bundle malicious code into Python packages: via a test.py script, embedding PowerShell in the setup.py file, and incorporating it in obfuscated form in the __init__.py file.[1]
Regardless of the method used, the campaign's end goal is to compromise the targeted host with malware, primarily a backdoor capable of remote command execution, data exfiltration, and taking screenshots. The backdoor module is implemented in Python for Windows and in Go for Linux. The attack chains also culminate in deploying W4SP Stealer or a clipper malware designed to keep close tabs on a victim's clipboard activity and swap the original wallet address, if present, with an attacker-controlled address.
See: https://redskyalliance.org/xindustry/bandit-stealer-to-go
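The three bundling techniques described above (an install-time test.py script, PowerShell embedded in setup.py, and an obfuscated loader in __init__.py) can all be checked for statically before a package is ever installed. The following is an added example, not code from the article or from the researchers it cites: a heuristic scanner that parses setup.py, test.py and every __init__.py with Python's ast module and flags PowerShell invocations, process spawning at install or import time, a setup.py that references test.py, and exec/eval of a long base64 blob. The indicator patterns, the package layout it expects and the two sample packages it builds ("totally-fine" with all three tricks and a benign "fine") are constructed assumptions for illustration; the malicious sample contains inert strings only and nothing in it is executed.

```python
"""Heuristic pre-install scanner for the three bundling tricks described above.
Added example code, not from the article or the cited researchers."""
import ast
import base64
import re
import tempfile
from pathlib import Path

# Assumed indicator patterns (constructed for this example, not from the article).
POWERSHELL_RE = re.compile(r"powershell(\.exe)?\b|-EncodedCommand\b", re.IGNORECASE)
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")   # long opaque literal
LOADER_CALLS = {"exec", "eval", "compile", "__import__"}
SPAWN_CALLS = {"os.system", "os.popen", "subprocess.call", "subprocess.run",
               "subprocess.Popen", "subprocess.check_output", "subprocess.check_call"}


def _call_names(tree: ast.AST) -> set[str]:
    """Collect plain and one-level dotted call targets: exec, os.system, subprocess.Popen ..."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            f = node.func
            if isinstance(f, ast.Name):
                names.add(f.id)
            elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                names.add(f"{f.value.id}.{f.attr}")
    return names


def scan_file(path: Path, label: str) -> list[str]:
    """Flag PowerShell strings, process spawning, and exec/eval of decoded blobs in one file."""
    findings = []
    text = path.read_text(errors="replace")
    if POWERSHELL_RE.search(text):
        findings.append(f"{label}: embedded PowerShell invocation")
    try:
        tree = ast.parse(text)
    except SyntaxError:
        return findings + [f"{label}: not parseable as Python (possible obfuscation)"]
    calls = _call_names(tree)
    if calls & LOADER_CALLS and (BASE64_BLOB_RE.search(text) or "base64.b64decode" in calls):
        findings.append(f"{label}: exec/eval of a decoded blob (obfuscated loader)")
    spawn = sorted(calls & SPAWN_CALLS)
    if spawn:
        findings.append(f"{label}: spawns a process at import/install time ({', '.join(spawn)})")
    return findings


def scan_package(root: Path) -> list[str]:
    """Scan the files that run at install (setup.py, test.py) or at import (__init__.py)."""
    findings = []
    setup_py, test_py = root / "setup.py", root / "test.py"
    for p in (setup_py, test_py):
        if p.exists():
            findings += scan_file(p, p.name)
    if setup_py.exists() and test_py.exists() and "test.py" in setup_py.read_text(errors="replace"):
        findings.append("setup.py runs test.py during installation")
    for init in root.rglob("__init__.py"):
        findings += scan_file(init, init.relative_to(root).as_posix())
    return sorted(findings)


def build_samples(base: Path) -> tuple[Path, Path]:
    """Write two constructed packages: one using all three tricks (inert strings only,
    nothing is executed) and one benign, and return their roots."""
    bad = base / "totally-fine"
    (bad / "totally_fine").mkdir(parents=True)
    (bad / "setup.py").write_text(
        "from setuptools import setup\nimport subprocess\n"
        "subprocess.Popen(['powershell', '-EncodedCommand', 'QQBBAEEA'])\n"
        "subprocess.call(['python', 'test.py'])\n"
        "setup(name='totally-fine', version='0.1')\n")
    (bad / "test.py").write_text("import os\nos.system('echo installed')\n")
    blob = base64.b64encode(b"print('hello')\n" * 20).decode()   # 400-char opaque literal
    (bad / "totally_fine" / "__init__.py").write_text(
        f"import base64\nexec(base64.b64decode('{blob}'))\n")
    good = base / "fine"
    (good / "fine").mkdir(parents=True)
    (good / "setup.py").write_text("from setuptools import setup\nsetup(name='fine', version='0.1')\n")
    (good / "fine" / "__init__.py").write_text("__version__ = '0.1'\n")
    return bad, good


def demo() -> tuple[list[str], list[str]]:
    """Build both samples in a temp dir and return (malicious findings, benign findings)."""
    base = Path(tempfile.mkdtemp())
    bad, good = build_samples(base)
    return scan_package(bad), scan_package(good)


if __name__ == "__main__":
    bad_findings, good_findings = demo()
    print("\n".join(bad_findings) or "no findings")
    print("benign package:", good_findings)
```

Run it against an unpacked sdist (`pip download --no-deps --no-binary :all: <name>` and extract) before installing, and treat any finding as grounds to read the file by hand; the patterns are deliberately coarse, so a legitimate build script that shells out will also be flagged, which is the right default for code that runs with your privileges at install time.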
The development is the latest in a wave of compromised Python packages attackers have released to poison the open-source ecosystem and distribute a medley of malware for supply chain attacks. It is also the newest addition to a steady stream of bogus PyPI packages that have acted as a stealthy channel for distributing stealer malware. In May 2023, researchers revealed another cluster of libraries engineered to propagate Sordeal Stealer, which borrows its features from W4SP Stealer.
In November 2023, malicious packages masquerading as seemingly innocuous obfuscation tools were found to deploy a stealer malware codenamed BlazeStealer. "Python developers should thoroughly vet the code they download, especially checking for these techniques, before installing it on their systems," the researchers cautioned.
The disclosure also follows the discovery of npm packages targeting an unnamed financial institution as part of an "advanced adversary simulation exercise." The names of the modules, which contained an encrypted blob, have been withheld to protect the organization's identity. This decrypted payload contains an embedded binary that cleverly exfiltrates user credentials to a Microsoft Teams webhook that is internal to the target company.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, a demo, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com.
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://thehackernews.com/2023/12/116-malware-packages-found-on-pypi.html