Security researchers are warning about an ongoing supply chain attack that uses malicious Python packages to distribute an information stealer. The attackers have been active since October 2022. The attack was uncovered by investigators on 01 November 2022: the attackers copy existing popular libraries and inject a malicious ‘import’ statement into them. The injected code infects the victim’s machine with a script that runs in the background. The script, which fetches the victim’s geolocation, contains a modified version of an information stealer called WASP.
The attackers have infected hundreds of victims to date and are actively releasing new packages to keep the campaign going. Steganography is used to hide the malicious code inside the packages. The payload is polymorphic: different code is served each time the second- and third-stage URLs are loaded, which helps evade detection and ensures persistence.
Steganography is the practice of concealing information within another message or physical object so that the presence of the hidden information is not evident on inspection. In computing, a file, message, image, or video is concealed within another file, message, image, or video.
The WASP malware can steal a great deal of information from victims’ machines, including all of the victim’s Discord accounts, passwords, credit card data, crypto wallets, and other files of interest on the victim’s PC. It sends the stolen data back to the attacker through a hard-coded Discord webhook address. WASP’s operators claim that it is fully undetectable.
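Two of the traits described above, an extra ‘import’ statement injected into a copied library and a hard-coded Discord webhook for exfiltration, can be checked for statically before a package is installed. The following is an added example written for this article, not code from the researchers or from the campaign; the upstream and suspect packages are constructed stand-ins, and the webhook URL and encoded blob are placeholders:

```python
import ast
import re
from typing import Dict, List, Set

# Discord webhook URLs have a fixed path prefix; a hard-coded one inside a
# library is how the stealer described above ships data home.
WEBHOOK_RE = re.compile(r"https://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/[\w/.-]+")
# exec()/eval() fed straight from a decoder is the usual shape of a hidden stager.
DECODE_EXEC_RE = re.compile(r"\b(?:exec|eval)\s*\([^\n]*\b(?:b64decode|fromhex|decompress)\b")


def collect_imports(source: str) -> Set[str]:
    """Return every module name imported anywhere in one Python source file."""
    names: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            names.add("." * node.level + (node.module or ""))
    return names


def scan_package(upstream: Dict[str, str], suspect: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a suspected clone (path -> source) against the release it imitates; empty categories are dropped."""
    baseline = set().union(*(collect_imports(src) for src in upstream.values()))
    injected, hooks, stagers = set(), [], []
    for path, source in suspect.items():
        injected |= collect_imports(source) - baseline          # imports the real library never had
        hooks += [f"{path}: {url}" for url in WEBHOOK_RE.findall(source)]
        stagers += [f"{path}: {ln.strip()}" for ln in source.splitlines() if DECODE_EXEC_RE.search(ln)]
    findings = {"injected_imports": sorted(injected), "webhook_urls": hooks, "decode_exec": stagers}
    return {key: val for key, val in findings.items() if val}


# Constructed sample: a stand-in for a legitimate library and a typosquatted copy of it.
UPSTREAM_PKG = {"pkg/__init__.py": '''"""Constructed stand-in for a popular library."""
import json
import os

def get(url):
    return json.dumps({"url": url, "cwd": os.getcwd()})
'''}
SUSPECT_PKG = {
    "pkg/__init__.py": UPSTREAM_PKG["pkg/__init__.py"] + "from .stage_one import run\n",
    "pkg/stage_one.py": '''import base64, zlib
HOOK = "https://discord.com/api/webhooks/000000/CONSTRUCTED_PLACEHOLDER"
BLOB = "CONSTRUCTED_PLACEHOLDER"  # stands in for an encoded second stage
exec(zlib.decompress(base64.b64decode(BLOB)))
''',
}
```

The sample files are only parsed and searched, never executed, so the check is safe to run against an unpacked wheel or sdist before installation.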
The threat actor behind these attacks is offering the malware on cybercrime forums, claiming the code is fully undetectable. Researchers were able to link WASP’s author to a Steam account and to a YouTube channel containing videos on building Discord hacking tools. Since the beginning of the campaign, the attacker has created tens of new Python packages and numerous fake user accounts that mimic legitimate libraries and accounts.
The level of manipulation used by software supply chain attackers is increasing as they gain experience. This attack appears to be ongoing: whenever the Python security team removes the attacker’s packages, they quickly create a new identity or simply publish under a different name.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com