Thursday, March 28

Criminals steal data by spoofing popular open source package


On August 8, CheckPoint published a report on the discovery of 10 malicious Python packages on PyPI, the most widely used repository for software developers. Following this investigation, Kaspersky experts used their internal automated open source repository monitoring system and discovered two even more dangerous malicious packages in the same repository. Masquerading as ‘requests’, one of the most popular open source packages, they steal crypto wallet data, Discord tokens, cookies, and even Steam and Minecraft credentials from victims’ devices, potentially affecting millions of users.

The malicious packages pose as ‘requests’, one of the most popular open source packages; the only difference is the name, ‘ultrarequests’ and ‘pyquest’ instead of the original. To trick victims into installing them, the attackers reused the description of the legitimate ‘requests’ package, spoofing its download statistics and user reviews. The links in the description also lead to the real pages of the ‘requests’ package and to the email address of its author.
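A defender-side pre-install check for the two signals described above (a name that mimics a popular package, plus homepage and author contact copied from the legitimate project), added here as an example and not part of the original report; the package metadata, URLs and addresses in it are constructed placeholders, not real PyPI records:

```python
# Added example: flag a requested package whose name mimics a popular one and
# whose homepage/author contact are copied from that project. Sample data is constructed.
from difflib import SequenceMatcher

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-typo squats such as 'reqeusts'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def name_signals(candidate: str, popular: str) -> list:
    """Reasons the candidate name looks like a disguise of the popular one."""
    c, p = candidate.lower(), popular.lower()
    if c == p:
        return []
    signals = []
    if p in c:  # 'ultrarequests' simply wraps 'requests'
        signals.append("embeds popular name")
    if levenshtein(c, p) <= 2:  # one or two mistyped characters
        signals.append("near-identical spelling")
    m = SequenceMatcher(None, c, p).find_longest_match(0, len(c), 0, len(p))
    if m.size / len(p) >= 0.6:  # 'pyquest' shares 'quest' with 'requests'
        signals.append("shares most of the popular name")
    return signals

def metadata_signals(candidate: dict, legit: dict) -> list:
    """Links and contacts that belong to another project, as in the report."""
    return [f"{f} belongs to {legit['name']}" for f in ("home_page", "author_email")
            if candidate.get(f) and candidate[f] == legit.get(f)]

def assess(candidate: dict, legit: dict) -> list:
    """All signals for one package; copied metadata only counts with a lookalike name."""
    names = name_signals(candidate["name"], legit["name"])
    return names + (metadata_signals(candidate, legit) if names else [])

# Constructed metadata with placeholder URLs/addresses, not real PyPI records.
LEGIT = {"name": "requests", "home_page": "https://example.org/requests", "author_email": "maintainer@example.org"}
SAMPLES = [
    {"name": "ultrarequests", "home_page": "https://example.org/requests", "author_email": "maintainer@example.org"},
    {"name": "pyquest", "home_page": "https://example.org/requests", "author_email": "maintainer@example.org"},
    {"name": "httpx", "home_page": "https://example.org/httpx", "author_email": "other@example.org"},
]
if __name__ == "__main__":
    for pkg in SAMPLES:
        print(pkg["name"], "->", assess(pkg, LEGIT) or "no signals")
```

Run it as a hook before `pip install` to surface names that wrap, misspell or share most of a popular package's name and then reuse that project's links.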

After several stages of script obfuscation, the victim ends up running a Trojan written in Python that its author named W4SP Stealer in the code. The malware can steal browser cookies and saved passwords, collect data from popular crypto wallets such as MetaMask, Atomic and Exodus, and harvest Discord tokens and Steam and Minecraft credentials. With this data, attackers can quickly break into and hijack accounts, emptying the victims’ balances.

All collected data is sent to the operator via a Discord webhook and presented in a custom interface format, where the attacker can quickly see the victim’s email, phone, IP, and billing information.

Even if the victim changes their email address, password or billing information to protect themselves, the malware keeps collecting the new details and sending them to the attackers through the Discord channel until it is completely removed from the device. The attackers also insert a special script into the code to gain persistence on the infected device. However, they compiled the wrong code, so this mechanism does not work correctly and persistence is not achieved.

The malware also goes through the browsing history and then sends a list of saved website credentials whose URLs contain the keywords “mail”, “card”, “bank”, “buy” and “sell”. Interestingly, the keyword list also contains several French words: “mot de passe” (password), “mdp” (short for “mot de passe”), “banque” (bank) and “compte” (account), suggesting that the attackers are primarily targeting French-speaking users.

“Programmers have long realized that it takes too long to write boilerplate code for each application and they created repositories, open platforms where any developer can share open source packages to speed up the development process. Their popularity and openness to uploading any package makes them extremely vulnerable to cybercriminal attacks, as they could affect thousands of users in a single move. These types of attacks are not uncommon, for example, we recently discovered four malicious packages in the npm repository, hunting for Discord tokens and credit card information. Because of this, you can’t trust everything you download by default, even from reputable repositories.” says Leonid Bezvershenko, a security analyst at Kaspersky’s Global Research and Analysis Team.

“We have already reported these malicious packages to the PyPI security team and have added detections for this malware to our products, so users running our solutions will be able to identify if they have been infected and remove the malware,” adds Igor Kuznetsov, Chief Security Analyst at Kaspersky’s Global Research and Analysis Team. Learn more at www.kaspersky.com

diarioti.com
