On August 8, Check Point published a report on the discovery of 10 malicious Python packages on PyPI, the most widely used repository for Python software developers. Following up on this investigation, Kaspersky experts used their internal automated open source repository monitoring system and discovered two even more dangerous malicious packages in the same repository. Masquerading as ‘requests’, one of the most popular open source packages, they steal crypto wallet data, Discord tokens, cookies, and even Steam and Minecraft credentials from victims’ devices, potentially affecting millions of users.
The malicious packages imitate ‘requests’, one of the most popular open source packages; the only difference is in the name: ‘ultrarequests’ and ‘pyquest’ instead of the original. To trick victims into installing them, the attackers reused the description of the legitimate ‘requests’ package, including its download counts and user reviews, so that the fakes look established. The links in the description also lead to the real pages of the ‘requests’ package and to the email address of its author.
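The naming trick described above (a popular name with a prefix bolted on, or a name that differs by a few characters) is something a defender can screen for before `pip install` ever runs. The following is an added example, not code from the Kaspersky report or from any of the packages it describes: it normalizes dependency names as PyPI does, then flags any name that either contains an allowlisted popular package name or sits within a small edit distance of one. The allowlist and the sample `requirements.txt` are constructed for the demonstration; `reqeusts` and `colorama` are not mentioned on the page and are included only to show a transposition typo and a clean unrelated name.

```python
import re
from typing import Dict, Optional

# Constructed allowlist of well-known PyPI names. Assumption: in practice this
# comes from your organisation's approved-dependency inventory, not a literal.
POPULAR_PACKAGES = ["requests", "urllib3", "numpy", "flask"]


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of '-', '_', '.' equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(name: str, threshold: float = 0.6) -> Optional[str]:
    """Return the popular package that `name` most resembles, or None when the
    name is itself allowlisted or not close to any allowlisted name."""
    n = normalize(name)
    if n in POPULAR_PACKAGES:
        return None
    best, best_score = None, 0.0
    for popular in POPULAR_PACKAGES:
        if popular in n:
            # Prefix/suffix squat such as 'ultrarequests' wrapping 'requests'.
            score = 1.0
        else:
            # Normalised similarity: 1.0 identical, 0.0 nothing in common.
            score = 1 - levenshtein(n, popular) / max(len(n), len(popular))
        if score > best_score:
            best, best_score = popular, score
    return best if best_score >= threshold else None


def check_requirements(text: str) -> Dict[str, str]:
    """Map each suspicious requirement name to the package it imitates."""
    findings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option such as '-r other.txt'
        # The name ends at the first version specifier, extra, marker or space.
        name = re.split(r"[<>=!~\[;@\s]", line, 1)[0]
        hit = lookalike_of(name)
        if hit:
            findings[name] = hit
    return findings


# Constructed sample requirements file for the demonstration.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.28.1
ultrarequests
pyquest
numpy>=1.23
reqeusts
colorama
"""

if __name__ == "__main__":
    for name, target in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name!r} looks like a typosquat of {target!r}")
```

The containment rule catches ‘ultrarequests’ outright; ‘pyquest’ is caught only because its edit distance to ‘requests’ (3 on an 8-character name) just clears the 0.6 similarity threshold, which shows how thin the margin is for name heuristics alone. Treat a hit as a prompt for review of the package's real publisher and release history rather than as proof of malice, since legitimate namespaced packages (a ‘flask-’ extension, say) also contain a popular name.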
After several stages of script obfuscation, users receive a Trojan written in Python that its author, in the code, dubbed W4SP Stealer. The malware can save browser cookies and passwords, collect data from popular crypto wallets such as MetaMask, Atomic, and Exodus, and harvest Discord tokens and Steam and Minecraft credentials. With this data, attackers can quickly break into accounts, hijack them, and empty them.
All collected data is sent to the operator via a Discord webhook and presented in a custom interface format, where the attacker can quickly see the victim’s email, phone, IP, and billing information.
Even if the victim changes their email address, password, or billing information to protect themselves, the malware will keep collecting the changed information and sending it to the attackers through the Discord channel until it is completely removed from the device. The attackers also insert a special script into the code to achieve persistence on the infected device. However, they compiled the wrong code, so this mechanism does not work correctly and persistence is not achieved.
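Because the stealer reports through a Discord webhook, the exfiltration leaves a recognisable trace in egress logs: an HTTP POST to the Discord webhook API path from a host that is not running a Discord client or browser. The following detection is an added example, not code from the report or the malware: it scans constructed proxy log lines for POST requests to `discord.com` or `discordapp.com` webhook URLs and counts them per client. The log format, the client addresses and the user agents are assumptions for the demonstration, and `EXAMPLE_ID/EXAMPLE_TOKEN` is a placeholder, not a real webhook.

```python
import re
from typing import Dict, List

# Constructed proxy log lines. Assumed layout: "timestamp client METHOD url user-agent";
# adapt LINE_RE to your proxy's real format.
SAMPLE_PROXY_LOG = """\
2022-08-10T10:01:02Z 10.0.0.12 GET https://pypi.org/simple/requests/ pip/22.2
2022-08-10T10:01:09Z 10.0.0.12 POST https://discord.com/api/webhooks/EXAMPLE_ID/EXAMPLE_TOKEN python-requests/2.28.1
2022-08-10T10:02:30Z 10.0.0.15 GET https://discord.com/channels/@me Mozilla/5.0
2022-08-10T10:03:00Z 10.0.0.12 POST https://discordapp.com/api/webhooks/EXAMPLE_ID/EXAMPLE_TOKEN python-requests/2.28.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<ua>.*)$"
)
# Discord webhooks live under /api/webhooks/ on discord.com (and the older
# discordapp.com host); the id/token segments are not needed to match.
WEBHOOK_RE = re.compile(
    r"^https?://(?:[\w.-]*\.)?discord(?:app)?\.com/api/webhooks/", re.IGNORECASE
)


def find_webhook_posts(log: str) -> List[Dict[str, str]]:
    """Return every parsed log record that POSTs to a Discord webhook URL."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        rec = m.groupdict()
        if rec["method"] == "POST" and WEBHOOK_RE.match(rec["url"]):
            hits.append(rec)
    return hits


def clients_posting_to_webhooks(log: str) -> Dict[str, int]:
    """Count webhook POSTs per client so the noisiest hosts surface first."""
    counts: Dict[str, int] = {}
    for rec in find_webhook_posts(log):
        counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in find_webhook_posts(SAMPLE_PROXY_LOG):
        print(f"{rec['ts']} {rec['client']} -> webhook POST, UA={rec['ua']}")
    print(clients_posting_to_webhooks(SAMPLE_PROXY_LOG))
```

A single webhook POST is not proof of compromise, since teams do wire CI and chat notifications through Discord; the useful signal is the combination of a non-browser user agent such as `python-requests`, repeated POSTs from a developer workstation, and no legitimate integration on that host. Note that the GET to `discord.com/channels/@me` is correctly left alone.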
The malware also analyzes the browsing history and sends a list of website credentials whose URLs contain the keywords “mail”, “card”, “bank”, “buy”, and “sell”. Interestingly, the keyword list also contains several French words: “mot de passe” (password), “mdp” (short for “mot de passe”), “banque” (bank), and “compte” (account), suggesting that the attackers are likely targeting French-speaking users primarily.
“Programmers have long realized that it takes too long to write boilerplate code for each application and they created repositories, open platforms where any developer can share open source packages to speed up the development process. Their popularity and openness to uploading any package make them extremely vulnerable to cybercriminal attacks, as they could affect thousands of users in a single move. These types of attacks are not uncommon, for example, we recently discovered four malicious packages in the npm repository, hunting for Discord tokens and credit card information. Because of this, you can’t trust everything you download by default, even from reputable repositories,” says Leonid Bezvershenko, a security analyst at Kaspersky’s Global Research and Analysis Team.
“We have already reported these malicious packages to the PyPI security team and have added detections for this malware to our products, so users running our solutions will be able to identify if they have been infected and remove the malware,” adds Igor Kuznetsov, Chief Security Analyst at Kaspersky’s Global Research and Analysis Team. Learn more at www.kaspersky.com
Eddie is an Australian news reporter with over 9 years in the industry and has published on Forbes and TechCrunch.