Crypto Stealing PyPI Malware Hits Both Windows and Linux Users



Malicious Code Alert: PyPI Packages Used to Distribute Malware

FortiGuard Labs has uncovered a troubling recent trend: cybercriminals abusing the Python Package Index (PyPI), a popular open-source repository for Python software, by sneaking malware-laden packages into it and exposing unsuspecting users to serious risk.



Identifying the Culprit

Recently, the team at FortiGuard Labs identified a malware author referred to as “WS,” who has been responsible for uploading harmful packages to PyPI. The estimated number of victims could exceed 2000. Among the malicious packages identified are nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. Their attack techniques closely resemble those documented by Checkmarx in 2023.

How the Malware Works

These malicious packages contain base64-encoded Python scripts that execute according to the victim’s operating system. On Windows systems, the packages deploy the Whitesnake PE malware, while Linux users receive a Python script designed to exfiltrate their data.
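A defender-side triage check for the pattern just described (a base64 blob decoded and handed to exec(), with a branch on the victim's operating system). This is an added example, not FortiGuard's tooling or code from the packages; the sample module text is constructed and is only parsed, never executed.

```python
import ast
import base64

# Constructed sample of a trojanised module: a base64 blob decoded and exec()'d,
# with a branch on the victim's operating system (the pattern described above).
_INNER = base64.b64encode(b"print('stage two would run here')").decode()
SAMPLE_MODULE = f"""
import base64, platform
payload = "{_INNER}"
if platform.system() == "Windows":
    exec(base64.b64decode(payload))
else:
    exec(base64.b64decode(payload).decode())
"""

DECODERS = {"b64decode", "b32decode", "a85decode", "b85decode", "decodebytes"}
OS_PROBES = {("platform", "system"), ("sys", "platform"), ("os", "name")}

def _uses_decoder(node: ast.AST) -> bool:
    """True if any call beneath `node` is a base64-style decoder."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            f = sub.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")
            if name in DECODERS:
                return True
    return False

def triage(source: str) -> dict:
    """Parse `source` (never executed) and report the line numbers of
    exec()/eval() calls fed by a decoder, and of operating-system probes."""
    tree = ast.parse(source)
    exec_lines, probe_lines = [], []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in ("exec", "eval") and any(_uses_decoder(a) for a in node.args):
                exec_lines.append(node.lineno)
        elif isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            if (node.value.id, node.attr) in OS_PROBES:
                probe_lines.append(node.lineno)
    return {"exec_of_decoded": sorted(exec_lines), "os_probes": sorted(probe_lines)}

def is_suspicious(source: str) -> bool:
    """Flag a module that both decodes-and-executes and branches on the OS."""
    f = triage(source)
    return bool(f["exec_of_decoded"]) and bool(f["os_probes"])
```

Run `triage()` over each .py file in an unpacked sdist or wheel before installing; a hit on both counters is worth a manual read of the package.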

Innovative Data Transmission

Notably, the Python scripts use a new approach to exfiltrate stolen data. Instead of relying on a single URL, they send it to a range of IP addresses, so the data still reaches the attackers even when one server goes down.

Windows Users within the Crosshairs

The latest wave of packages primarily targets Windows users, a departure from earlier campaigns that targeted both Windows and Linux systems. The end goal is to extract sensitive data from victims.


The Whitesnake Payload

The Whitesnake PE payload is a Python-compiled executable built with the PyInstaller tool. It includes an incomplete script file named ‘main.pyc’ and another file called ‘addresses.py’. ‘main.pyc’ is covert code that copies itself into the Windows startup folder to autorun, scans logical drives, and monitors the number of running instances.



Moreover, it grabs clipboard contents and checks them against preset cryptocurrency address patterns, potentially replacing them with addresses from ‘addresses.py’, a trick to redirect cryptocurrency transactions to the attacker.
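A detection-side counterpart to the clipboard swap described above: given a recorded sequence of clipboard snapshots, flag a wallet address that changes to a different address of the same kind without a user copy event. This is an added example, not code from the article or the malware; the address patterns are simplified and the timeline is constructed rather than read from a live clipboard.

```python
import re

# Simplified wallet-address shapes (legacy/bech32 Bitcoin, hex Ethereum).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text: str):
    """Return 'btc' or 'eth' if `text` looks like a wallet address, else None."""
    t = text.strip()
    for kind, pat in ADDRESS_PATTERNS.items():
        if pat.match(t):
            return kind
    return None

def find_swaps(snapshots, max_gap_s: float = 2.0):
    """snapshots: list of (t_seconds, clipboard_text, user_copied), time-ordered.
    user_copied marks a genuine copy event (e.g. a Ctrl+C seen by a keyboard hook).
    A swap is an address replaced by a different address of the same kind with
    no user copy in between, within `max_gap_s` seconds of the previous sample."""
    swaps = []
    for (t0, a, _), (t1, b, copied) in zip(snapshots, snapshots[1:]):
        if copied or a == b:
            continue
        ka, kb = address_kind(a), address_kind(b)
        if ka and ka == kb and (t1 - t0) <= max_gap_s:
            swaps.append({"t": t1, "kind": ka, "original": a, "replacement": b})
    return swaps

# Constructed timeline: the user copies an ETH address, it is silently replaced
# 0.3 s later; later a BTC address is legitimately copied and stays unchanged.
USER_ETH = "0x" + "a1" * 20
SWAPPED_ETH = "0x" + "b2" * 20
USER_BTC = "1" + "A" * 30
SAMPLE_TIMELINE = [
    (0.0, "some text", True),
    (5.0, USER_ETH, True),
    (5.3, SWAPPED_ETH, False),
    (20.0, USER_BTC, True),
    (20.5, USER_BTC, False),
]
```

In a real monitor the snapshots would come from polling the clipboard a few times per second and the copy flag from an input hook; the pure function keeps the detection logic testable offline.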

Digging Deeper into the Payload

This payload, an encrypted .NET executable, opens an invisible window upon installation and adds itself to Windows Defender’s exclusion list. It sets up a scheduled task that runs hourly on the infected machine, connecting to a malicious IP via “socket.io” to harvest sensitive user information such as IP addresses and host credentials.

It also captures wallet and browser data and sends it to a suspicious IP as a multi-layer-encrypted .zip file, which the attackers then extract and exploit. Debugging has revealed strings showing data stolen from various devices, including those related to cryptocurrency services, apps, and browsers.

Stay Vigilant: A Community Responsibility

This research shows how a single cybercriminal can flood PyPI with multiple info-stealing packages, underscoring the importance of vigilance when dealing with open-source software.

FortiGuard Labs researchers remind us, “Information-stealing malware is an increasingly pertinent and pressing subject. Safeguarding against such persistent adversaries demands a strategic and forward-thinking approach to fortify your defenses.”


Image Credit: hackread.com
