The Perils of Using Open Source Components
Imagine you’re a developer working on the next big thing in crypto apps, using popular open-source components to speed up your coding. Unexpectedly, you find yourself including a package that not only does what you need but also steals cryptocurrency on any system it’s installed on. This disastrous outcome is brought to you by ‘crytic-compilers.’
Sonatype’s automated malware detection systems recently flagged a package named ‘crytic-compilers’ on PyPI. It closely mimics a legitimate Python library known to crypto developers for compiling smart contracts—digital agreements stored on the blockchain. This counterfeit package, tracked as sonatype-2024-1561, was identified on May 1, 2024. Before being removed from PyPI, it had already been downloaded 436 times.
Choose Your Components Wisely
The ‘crytic-compilers’ package is particularly cunning. It not only imitates the name of the legitimate ‘crytic-compile’ utility but also aligns its version numbers with the authentic library, which sees over 170,000 downloads every month. While the real library’s latest version is 0.3.7, ‘crytic-compilers’ starts at 0.3.8 and continues up to 0.3.11, suggesting it might be a newer version.
Some versions of the counterfeit library, like 0.3.9, even attempt to install the real ‘crytic-compile’ library to avoid arousing suspicion. The deception becomes more dangerous with version 0.3.11, which checks if the system is running Windows. If so, it executes a bundled file named ‘s.exe.’
External security researcher Dhanesh Dodia, who also encountered this fake package, notes that the similar naming conventions can easily confuse users. Given that the genuine ‘crytic-compile’ package has 141 GitHub stars and is a dependency for 465 repositories, it’s clear why it’s a target within the crypto development community.
Russia-Linked Lumma Windows Stealer Targets Crypto Wallets
Thankfully, the malicious ‘s.exe’ has been flagged by several antivirus engines. This malware, like other crypto stealers, employs stealth techniques to evade detection by researchers and malware sandboxes. It also drops suspicious executables and accesses Windows registry settings.
A significant aspect of this malicious executable is its connection to various domains and IP addresses:
- acceptabledcooeprs[.]shop – 104[.]21.59.156
- boredimperissvieos[.]shop – 172[.]67.186.30
- holicisticscrarws[.]shop – 172[.]67.183.72
- miniaturefinerninewjs[.]shop – 172[.]67.173.139
- obsceneclassyjuwks[.]shop – 104[.]21.20.88
- plaintediousidowsko[.]shop – 104[.]21.53.146
- sweetsquarediaslw[.]shop – 172[.]67.203.170
- zippyfinickysofwps[.]shop – 172[.]67.148.231
These domains are Indicators of Compromise (IOCs) linked to Lumma, also known as LummaC2 stealer. This command-and-control (C2) trojan hunts for browser passwords and crypto wallets, transmitting this sensitive information to cybercriminals. The domains have ‘/api’ endpoints, a common feature of Lumma-linked domains, are registered on Namecheap, and use Cloudflare’s DDoS protection. Additionally, geo-blocks prevent access from certain IP addresses.
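The domain and IP pairs listed above are the kind of indicator a security team feeds into its egress-proxy or DNS log review. The block below is an added example and not part of the original article: it keeps the indicators in the defanged `[.]` form used above, refangs them only at match time, and scans a constructed proxy log (timestamp, source host, destination IP, method, URL) for any hit on a listed domain, a subdomain of it, or a listed IP, noting separately whether the request went to the `/api` path the article associates with Lumma infrastructure. The log lines, hostnames and non-IOC addresses are constructed (documentation ranges) for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Indicators as published in the article, kept defanged so the constants
# are safe to copy around; refang() converts them only for comparison.
LUMMA_IOCS_DEFANGED = {
    "acceptabledcooeprs[.]shop": "104[.]21.59.156",
    "boredimperissvieos[.]shop": "172[.]67.186.30",
    "holicisticscrarws[.]shop": "172[.]67.183.72",
    "miniaturefinerninewjs[.]shop": "172[.]67.173.139",
    "obsceneclassyjuwks[.]shop": "104[.]21.20.88",
    "plaintediousidowsko[.]shop": "104[.]21.53.146",
    "sweetsquarediaslw[.]shop": "172[.]67.203.170",
    "zippyfinickysofwps[.]shop": "172[.]67.148.231",
}


def refang(value: str) -> str:
    """Turn 'example[.]shop' back into 'example.shop' for matching."""
    return value.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in LUMMA_IOCS_DEFANGED}
IOC_IPS = {refang(ip) for ip in LUMMA_IOCS_DEFANGED.values()}

# Constructed proxy log: <timestamp> <source host> <destination IP> <method> <url>.
# Non-IOC addresses use documentation ranges; the last line shows a listed domain
# resolving to a different address, which a domain match still catches.
SAMPLE_PROXY_LOG = """\
2024-05-02T09:14:05Z dev-ws-07 203.0.113.10 GET https://pypi.org/simple/crytic-compile/
2024-05-02T09:14:31Z dev-ws-07 172.67.186.30 POST https://boredimperissvieos.shop/api
2024-05-02T09:14:32Z dev-ws-07 104.21.20.88 POST https://obsceneclassyjuwks.shop/api
2024-05-02T09:15:10Z dev-ws-03 198.51.100.20 GET https://example.com/
2024-05-02T09:16:44Z dev-ws-11 192.0.2.45 GET https://cdn.zippyfinickysofwps.shop/favicon.ico
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def matches_ioc_domain(domain: str) -> bool:
    """True if the domain is a listed indicator or a subdomain of one."""
    return any(domain == ioc or domain.endswith("." + ioc) for ioc in IOC_DOMAINS)


def scan_proxy_log(text: str) -> list:
    """Return one alert dict per log line that touches a listed domain or IP."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash mid-scan
        ts, host, dst_ip, method, url = m.groups()
        parts = urlsplit(url)
        domain = (parts.hostname or "").lower()
        matched = []
        if matches_ioc_domain(domain):
            matched.append("domain")
        if dst_ip in IOC_IPS:
            matched.append("ip")
        if not matched:
            continue
        alerts.append({
            "timestamp": ts,
            "host": host,
            "method": method,
            "domain": domain,
            "dst_ip": dst_ip,
            "matched_on": "+".join(matched),
            # The article notes '/api' endpoints as a common trait of Lumma domains.
            "api_endpoint": parts.path.startswith("/api"),
        })
    return alerts


def affected_hosts(alerts: list) -> list:
    """Distinct source hosts that contacted listed infrastructure, for triage."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for a in found:
        print(f"{a['timestamp']} {a['host']} -> {a['domain']} ({a['dst_ip']}) "
              f"matched on {a['matched_on']}, /api={a['api_endpoint']}")
    print("hosts to triage:", affected_hosts(found))
```

On the constructed log this yields three alerts: two `POST` requests from `dev-ws-07` that match on both domain and IP and hit `/api`, and one from `dev-ws-11` that matches on domain only. Matching on domain as well as IP matters here because, as the article notes, these domains sit behind Cloudflare, so the address a host actually connects to can change while the domain stays the same.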
Lumma’s Diverse Distribution Approach
Written in C and circulating since August 2022, Lumma stealer is a Windows trojan targeting cryptocurrency wallets and browser extensions. It is available as a Malware-as-a-Service (MaaS) on Russian-speaking forums on the dark web, allegedly developed by a threat actor known as "Shamel."
Lumma has reemerged multiple times, using various distribution channels, such as trojanized bootleg apps, phishing emails targeting YouTube creators, and pirated games with cheats. Recently, threat actors have also employed drive-by downloads to distribute fake browser updates on compromised or illicit websites. These fake updates ultimately install Lumma stealer.
Sonatype’s discovery of ‘crytic-compilers’ highlights how seasoned cybercriminals are targeting Python developers by exploiting open-source repositories like PyPI to distribute their data theft tools.
Protecting Against Counterfeit Components
Users of Sonatype Repository Firewall are safeguarded against counterfeit components like ‘crytic-compilers,’ which would be blocked from entering their builds. Sonatype periodically updates its blocklists as more similar packages emerge and as investigations into such campaigns continue. If you’re not yet protected by Sonatype, consider reaching out to see Repository Firewall in action.
In conclusion, while open-source components can significantly accelerate development, they also pose risks if not chosen carefully. Developers must remain vigilant and employ robust security measures to protect their projects and users from malicious threats.