Hundreds of malicious Python packages found stealing sensitive data
<blockquote data-quote="Jakesu" data-source="post: 34" data-attributes="member: 7"><p>A malicious campaign that researchers observed growing more complex over the past half year has been planting hundreds of info-stealing packages on open-source platforms, which counted about 75,000 downloads.</p>
<p>The campaign has been monitored since early April by analysts at Checkmarx's Supply Chain Security team, who discovered 272 packages with code for stealing sensitive data from targeted systems.</p>
<p>The attack has evolved significantly since it was first identified, with the package authors implementing increasingly sophisticated obfuscation layers and detection-evasion techniques.</p>
<p><strong>Data and crypto theft</strong></p>
<p>The researchers say that they started seeing a pattern "within the Python ecosystem starting from early April 2023."</p>
<p>One example provided is the “__init__.py” file, which loads only after checking that it is running on a target system and not in a virtualized environment, a typical sign of a malware analysis host.</p>
<p><img src="https://www.bleepstatic.com/images/news/u/1220909/2023/PyPI/12/check-vm.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><table style='width: 100%'><tr><td>Checking for virtualization (Checkmarx)</td></tr></table>
<p>Once it launches, it targets the following information on the infected systems:</p>
<ul> <li data-xf-list-type="ul">Antivirus tools running on the device.</li> <li data-xf-list-type="ul">Task list, Wi-Fi passwords, and system information.</li> <li data-xf-list-type="ul">Credentials, browsing history, cookies, and payment information stored in web browsers.</li> <li data-xf-list-type="ul">Data in cryptocurrency wallet apps like Atomic and Exodus.</li> <li data-xf-list-type="ul">Discord badges, phone numbers, email addresses, and Nitro status.</li> <li data-xf-list-type="ul">Minecraft and Roblox user data.</li> </ul>
<p>Additionally, the malware can take screenshots and steal individual files from the compromised system, such as those in the Desktop, Pictures, Documents, Music, Videos, and Downloads directories.</p>
<p>The victim’s clipboard is also monitored constantly for cryptocurrency addresses, and the malware swaps them with the attacker’s address to divert payments to wallets under their control.</p>
<p><img src="https://www.bleepstatic.com/images/news/u/1220909/2023/PyPI/12/clipper-function.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><table style='width: 100%'><tr><td>The clipper function (Checkmarx)</td></tr></table>
<p>The analysts estimate that the campaign has directly stolen approximately $100,000 in cryptocurrency.</p>
<p><strong>App manipulation</strong></p>
<p>Checkmarx reports that the malware used in this campaign goes a step further than typical info-stealing operations, engaging in app data manipulation to deliver a more decisive blow.</p>
<p>For example, the Electron archive of the Exodus cryptocurrency wallet management app is replaced to alter core files, enabling the attackers to bypass the Content-Security-Policy and exfiltrate data.</p>
<p><img src="https://www.bleepstatic.com/images/news/u/1220909/2023/PyPI/12/exodus-manipulation.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>On Discord, if certain settings are enabled, the malware injects JavaScript code that executes when the client restarts.</p>
<p>The malware also employs a PowerShell script in an elevated terminal to manipulate the Windows “hosts” file so that security products running on the breached device cannot contact their servers.</p>
<p><strong>Evolution of the attack</strong></p>
<p>According to the researchers, the malicious code in this campaign's packages from April was clearly visible, as it was plain text.</p>
<p>In May, though, the authors of the packages started adding encryption to hinder analysis. In August, the researchers noticed that multi-layer obfuscation had been added to the packages.</p>
<p><img src="https://www.bleepstatic.com/images/news/u/1220909/2023/PyPI/12/obfuscation.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><table style='width: 100%'><tr><td>Base64 obfuscation in the code (Checkmarx)</td></tr></table>
<p>In a separate report by Checkmarx researcher Yehuda Gelb, it was mentioned that two of the most recent packages used no fewer than 70 layers of obfuscation.</p>
<p>Also in August, the malware developers included the capability to turn off antivirus products, added Telegram to the list of targeted apps, and introduced a fallback data exfiltration system.</p>
<p><img src="https://www.bleepstatic.com/images/news/u/1220909/2023/PyPI/12/evolution.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><table style='width: 100%'><tr><td>Evolution of the malware (Checkmarx)</td></tr></table>
<p>The researchers warn that open-source communities and developer ecosystems continue to be susceptible to supply chain attacks, and that threat actors upload malicious packages to widely used repositories and version control systems, such as GitHub, or package registries like PyPI and npm, daily.</p>
<p>Users are advised to scrutinize the projects and package publishers they trust and to be vigilant about typosquatted package names.</p></blockquote>
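The post mentions that the stealer edits the Windows hosts file from an elevated PowerShell so that security products cannot reach their servers. A quick way to check a machine for that kind of tampering is to parse the hosts file and flag watched domains pointed at a loopback or null address. The script below is an added example written for this page, not Checkmarx's code or anything from the campaign; the watchlist and the sample hosts content are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of a hosts file after tampering (not a real capture).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
192.168.1.10    fileserver.corp.local
0.0.0.0 virustotal.com
0.0.0.0 www.virustotal.com
127.0.0.1 avast.com
127.0.0.1 update.example-av.com
"""

# Hypothetical watchlist of vendor/analysis domains; extend it for your own estate.
WATCHLIST = {"virustotal.com", "avast.com", "kaspersky.com",
             "malwarebytes.com", "microsoft.com"}

# Addresses an attacker uses to blackhole a name in the hosts file.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Default location on Windows; the malware needs admin rights to write it.
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (ip, hostname) pairs for every active (non-comment) entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # canonical form
        except ValueError:
            continue                               # not a valid hosts line
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def is_watched(host):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def find_sinkholed(text):
    """Entries that redirect a watched domain to a sinkhole/loopback address."""
    return [(ip, host) for ip, host in parse_hosts(text)
            if ip in SINKHOLE_ADDRS and is_watched(host)]


def audit_file(path=WINDOWS_HOSTS):
    """Read a hosts file from disk and return the suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_sinkholed(f.read())


if __name__ == "__main__":
    for ip, host in find_sinkholed(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {ip}")
```

A hit here is strong evidence of tampering but not proof of this specific family; compare the file against a known-good baseline and check who last wrote it, since the post notes the script runs elevated.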
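The post describes packages wrapped in many layers of base64 obfuscation, up to 70 in the latest samples. When triaging such a package you want to peel the layers statically rather than run them. The example below is added for this page and is not the campaign's code or Checkmarx's tooling: `wrap()` builds a constructed look-alike payload (the alternating zlib layer is an assumption added so the peeler handles both encodings), and `peel()` unwraps nested `exec(base64.b64decode(...))` stages by decoding only, never executing.

```python
import base64
import re
import zlib

# Constructed innermost stage, an inert stand-in for a real first stage.
INNER = 'C2 = "https://c2.example.invalid/upload"  # constructed placeholder, not a real IOC\n'


def wrap(source, layers):
    """Build a nested exec() payload resembling the layered obfuscation in the post.
    Even layers use base64 only; odd layers add zlib (an assumption for variety)."""
    code = source
    for i in range(layers):
        raw = code.encode()
        if i % 2:
            blob = base64.b64encode(zlib.compress(raw)).decode()
            code = f'import base64,zlib\nexec(zlib.decompress(base64.b64decode("{blob}")))\n'
        else:
            blob = base64.b64encode(raw).decode()
            code = f'import base64\nexec(base64.b64decode("{blob}"))\n'
    return code


# Matches exec(base64.b64decode("...")) with an optional zlib.decompress( wrapper.
LAYER_RE = re.compile(
    r'exec\((zlib\.decompress\()?base64\.b64decode\(b?["\']([A-Za-z0-9+/=]+)["\']\)'
)


def peel(code, max_layers=200):
    """Statically unwrap nested exec(base64[/zlib]) layers without executing anything.
    Returns (final_source, layers_peeled); stops at the first layer it cannot decode."""
    for n in range(max_layers):
        m = LAYER_RE.search(code)
        if not m:
            return code, n
        data = base64.b64decode(m.group(2), validate=True)
        if m.group(1):                      # zlib wrapper present
            data = zlib.decompress(data)
        code = data.decode("utf-8", errors="replace")
    raise RuntimeError("gave up after max_layers; payload may be self-referential")


if __name__ == "__main__":
    sample = wrap(INNER, 70)
    final, n = peel(sample)
    print(f"peeled {n} layers; final stage:\n{final}")
```

Real samples vary the wrapping (reversed strings, XOR loops, `marshal` blobs), so the regex only covers the pattern shown on the page; whatever it cannot match is returned as-is for manual review, which is the safe failure mode for an analyst.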