FortiGuard Labs’ latest research report reveals a concerning trend: threat actors are leveraging the Python Package Index (PyPI), an open repository for Python-developed software packages, to upload malware-infected packages. This exploitation of PyPI’s infrastructure poses significant risks to users.
FortiGuard Labs team recently identified a PyPI malware author, “WS,” uploading malicious packages to PyPI, estimating over 2000 potential victims. The identified packages, including nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111, show attack methodologies that resemble the attacks identified by Checkmarx in 2023.
These packages contain base64-encoded Python scripts, which are executed depending on the victim’s operating system. The packages deploy Whitesnake PE malware on Windows devices or a Python script to steal information from Linux devices.
What’s interesting in this scheme is that Python scripts are using a new method to transmit stolen data, using a range of IP addresses as the destination instead of a single fixed URL. This helps ensure successful data transmission even when one server fails.
Recently identified packages primarily target Windows users, whereas previous ones targeted both Linux and Windows users. The objective is to exfiltrate sensitive information from victims.
The Whitesnake PE payload is a Python-compiled executable created using the PyInstaller tool, displaying an incomplete script file ‘main.pyc’ and another file ‘addresses.py.’ This is rather suspicious. ‘Main.pyc’ is clandestine code that copies itself to the Windows startup folder for autorun, probes logical drives, and monitors the count of running instances.
It also retrieves clipboard contents and compares them against predefined cryptocurrency address patterns, prompting it to overwrite the clipboard with corresponding addresses from ‘addresses.py’, potentially deceiving victims into directing cryptocurrency transactions to an unexpected destination.
The payload, an encrypted.NET executable launches an invisible window right after its installation and adds itself to Windows Defender‘s exclusion list. It then creates a scheduled task to run every hour on the compromised device. The task connects a malicious IP to a client using “socket.io” and collects sensitive user data, including IP address and host credentials.
The payload captures wallet and browser data and sends it to a suspicious IP address via a remote server as a.zip file with multiple encryption layers, which the attacker extracts and exfiltrates. Debugging revealed strings that indicated information stolen from a wide range of devices, such as cryptocurrency services, applications, and browsers.
The research reveals how easily a single malware author can distribute multiple info-stealing packages into the PyPI library, highlighting the need for vigilance when using open-source packages.
“Information-stealing malware is an increasingly pertinent and pressing subject. Safeguarding against such persistent adversaries demands a strategic and forward-thinking approach to fortify your defences,” FortiGuard Labs researchers concluded.
- Luna Grabber Malware Hits Roblox Devs Through npm Packages
- 6 official Python repositories plagued with cryptomining malware
- GitHub Abused to Spread Malicious Packages on PyPI in Image Files
- NPM Typosquatting Attack Deploys r77 Rootkit via Legitimate Package
- FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing Data