Electronic security Researchers from Checkmarx have discovered more than two dozen malicious packages on PyPI, a popular repository for Python developers, and have released their findings in a new package. Report (Opens in a new tab).
These malicious packages, designed to look almost identical to legitimate packages, attempt to trick reckless developers into downloading and installing the wrong package, thus distributing malware.
This practice is known as typo appropriation and is very common among cyber criminals who attack software developers.
Thefts
To hide malware, attackers use two unique methods: steganography and polymorphism.
Steganography is the practice of hiding code inside an image, which allows threat actors to distribute malicious code through apparently innocent JPGs and .PNGs.
On the other hand, polymorphic malware changes its payload with each installation, thus successfully sidestepping antivirus software and other cybersecurity solutions.
Here, the attackers used these methods to introduce WASP, an information maker capable of taking over people disagreement Accounts, passwords, cryptocurrency wallet information, credit card data, and any other information about the victim End point Considered interesting.
Once identified, the data is sent back to the attackers via an encrypted Discord webhook address.
The campaign appears to be a marketing ploy, as researchers have apparently caught threatening actors advertising the tool on the dark web for $20 and claiming to be undetectable.
Moreover, researchers believe that this is the same group that was behind a similar attack that was first reported earlier this month by researchers at div (Opens in a new tab) And the check point (Opens in a new tab). At the time, a group codenamed Worok was said to have been distributing DropBoxControl, a custom .NET C# infostealer that abuses Dropbox file hosting for communication and data theft, since at least September 2022.
Because of its range of tools, researchers believe Worok is the work of a quietly operating cyberespionage group, who like to move laterally through target networks, stealing sensitive data. It also appears to use its own tools, as the researchers have not observed it being used by anyone else.
Across: log (Opens in a new tab)