This infostealer has a vicious sting for Python developers

Petya nagscreen
(Image credit: Wikipedia)

Cybersecurity researchers from Checkmarx have discovered more than two dozen malicious packages on PyPI, a popular repository for Python developers, and released their findings in a new report

These malicious packages, designed to look almost identical to legitimate ones, try to trick reckless developers into downloading and installing the wrong one, thus distributing malware. 

The practice is known as typosquatting and it’s quite popular among cybercriminals that attack software developers.

Infostealer thefts

To hide the malware, the attackers are using two unique approaches: steganography, and polymorphism. 

Steganography is the practice of hiding code inside an image, which allows threat actors to distribute malicious code through seemingly innocent .JPGs and .PNGs. 

Polymorphic malware, on the other hand, changes the payload with every install, thus successfully avoiding antivirus programs and other cybersecurity solutions.

Here, the attackers used these techniques to deliver WASP, an infostealer capable of grabbing people’s Discord accounts, passwords, cryptocurrency wallet information, credit card data, as well as any other information on the victim’s endpoint deems interesting. 

Once identified, the data is sent back to the attackers via a hard-coded Discord webhook address. 

The campaign seems to be a marketing stunt, as apparently the researchers spotted the threat actors advertising the tool on the dark web for $20 and claiming that it's undetectable. 

Furthermore, the researchers believe this to be the same group that was behind a similar attack that was first reported earlier this month by researchers at Phylum and Check Point. Back then, it was said that a group dubbed Worok was distributing DropBoxControl, a custom .NET C# infostealer that abuses Dropbox file hosting for communication and data theft, since at least September 2022. 

Given its toolkit, the researchers believe Worok to be the work of a cyberespionage group that works quietly, likes to move laterally across target networks, and steal sensitive data. It also seems to be using its own, proprietary tools, as the researchers haven’t observed them being used by anyone else. 

Via: The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
The Python banner logo on a computer screen running a code editor.
More malicious Python packages are on the loose, experts warn
A white padlock on a dark digital background.
Developers targeted by malicious Microsoft VSCode extensions
An abstract image of digital security.
Hundreds of GitHub repositories hijacked to trick users into downloading malware
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
North Korean flag with a hooded hacker
North Korean hackers are posing as software development recruiters to target freelancers
Image depicting a hand on a scanner
New Lazarus Group campaign sees North Korean hackers spreading undetectable malware through GitHub and open source packages
Latest in Security
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
ransomware avast
One of the most powerful ransomware hacks around has been cracked using some serious GPU power
person at a computer
Infamous ransomware hackers reveal new tool to brute-force VPNs
person at a computer
Many workers are overconfident at spotting phishing attacks
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Data Breach
Thousands of healthcare records exposed online, including private patient information
Latest in News
Panos Panay and Alexa Plus
Amazon's Panos Panay teases future Alexa+ devices from speakers to possible wearables
Metroid Prime 4
I reckon the Nintendo Switch 2 could launch with Metroid Prime 4 – here’s why
Samsung Galaxy Z Fold 6
New rumors predict a foldable iPhone will launch next year – and cost almost twice as much as the iPhone 16 Pro Max
Pebble smartwatch countdown
Pebble confirms its smartwatch announcement is just hours away
Logo of YouTube Shorts
Is YouTube auto-playing Shorts when you open the app? Well, you’re not alone - here’s how to fix it
Google DeepMind panel discussion
“More sovereignty and protection” - Google goes all-in on UK AI with data residency, upskilling projects, and startup investments