Checkmarx Monitors Malicious Python Info-Stealing Packages
Packages Downloaded Roughly 75,000 Times
A malicious campaign that has been running for roughly six months has drawn researchers' attention for its growing complexity and impact.
The campaign has targeted open-source platforms with hundreds of info-stealing packages, which together have been downloaded approximately 75,000 times.
Checkmarx's Supply Chain Security team, which has been monitoring the attack since April, reports that it has evolved significantly, with the attackers adding layers of obfuscation and detection-evasion techniques.
Sophisticated Attack Techniques
Checkmarx's Supply Chain Security team first noticed the pattern in the Python ecosystem in early April 2023. One specific example is the packages' "__init__.py" file, which checks whether it is running inside a virtualized environment and executes its payload only on a real target system. Because virtual machines are the usual malware-analysis hosts, refusing to run in one is a classic sandbox-evasion technique and is itself a strong indicator that a package is malicious.
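A practitioner reading this will want a way to triage a package's "__init__.py" before installing it. The following is an added example, not code from Checkmarx or from the campaign: a small static scanner that parses the file with Python's ast module and flags the kinds of behaviour described above (strings naming hypervisors, hardware-resource checks, decoder modules feeding exec/eval, and strings pointing at browser, wallet, Discord or clipboard data). The indicator lists and the sample "__init__.py" are constructed for the illustration and are assumptions, not indicators published for this campaign.

```python
"""Static triage of a package's __init__.py for sandbox-evasion and
info-stealer indicators. Indicator lists and SAMPLE_INIT are constructed
for this example; they are not taken from the campaign."""
import ast

# Assumed indicator lists (case-insensitive substring matches on string
# constants, plus import / call / attribute names found in the AST).
VM_STRINGS = ("virtualbox", "vmware", "qemu", "vbox", "hyper-v", "sandbox", "xen")
RESOURCE_CHECK_ATTRS = {"cpu_count", "virtual_memory", "getwindowsversion"}
DECODER_MODULES = {"base64", "zlib", "marshal", "lzma", "bz2"}
DYNAMIC_EXEC_FUNCS = {"exec", "eval", "compile"}
COLLECTION_STRINGS = {
    "clipboard": ("clipboard", "pyperclip"),
    "browser_data": ("login data", "cookies", "web data", "local state"),
    "wallets": ("atomic", "exodus"),
    "discord": ("discord", "leveldb"),
    "system_recon": ("tasklist", "wlan show profile"),
}

# Constructed sample of the behaviour described in the article: run the
# (omitted) payload only when the host does not look like an analysis VM.
SAMPLE_INIT = '''
import os, base64, zlib, subprocess

_BLOB = "<base64 blob omitted>"

def _looks_like_analysis_host():
    out = subprocess.run(["wmic", "bios", "get", "serialnumber"],
                         capture_output=True, text=True).stdout
    return "VirtualBox" in out or "VMware" in out or os.cpu_count() < 2

if not _looks_like_analysis_host():
    exec(zlib.decompress(base64.b64decode(_BLOB)))
'''


def _imported_modules(tree):
    mods = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module.split(".")[0])
    return mods


def _called_names(tree):
    # Only bare calls such as exec(...), not obj.method(...)
    return {n.func.id for n in ast.walk(tree)
            if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)}


def _attribute_names(tree):
    return {n.attr for n in ast.walk(tree) if isinstance(n, ast.Attribute)}


def _string_constants(tree):
    return [n.value.lower() for n in ast.walk(tree)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def scan_init_source(source):
    """Return {'parse_error': bool, 'findings': {category: [evidence, ...]}}."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # Unparseable source is itself worth a manual look (obfuscation, wrong Python version)
        return {"parse_error": True, "findings": {}}

    findings = {}
    strings = _string_constants(tree)

    vm_hits = sorted(s for s in VM_STRINGS if any(s in c for c in strings))
    if vm_hits:
        findings["vm_artifacts"] = vm_hits
    resource_hits = sorted(RESOURCE_CHECK_ATTRS & _attribute_names(tree))
    if resource_hits:
        findings["resource_checks"] = resource_hits
    decoders = sorted(DECODER_MODULES & _imported_modules(tree))
    if decoders:
        findings["decoder_modules"] = decoders
    dynamic = sorted(DYNAMIC_EXEC_FUNCS & _called_names(tree))
    if dynamic:
        findings["dynamic_exec"] = dynamic
    for category, needles in COLLECTION_STRINGS.items():
        hits = sorted(n for n in needles if any(n in c for c in strings))
        if hits:
            findings[category] = hits
    return {"parse_error": False, "findings": findings}


if __name__ == "__main__":
    for category, evidence in scan_init_source(SAMPLE_INIT)["findings"].items():
        print(f"{category}: {', '.join(evidence)}")
```

Run it over the "__init__.py" of an unpacked sdist or wheel before installing. Each finding on its own is weak (a test suite may legitimately mention VMware, and many packages import base64), so treat the output as a reason to read the file, not as a verdict; a decoder module feeding exec together with hypervisor strings is the combination worth stopping for. Strings hidden by further obfuscation will not be matched by a single static pass, which is why the scanner also reports exec/eval on decoded data.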
Data and Crypto Theft
Once the malicious package runs, it goes after several components of the infected system. The researchers identified the following targets:
Antivirus Tools: The malware aims to identify and disable any antivirus tools running on the infected device, increasing its chances of remaining undetected.
System Information: The malware extracts system information, including the task list and Wi-Fi passwords, allowing the attackers to gain further control over the compromised system.
Web Browsers: The malware harvests sensitive information stored in web browsers, including credentials, browsing history, cookies, and payment information.
Cryptocurrency Wallet Apps: The malware steals data from popular cryptocurrency wallet apps such as Atomic and Exodus, giving the attackers a path to the victims' digital assets.
Discord and Gaming Data: The attackers also target Discord badges, phone numbers, email addresses, nitro status, and gaming data from popular platforms like Minecraft and Roblox.
In addition to stealing data, the malware can take screenshots and access specific files from the compromised system, such as those stored in the Desktop, Pictures, Documents, Music, Videos, and Downloads directories. Furthermore, the malware constantly monitors the victim's clipboard for cryptocurrency addresses.
When it finds one, the malware replaces the legitimate address with an address the attackers control, so the payment is redirected to their wallet.
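The clipboard swap is easy to miss because the victim sees an address that looks like any other. As an added example (not code from Checkmarx or from the campaign), the block below simulates the swap the article describes and shows the check a defender can build against it: remember the address the user last copied and alert when a later clipboard read of the same address type returns something different. The address patterns, the attacker addresses and the clipboard history are constructed for this illustration, and the model that tags each observation as a user copy or a background poll is an assumption.

```python
"""Clipboard-hijack simulation and detection. Address patterns, attacker
addresses and the clipboard history are constructed for this example."""
import re

# Loose address shapes for illustration only. Real checks should also validate
# checksums (Base58Check for legacy BTC, bech32 for bc1..., EIP-55 for ETH).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{25,59}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def find_addresses(text):
    """Return [(kind, address), ...] for every address-like token in text."""
    found = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        found.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return found


def swap_addresses(text, attacker_addresses):
    """Simulate the hijack described above: every recognised address is replaced
    by the attacker's address of the same kind; other text is left untouched."""
    for kind, address in find_addresses(text):
        replacement = attacker_addresses.get(kind)
        if replacement and address != replacement:
            text = text.replace(address, replacement)
    return text


def detect_swaps(history):
    """history: ordered (source, content) observations of the clipboard, where
    source is 'user_copy' for a copy the user made and 'poll' for a later read
    (assumed model; a real monitor would use the clipboard owner or sequence
    number to tell the two apart). Returns one alert per poll whose address
    differs from the last user-copied address of the same kind."""
    alerts = []
    last_user = {}
    for source, content in history:
        seen = dict(find_addresses(content))  # kind -> address
        if source == "user_copy":
            last_user = seen
            continue
        for kind, address in seen.items():
            expected = last_user.get(kind)
            if expected is not None and address != expected:
                alerts.append({"kind": kind, "expected": expected, "observed": address})
    return alerts


# Constructed addresses: syntactically valid shapes, not real wallets.
USER_BTC = "1ConstructedAddrExampLeForTestUseX"
USER_ETH = "0x" + "1122" * 10
ATTACKER = {
    "btc_legacy": "1AttackerSwapAddressExampLeNoSpend",
    "eth": "0x" + "deadbeef" * 5,
}


def demo():
    """Play a short clipboard history through the swap and the detector."""
    history = [
        ("user_copy", "pay to " + USER_BTC),
        ("poll", swap_addresses("pay to " + USER_BTC, ATTACKER)),
        ("user_copy", USER_ETH),
        ("poll", swap_addresses(USER_ETH, ATTACKER)),
        ("user_copy", "no address here"),
        ("poll", "no address here"),
    ]
    return detect_swaps(history)


if __name__ == "__main__":
    for alert in demo():
        print(f"{alert['kind']}: expected {alert['expected']}, clipboard now {alert['observed']}")
```

The important property of the check is that it keys on the address the user actually copied rather than on a blocklist of attacker wallets, which the attackers can rotate at will. The pattern-based recogniser is deliberately loose; a production monitor should validate checksums so that ordinary hex or base58 strings do not trip it.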
Magnitude of the Attack
The researchers estimate that this campaign has resulted in a substantial amount of stolen information, directly impacting app users and system owners.
The exact scope and scale of the attack are yet to be determined, but the sheer number of downloads and the evolving sophistication of the malware raise concerns about the extent of the damage caused.
The increasing complexity of this campaign against open-source platforms is cause for concern: with approximately 75,000 downloads of the info-stealing packages, the attackers have demonstrated their ability to adapt and evolve their techniques.
Individuals and organizations must remain vigilant. Keeping antivirus tools updated remains necessary, but because this malware actively tries to disable them, endpoint protection alone is not sufficient; reviewing what a package's "__init__.py" does at import time before installing it, and staying informed about emerging threats, are essential complements.