In a further sign that cybercriminals are always looking for new ways to trick users into downloading malware, it has emerged that the question-and-answer (Q&A) platform Stack Exchange has been abused to steer unsuspecting developers towards fake Python packages capable of draining their cryptocurrency wallets.
Fake Python Packages: Here’s What We Know About Them
“Upon installation [of the fake Python packages] this code would automatically execute, initiating a series of events designed to compromise and control the victim’s systems, even exfiltrating their data and draining their cryptocurrency wallets,” Checkmarx researchers Yehuda Gelb and Tzachi Zornstain said in a report.
The campaign, which began on June 25, 2024, specifically targeted cryptocurrency users involved with Raydium and Solana. The fraudulent packages discovered as part of the activity are listed below:
The packages have been collectively downloaded 2,082 times and are no longer available for download from the Python Package Index (PyPI) repository.
How this malware works
The malware hidden in the Python package acted as a full-featured information stealer, collecting a wide range of data: web browser passwords, cookies and credit card details, cryptocurrency wallets, and data belonging to messaging apps such as Telegram, Signal, and Session.
It also came with features to capture screenshots and to search the file system for files containing GitHub recovery codes and BitLocker keys. The collected information was then compressed and exfiltrated to two different Telegram bots operated by the attackers.
Separately, a backdoor component in the malware granted the attacker persistent remote access to victims’ machines, enabling potential future exploits and long-term compromises.
The attack chain spanned multiple stages: the “raydium” package, the one developers were told to install, listed “spl-types” as a dependency and pulled the malicious code in through it. Keeping the payload out of the package the victim explicitly installs is an attempt to hide the malicious behavior and give users the impression that the package is legitimate.
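The two tricks described above, code that runs at `pip install` time and a payload hidden behind a declared dependency, can both be surfaced by statically triaging a source distribution’s setup.py before installing it. The following is an added example written for this article, not code from Checkmarx or from the packages involved: it parses setup.py with Python’s `ast` module, lists the declared `install_requires` (so a pivot such as “raydium” → “spl-types” is visible), flags a custom `cmdclass` (the usual way to hook the install step), and reports calls to functions that decode, fetch or execute content. The sample setup.py, including the package names “example-sdk” and “example-types”, is constructed for illustration and does not reproduce the real packages’ code.

```python
"""Static triage of a PyPI source distribution's setup.py.

Added example: not Checkmarx's or the attackers' code.  The sample
setup.py at the bottom is constructed for illustration only.
"""
import ast

# Calls that deserve a second look when reachable from setup.py, because
# setup.py is executed by pip when installing a source distribution.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "os.system", "os.popen",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output",
    "urllib.request.urlopen", "requests.get", "requests.post",
    "base64.b64decode", "zlib.decompress",
}

SETUP_FUNCS = ("setup", "setuptools.setup")


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _setup_calls(tree):
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _dotted_name(node.func) in SETUP_FUNCS:
            yield node


def find_install_requires(tree):
    """Declared dependencies: where a hidden second-stage package would appear."""
    deps = []
    for call in _setup_calls(tree):
        for kw in call.keywords:
            if kw.arg == "install_requires" and isinstance(kw.value, (ast.List, ast.Tuple)):
                deps.extend(e.value for e in kw.value.elts
                            if isinstance(e, ast.Constant) and isinstance(e.value, str))
    return deps


def has_custom_cmdclass(tree):
    """True if setup() overrides cmdclass, e.g. to run code on `pip install`."""
    return any(kw.arg == "cmdclass" for call in _setup_calls(tree) for kw in call.keywords)


def find_suspicious_calls(tree):
    """(lineno, dotted name) for every call whose target is in SUSPICIOUS_CALLS."""
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                hits.append((node.lineno, name))
    return sorted(hits)


def triage_setup_py(source):
    """Parse setup.py text and return the three indicators as a dict."""
    tree = ast.parse(source)
    return {
        "install_requires": find_install_requires(tree),
        "custom_cmdclass": has_custom_cmdclass(tree),
        "suspicious_calls": find_suspicious_calls(tree),
    }


# Constructed sample (hypothetical names): a package that declares a second
# package as a dependency and runs a decoded payload during installation.
SAMPLE_SETUP_PY = '''
import base64, subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        payload = base64.b64decode("cHJpbnQoJ2hpJyk=")  # decodes to print('hi')
        subprocess.run(["python", "-c", payload.decode()])

setup(
    name="example-sdk",
    version="0.1.0",
    install_requires=["solana", "example-types"],
    cmdclass={"install": PostInstall},
)
'''

if __name__ == "__main__":
    for key, value in triage_setup_py(SAMPLE_SETUP_PY).items():
        print(f"{key}: {value}")
```

Run it against a downloaded sdist (`pip download --no-deps --no-binary :all: <pkg>`, then read the extracted setup.py) rather than against an installed package; the point is to look before `pip install` executes the file. The scanner is deliberately simple and name-based, so a string that is obfuscated or imported under an alias will not match; a hit is a reason to read the file, not a verdict, and a clean result is not proof of safety.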
The Curious Side of This Fake Python Package
A notable aspect of the campaign is the use of Stack Exchange as a distribution vector: the attacker posted seemingly helpful answers that recommended the package in question in reply to developer questions about running swap transactions on Raydium from Python.
“By choosing a thread with high visibility — garnering thousands of views — the attacker maximized his reach potential,” the researchers said, adding that it was done to “give credibility to this package and ensure its wide adoption.”
While the answer no longer exists on Stack Exchange, security researchers have found references to “raydium” in another, unanswered question posted on the Q&A site on July 9, 2024: “I have been struggling for nights to get a swap on the Solana network working in Python 3.10.2; installed solana, solders and Raydium but I can’t get it to work,” one user wrote.
References to “raydium-sdk” also appear in a post titled “How to Buy and Sell Tokens on Raydium using Python: A Step-by-Step Solana Guide,” shared by a user named SolanaScribe on the publishing platform Medium on June 29, 2024.
It is currently unclear when the packages were removed from PyPI, as two other users responded to the Medium post as recently as six days ago asking the author for help installing “raydium-sdk”. Checkmarx said the post was not the work of the cybercriminal responsible for the fake Python packages.
This is not the first time cybercriminals have used this distribution method: in May, Sonatype revealed how a package called pytoileur was promoted via another Q&A service, Stack Overflow, to facilitate cryptocurrency theft.
If nothing else, the development is evidence that attackers are exploiting the trust developers place in these community-driven platforms to spread malware, and that a single poisoned recommendation can turn into a supply chain attack.
“A single compromised developer can inadvertently introduce vulnerabilities into an organization’s entire software ecosystem, potentially impacting the entire corporate network,” the researchers said. “This attack serves as a wake-up call for individuals and organizations to review their security strategies.”
The development comes as Fortinet FortiGuard Labs detailed a malicious PyPI package called zlibxjson that contained functionality to steal sensitive information, such as Discord tokens, cookies stored by Google Chrome, Mozilla Firefox, Brave, and Opera, and passwords saved in those browsers. The library attracted a total of 602 downloads before being removed from PyPI.
“These actions can lead to unauthorized access to user accounts and exfiltration of personal data, clearly classifying the software as malicious,” said security researcher Jenna Wang.