Rewterz Threat Alert – Discovery of BlazeStealer Malware Within Python Packages on PyPI – Active IOCs

Severity

High

Analysis Summary

A couple of malicious Python packages are targeting developer machines in order to steal sensitive data by utilizing the Python Package Index (PyPI). The packages pretend to be harmless obfuscation tools, but in reality, they carry a malware dubbed as BlazeStealer.

On 8^th November, the researchers warned that BlazeStealer is a dangerous malware capable of performing a number of malicious activities, like stealing passwords, exfiltrating data, launching keyloggers, executing host commands, and encrypting files. Since developers who engage in code obfuscation work with sensitive information, it becomes even more dangerous as the threat actors see them as valuable targets.

The latest campaign started around January 2023, and it utilizes eight packages called Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood. The last package was published recently in October. These come with setup.py and init.py files designed to fetch a Python script that is hosted on a remote server and gets executed immediately after installation.

“It retrieves an additional malicious script from an external source, enabling a Discord bot that gives attackers complete control over the victim’s computer,” said the security researchers.

It is also able to make the infected system unusable by turning up CPU usage, forcing a blue screen of death (BSoD) error, and inserting a Windows Batch script in the startup directory to shut down the computer.

The majority of the malicious packages being downloaded are in the U.S., Russia, China, Ireland, Croatia, Hong Kong, Spain, and France. A total number of 2,438 downloads were done before the packages were taken down.

The development comes when a security firm discovered a whole collection of crypto-themed npm modules with stealthy capabilities of delivering a next-stage malware. These modules are: puma-com, erc20-testenv, blockledger, cryptotransact, and chainflow.

Within the last few years, open-source repositories have become a widely-used way for attackers to distribute malware. Over 13,700 malicious packages have been discovered across various ecosystems that were used to execute suspicious code during installation.

Impact

• Sensitive Data Theft
• File Encryption
• Financial Loss

Indicators of Compromise

MD5

• https://transfer.sh/get/wDK3Q8WOA9/start.py
• http://91.206.178.125/files/npm.mov

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Regularly review the dependencies of your open-source projects and consider using package-lock files or version pinning to ensure that you’re using trusted and verified packages.
• Use automated security scanning tools to analyze dependencies for known vulnerabilities or suspicious code.
• Provide training to developers and team members on secure coding practices, the risks of third-party dependencies, and the importance of code reviews.
• Implement access control measures on your code repositories to restrict who can contribute or make changes to the codebase.
• Maintain regular backups of your critical data to ensure data recovery in case of a security incident.
• Use antivirus and intrusion detection systems to help identify and block malicious activity.
• Implement network segmentation to limit the spread of malware or malicious activities within your network.
• Enforce strong password management practices for your systems and accounts.
• Implement MFA wherever possible to add an extra layer of security.