Rewterz Threat Alert – Malicious Campaign Distributing Hundreds of Info-Stealing Python Packages – Active IOCs

Severity

High

Analysis Summary

Cybersecurity researchers have been monitoring a malicious campaign that has grown significantly over the past six months in which threat actors distributed hundreds of malicious packages on open-source platforms, having up to 75,000 downloads.

This campaign has been observed since early April and researchers discovered 272 packages of malicious code used to steal sensitive information from the victims. The threat has evolved a lot since the time it was first identified, and the threat actors have implemented many sophisticated techniques to evade detection.

A particular pattern has been noticed within the Python ecosystem since early April 2023, like the “_init_py” file loading only after it checks whether its on a virtual system or not, which is a common sign of malware presence. After the initialization, it starts harvesting information from the host, including antivirus software running on the system, credentials, browsing history, cookies, tasks list, Wi-Fi passwords, system information, etc.

The malware is also capable of taking screenshots and steal individual files from directories like Desktop, Pictures, Music, Documents, Downloads and Videos. It also has a clipping feature and can continuously monitor the compromised system’s clipboard for cryptocurrency addresses, which it replaces with the hacker’s address to direct the payments into their own wallets. The campaign has successfully stolen about $100,000 in cryptocurrency so far.

The researchers report that the malware has evolved from typical info-stealing operations to manipulating app data, like the archive of Exodus cryptocurrency wallet management app being replaced to change the main files, which then enables the hackers to easily bypass security and exfiltrate data.

The campaign has evolved significantly over the months, before the malicious code was clearly visible in April since it was plain text. However, in May, the authors added encryption to make analysis difficult. Later in August, they added multilayer obfuscation to the packages as well as the ability to turn off antivirus software.

The cybersecurity experts have issued a warning to the open-source communities and developers that they are the continuous target of these campaigns as threat actors daily upload malicious packages on repositories like GitHub. Users are highly recommended to download from trusted sources.

“The inherent low risk and simplicity of initiating such attacks ensure that existing attackers will persist in their activities, while new entrants will also commence experimenting and launching similar attacks.”, they conclude.

They also share the list of the malicious packages used in the campaign

Impact

• Sensitive Data Theft
• Credential Theft
• Financial Loss
• Cryptocurrency Theft

Indicators of Compromise

URL

• https://bananasquad.ru/downloadhandler
• https://bananasquad.ru/app.asar
• https://discord.com/api/webhooks/827123456789012345/getn1gga
• https://bananasquad.ru/handler
• https://paste.bingner.com/paste/fhvyp/raw
• https://kekwltd.ru/relay/bluescreen
• https://kekwltd.ru/relay/download

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Regularly review the dependencies of your open-source projects and consider using package-lock files or version pinning to ensure that you’re using trusted and verified packages.
• Use automated security scanning tools to analyze dependencies for known vulnerabilities or suspicious code.
• Provide training to developers and team members on secure coding practices, the risks of third-party dependencies, and the importance of code reviews.
• Implement access control measures on your code repositories to restrict who can contribute or make changes to the codebase.
• Maintain regular backups of your critical data to ensure data recovery in case of a security incident.
• Use antivirus and intrusion detection systems to help identify and block malicious activity.
• Implement network segmentation to limit the spread of malware or malicious activities within your network.
• Enforce strong password management practices for your systems and accounts.
• Implement MFA wherever possible to add an extra layer of security.