Fortinet has reported a new set of malicious PyPI packages authored by an account tagged “WS”. The author uploaded the malicious packages to the Python Package Index (PyPI), and the malware they carry is capable of stealing users' credentials and sensitive information.
The packages uploaded by the author “ws” include igpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends and TestLibs111.
According to Gaby Xiong of Fortinet:
“The identified packages exhibit attack methodologies similar to those outlined in a Checkmarx blog post published 4 months ago.”
Fortinet, a cybersecurity organisation, uncovered these packages using its proprietary AI-based OSS malware detection system, which it uses to hunt for and monitor malicious packages and other threats in the wild.
Analysis of the packages deployed by “ws” showed that the malware payload varied between packages. Users of Windows-based operating systems were the main targets, with the aim of stealing sensitive data from the infected victim.
The malware deployed was found to be the WhiteSnake stealer, which connects to a C2 (command-and-control) server belonging to the attacker; the same server also holds the exfiltrated data. Fortinet reported that over 2000 Windows users may have been infected by installing these packages.
On distributing the malware:
Looking at how the malware was distributed, the author appears to have planned this for months, as the Python packages were uploaded discreetly over a period of months. Analysis of each PyPI package uploaded by “ws” also shows that malware capable of stealing sensitive information from the victim's device was concealed in the various packages.
While patches and signatures were released, the malware author periodically published newer versions of these packages with updated payloads. The goal is to evade detection and widen the net of infected users.
Releasing more sophisticated versions of these packages to a wider range of users increased the reach of the malware and the amount of sensitive information stolen from unsuspecting victims. These victims are unaware that they have installed malware by pulling one of these packages from the PyPI repository.
Sensitive information stolen:
We dug further into the report to understand the attacker's goal and the sensitive information stolen. As with most information-stealing malware, data such as IP addresses, browser data and crypto wallet data were among the sensitive information stolen by the threat actor.
The key information stolen includes:
- Login credentials on users' devices, consisting of login information and passwords stored in the browser, and crypto wallet login credentials.
- The malware also had keylogger functionality, capturing the user's keyboard and mouse interactions.
- Information stolen from the infected user's browsers also includes browsing history and bookmarks, with the Chrome browser being the most impacted.
- Some variants of these malicious packages searched the victim's clipboard for patterns matching crypto wallet addresses, in order to steal the digital assets of those wallets.
Why Windows-based systems?
Earlier versions of the infected Python packages impacted both Windows and Linux; however, the most recently updated versions of the packages predominantly target Windows users.
This raises the question: why target Windows users? Given that Microsoft platforms are a major target of cyber-attacks, many of them successful, the attacker likely focused on Windows users for these reasons:
- The malware author would have found writing malware for Windows-based systems less demanding, and stealing sensitive information easier, than on Linux-based systems. Windows users also make up a far larger population than Linux users.
- The techniques used by the payload were designed to take advantage of weaknesses specific to Windows-based operating systems and to applications written for Windows users.
- By targeting Windows users, the malware author could potentially access a wide range of sensitive information, such as credit card details and login credentials stored by web browsers, wallets and other applications on Windows.
- The security limitations of Windows systems are another factor. Windows systems are generally regarded as less security-focused than Linux-based operating systems, potentially making initial infection and remaining undetected easier for the malware on Windows.
At Fixitgearware Security, we strongly advise users to exercise caution and to research a specific package before installing it, especially with programming languages like Python, whose package ecosystem is managed as an open source project.
In addition, users are advised to regularly update and patch their systems as soon as an update is available. Alternatively, users can make it a daily task to check for operating system updates. For more detailed code analysis of this malware, see the Fortinet blog.
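As an added example (not code from this post or from Fortinet), the following Python script audits a requirements file and the current environment against the package names listed above; it goes slightly beyond the list by applying PEP 503 name normalisation so that case and separator variants still match. The sample requirements content is constructed.

```python
"""Audit a requirements file and installed packages against the PyPI
package names attributed to "ws" in the Fortinet report quoted above.
Added example; not code from the post or from Fortinet."""
import re
from importlib.metadata import distributions

# Package names listed in the post, treated as a block list.
BLOCKLIST = {"igpal", "figflix", "telerer", "seGMM", "fbdebug", "sGMM",
             "myGens", "NewGends", "TestLibs111"}

def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

NORMALIZED_BLOCKLIST = {normalize(n) for n in BLOCKLIST}

# A requirement line starts with the project name; extras, version specifiers
# and environment markers follow and are ignored here.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def parse_requirement_name(line: str):
    """Normalised project name from a requirements.txt line, or None for
    blank lines, comments and pip options such as '-r other.txt'."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-"):
        return None
    m = _REQ_RE.match(stripped)
    return normalize(m.group(1)) if m else None

def audit_requirements(text: str) -> list:
    """Names in a requirements file that match the block list, in file order."""
    hits = []
    for line in text.splitlines():
        name = parse_requirement_name(line)
        if name in NORMALIZED_BLOCKLIST:
            hits.append(name)
    return hits

def audit_installed() -> list:
    """Names installed in the current environment that match the block list."""
    names = {normalize(d.metadata.get("Name") or "") for d in distributions()}
    return sorted(names & NORMALIZED_BLOCKLIST)

# Constructed sample requirements file for demonstration.
SAMPLE_REQUIREMENTS = """\
requests>=2.31  # fine
Telerer==1.0.2
segmm[extra]; python_version >= "3.8"
-r base.txt
numpy
"""

if __name__ == "__main__":
    print("requirements hits:", audit_requirements(SAMPLE_REQUIREMENTS))
    print("installed hits:", audit_installed())
```

Run it in the environment you intend to deploy from; any name printed under "installed hits" should be removed and the machine treated as compromised until checked.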
Remember to always stay safe and be vigilant 🛡️!
Share your thoughts on this in the comment section below.