This Information Stealer Has a Vicious Sting for Python Developers


Checkmarx cybersecurity researchers discovered more than two dozen malicious packages on PyPI, a popular repository for Python developers, and published their findings in a new report.

These malicious packages, whose names are designed to look almost identical to those of legitimate packages, attempt to trick unsuspecting developers into downloading and installing the wrong one, thereby distributing malware.

This practice is known as typosquatting and is very popular among cybercriminals who target software developers.
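A defender-side check for the typosquatting described above, added here as an example and not code from the Checkmarx report: it normalizes package names the way PyPI does (PEP 503) and flags requested names that are within a small edit distance of a known popular package without matching it exactly. The popular-package list and the sample requirements are constructed for illustration.

```python
import re
from typing import Iterable

# Constructed allow-list; in practice feed this from the top-N most-downloaded PyPI projects.
POPULAR_PACKAGES = ["requests", "urllib3", "colorama", "pillow", "numpy",
                    "beautifulsoup4", "cryptography"]


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance, so a swapped
    pair of letters such as 'reqeusts' vs 'requests' counts as one edit."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[n][m]


def flag_typosquats(requested: Iterable[str], popular=POPULAR_PACKAGES, max_distance: int = 2) -> dict:
    """Return {requested_name: closest_popular_name} for every requested name that is
    close to, but not exactly, a known popular package. Exact matches are not flagged."""
    norm_popular = {normalize(p): p for p in popular}
    findings = {}
    for name in requested:
        n = normalize(name)
        if n in norm_popular:
            continue
        best = min(norm_popular, key=lambda p: edit_distance(n, p))
        if edit_distance(n, best) <= max_distance:
            findings[name] = norm_popular[best]
    return findings


if __name__ == "__main__":
    # Constructed sample of names as they might appear in a requirements file.
    sample = ["requests", "requets", "colorama", "colorrama", "numpy", "flask"]
    for bad, good in flag_typosquats(sample).items():
        print(f"suspicious: {bad!r} closely resembles {good!r}")
```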

Infostealer heists

To hide the malware, the attackers combine two techniques: steganography and polymorphism.

Steganography is the practice of hiding code within an image, allowing hackers to spread malicious code via seemingly innocent .JPG and .PNG files.

Polymorphic malware, on the other hand, changes the payload with each installation, successfully evading antivirus programs and other cybersecurity solutions.

Here, the attackers used these techniques to deliver WASP, an information stealer capable of taking over Discord accounts and harvesting passwords, cryptocurrency wallet information, credit card data, and any other information on the victim's machine that it considered interesting.

Once collected, the data is sent back to the attackers via a hard-coded Discord webhook address.

The campaign appears to be a marketing gimmick, as researchers have apparently caught threat actors advertising the tool on the dark web for €20 and claiming it is undetectable.

In addition, the researchers believe this is the same group that was behind a similar attack first reported earlier this month by researchers at Phylum and Check Point. At the time, a group called Worok was said to have been distributing DropBoxControl, a custom .NET C# information stealer that abuses Dropbox file hosting for communication and data theft, since at least September 2022.

Given its toolset, researchers believe that Worok is a cyber espionage group that works quietly, likes to move laterally within target networks and steals sensitive data. It also appears to use its own proprietary tools, as the researchers have not observed anyone else using them.

Via: The Register