Checkmarx cybersecurity researchers discovered over two dozen malicious packages on PyPI, a popular repository for Python developers, and published their findings in a new report (opens in new tab).
These malicious packages, which are designed to look almost identical to legitimate ones, attempt to dupe inexperienced developers into downloading and installing the wrong one, thereby spreading malware. The practice is known as typosquatting, and it is widely used by cybercriminals who target software developers.
The attackers use two distinct methods to conceal the malware: steganography and polymorphism. Steganography is the practice of concealing code within an image, allowing threat actors to spread malicious code via seemingly innocent.JPGs and.PNGs. Polymorphic malware, on the other hand, changes the payload with each installation, allowing it to avoid detection by antivirus software and other cybersecurity solutions.
These techniques were used by the attackers to deliver WASP, an infostealer capable of stealing people's Discord accounts, passwords, cryptocurrency wallet information, credit card data, and any other information on the victim's endpoint that the attacker deems interesting.
When the data is identified, it is returned to the attackers via a hard-coded Discord webhook address. The campaign appears to be a marketing ploy, as researchers discovered threat actors advertising the tool on the dark web for $20 and claiming that it is undetectable.
Furthermore, the researchers believe this is the same group that was behind a similar attack reported earlier this month by Phylum(opens in new tab) and Check Point researchers (opens in new tab). It was previously stated that a group known as Worok had been distributing DropBoxControl, a custom.NET C# infostealer that uses Dropbox file hosting for communication and data theft, since at least September 2022.
Worok, based on its toolkit, is thought to be the work of a cyberespionage group that operates quietly, moves laterally across target networks, and steals sensitive data. It also appears to be using its own, proprietary tools, as no one else has been observed using them.
