Researchers have observed an increasing complexity in the scope of a malicious campaign, which has exposed hundreds of info-stealing packages to open-source platforms over the past half-year, with approximately 75,000 downloads being recorded.
Checkmarx's Supply Chain Security team has been monitoring the campaign since it started at the beginning of April. Analysts discovered 272 packages with code intended to steal confidential information from systems that have been targeted by this campaign.
There has been a significant evolution of the attack since it was first identified. The authors of the packages have started integrating increasingly sophisticated obfuscation layers and detection-evading techniques to attempt to prevent detection.
The concept of an info stealer has evolved from humble beginnings over time to become a powerful info stealer capable of stealing information associated with everyone.
Crypto and Data Theft
As the researchers point out, "the Python ecosystem started showing a pattern of behaviour in early April 2023." For example, the “_init_py” file was found to load only when it was confirmed that it was running on a target system rather than in a virtualized environment. This is the usual sign of a malware analysis host, according to the researchers.
This malware will check for the presence of an antivirus on the compromised endpoint, search for task lists, Wi-Fi passwords, system information, credentials, browsing history, cookies, and payment information saved in your browser as well as cryptocurrency data from wallet apps, Discord badges, phone numbers, email addresses, Minecraft data, and Roblox data. As you can see, the malware checks for these things as well. Additionally, it will also take screenshots of any data that is considered to be of importance and upload it directly.
Aside from that, the malware causes the compromised system to take screenshots and steal individual files such as those in the Desktop, Pictures, Documents, Music, Videos, and Downloads directories to spread to other systems.
In addition, the malware monitors constantly the victim's clipboard for cryptocurrency addresses, and it swaps the addresses with the attacker's address to divert the payment to wallets controlled by the attacker.
Approximately $100,000 worth of cryptocurrency is estimated to have been directly stolen by this campaign, according to the analysts.
An Analysis of The Attack's Evolution
There was no doubt that the malicious codes and files from this campaign were found in April packages, since the malicious code was plain text, as reported by the researchers.
The researchers also noticed that a multilayered anti-obfuscation had been added to two of the packages by the authors in May to hinder analysis of the packages.
However, in August, a researcher noted that many packages now have multi-layer encryption.
There are currently at least 70 layers of obfuscation used by two of the most recent packages tested by Checkmarx's researcher Yahuda Gelb, as noted in a separate report.
There was also an announcement that the malware developers planned to develop a feature that could disable antivirus software, added Telegram to the list of targeted applications, and introduced a fallback mechanism for data exfiltration during August.
There are still many risk factors associated with supply chain attacks, according to the researchers, and threat actors are uploading malicious packages to widely used repositories and version control systems daily, such as GitHub, or package repositories such as PyPi and NPM, as well as to widely used package repositories such as GitHub.
To protect their privacy, users should carefully scrutinize their trustworthiness as well as be vigilant against typosquatting package names in projects and packages that they trust.
