The libraries were discovered by software supply chain security firm Phylum, which said the ongoing activity is a continuation of a campaign that was first made public in November 2022.
In an initial finding, it was discovered that popular packages including beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana, and tensorflow were being mimicked via typosquatting.
For each of these packages, the threat actors publish between 13 and 38 typosquatted variants, covering a wide range of likely mistypes that could lead to the download of a malicious package.
In order to evade detection, the malicious actors deployed a new obfuscation tactic that was not used in the November 2022 wave: random 16-bit combinations of Chinese ideographs serve as function and variable identifiers.
Researchers at Phylum emphasized that the code relies on built-in Python functions and a series of arithmetic operations to generate its strings. So even though the obfuscation produces a visually striking result, it is not especially difficult to unravel.
"While this obfuscation is interesting and builds up extremely complex and highly obfuscated looking code, from a dynamic standpoint, this is trivial [...] Python is an interpreted language, and the code must run. We simply have to evaluate these instances, and it reveals exactly what the code is doing," reads a Phylum report.
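As an added illustration of the analyst-side point Phylum makes (this is not Phylum's code or tooling), the script below recovers the strings from a constructed sample written in the described style: CJK ideograph identifiers and string literals assembled from chr() calls over integer arithmetic. Rather than executing the sample, it constant-folds the AST and renames the non-ASCII identifiers, so the recovered strings can be read without ever running untrusted code. The sample, its identifier names and the strings it builds are all constructed for this example.

```python
"""Static unfolding of arithmetic-built strings in obfuscated Python (added example).

Nothing from the sample is executed: the AST is constant-folded (integer
arithmetic, chr(), ''.join() of string constants) and re-printed.
"""
import ast
from typing import Dict, List

# Constructed sample imitating the described obfuscation style. The identifiers
# are arbitrary ideographs; the strings decode to '%AppData%' and 'Extension'.
SAMPLE = '''
def 日月(火水):
    木 = chr(60 + 9) + chr(15 * 8) + chr(232 // 2) + chr(101) + chr(55 * 2) + chr(230 // 2) + chr(105) + chr(111) + chr(110)
    金 = "".join([chr(37), chr(65), chr(112), chr(112), chr(68), chr(97), chr(116), chr(97), chr(37)])
    return 金 + chr(92) + 木
'''

# Only side-effect-free integer operators are folded.
ALLOWED_BINOPS = {
    ast.Add: lambda a, b: a + b,
    ast.Sub: lambda a, b: a - b,
    ast.Mult: lambda a, b: a * b,
    ast.FloorDiv: lambda a, b: a // b,
    ast.Mod: lambda a, b: a % b,
    ast.BitXor: lambda a, b: a ^ b,
}


class Unfolder(ast.NodeTransformer):
    """Fold constant expressions and rename non-ASCII identifiers to ident_N."""

    def __init__(self) -> None:
        self.renames: Dict[str, str] = {}

    def _rename(self, name: str) -> str:
        if name.isascii():
            return name
        return self.renames.setdefault(name, f"ident_{len(self.renames)}")

    def visit_Name(self, node: ast.Name) -> ast.AST:
        node.id = self._rename(node.id)
        return node

    def visit_arg(self, node: ast.arg) -> ast.AST:
        node.arg = self._rename(node.arg)
        return node

    def visit_FunctionDef(self, node: ast.FunctionDef) -> ast.AST:
        node.name = self._rename(node.name)
        return self.generic_visit(node)

    def visit_BinOp(self, node: ast.BinOp) -> ast.AST:
        self.generic_visit(node)  # fold children first (left-associative chains)
        left, right = node.left, node.right
        if not (isinstance(left, ast.Constant) and isinstance(right, ast.Constant)):
            return node
        a, b, fn = left.value, right.value, ALLOWED_BINOPS.get(type(node.op))
        if fn is not None and type(a) is int and type(b) is int:
            try:
                return ast.copy_location(ast.Constant(fn(a, b)), node)
            except (ZeroDivisionError, OverflowError):
                return node
        if isinstance(node.op, ast.Add) and type(a) is str and type(b) is str:
            return ast.copy_location(ast.Constant(a + b), node)
        return node

    def visit_Call(self, node: ast.Call) -> ast.AST:
        self.generic_visit(node)
        func = node.func
        # chr(<int constant>) -> the character itself
        if (isinstance(func, ast.Name) and func.id == "chr" and len(node.args) == 1
                and not node.keywords and isinstance(node.args[0], ast.Constant)):
            value = node.args[0].value
            if type(value) is int and 0 <= value <= 0x10FFFF:
                return ast.copy_location(ast.Constant(chr(value)), node)
        # "<sep>".join([<str constants>]) -> the joined string
        if (isinstance(func, ast.Attribute) and func.attr == "join"
                and isinstance(func.value, ast.Constant) and type(func.value.value) is str
                and len(node.args) == 1 and isinstance(node.args[0], (ast.List, ast.Tuple))):
            elts = node.args[0].elts
            if all(isinstance(e, ast.Constant) and type(e.value) is str for e in elts):
                joined = func.value.value.join(e.value for e in elts)
                return ast.copy_location(ast.Constant(joined), node)
        return node


def unfold(source: str) -> str:
    """Return readable source with strings folded and identifiers renamed."""
    tree = Unfolder().visit(ast.parse(source))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)


def recovered_strings(source: str) -> List[str]:
    """All non-empty string constants visible after folding."""
    tree = ast.parse(unfold(source))
    return sorted({n.value for n in ast.walk(tree)
                   if isinstance(n, ast.Constant) and type(n.value) is str and n.value})


if __name__ == "__main__":
    print(unfold(SAMPLE))
    print(recovered_strings(SAMPLE))
```

Where the real sample shadows chr or builds strings from runtime values the folder will leave that node alone, which is the point: anything it cannot decide statically stays visible for the analyst instead of being executed.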
To take control of cryptocurrency transactions, the malicious PyPI packages create a malicious Chromium browser extension in the '%AppData%\Extension' folder, similar to the November 2022 attacks.
It then looks for Windows shortcuts pertaining to Google Chrome, Microsoft Edge, Brave, and Opera, followed by hijacking them to load the malevolent browser extension using the '--load-extension' command line argument.
For example, a Google Chrome shortcut would be hijacked to "C:\Program Files\Google\Chrome\Application\chrome.exe --load-extension=%AppData%\\Extension".
After the web browser is launched, the extension loads and its malicious JavaScript monitors the Windows clipboard for cryptocurrency addresses. When one is found, the extension swaps it for one of a hardcoded list of addresses controlled by the threat actor. Any cryptocurrency transaction that is then sent goes to the threat actor's wallet rather than the intended recipient.
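The shortcut hijack described above leaves a durable artifact that is easy to audit: a browser shortcut whose target carries a --load-extension argument. The script below is an added example (not Phylum's code) that checks resolved shortcut targets for that flag and reports which browser would sideload which path. The three shortcut targets are constructed; on a live Windows host the equivalent strings come from each .lnk file's TargetPath and Arguments properties (for instance via the WScript.Shell CreateShortcut COM object), which is an assumption about how the caller gathers input.

```python
"""Flag browser shortcuts that sideload an extension via --load-extension (added example)."""
import re
from pathlib import PureWindowsPath

# Chromium-based browser executables named in the report (Chrome, Edge, Brave, Opera).
BROWSER_EXES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

# Constructed shortcut targets: one hijacked, two benign.
SHORTCUTS = {
    "Google Chrome.lnk": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=%AppData%\Extension',
    "Microsoft Edge.lnk": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
    "Brave.lnk": r'"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"',
}

# Executable (quoted or bare) followed by the rest of the command line.
TARGET_RE = re.compile(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)', re.DOTALL)
# --load-extension accepts a comma-separated list, optionally quoted as a whole.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S*))', re.IGNORECASE)


def split_target(cmd: str):
    """Return (executable path, argument string) for a shortcut target line."""
    m = TARGET_RE.match(cmd)
    exe = (m.group(1) or m.group(2) or "") if m else ""
    args = m.group(3) if m else ""
    return exe, args


def sideloaded_paths(args: str):
    """Every path passed to --load-extension, in order of appearance."""
    paths = []
    for m in LOAD_EXT_RE.finditer(args):
        value = m.group(1) if m.group(1) is not None else m.group(2)
        paths.extend(p for p in value.split(",") if p)
    return paths


def audit_shortcuts(shortcuts):
    """Report browser shortcuts whose target sideloads one or more extensions."""
    findings = []
    for name, cmd in shortcuts.items():
        exe, args = split_target(cmd)
        exe_name = PureWindowsPath(exe).name
        if exe_name.lower() not in BROWSER_EXES:
            continue  # not a browser launcher; out of scope for this check
        paths = sideloaded_paths(args)
        if paths:
            findings.append({"shortcut": name, "browser": exe_name, "extensions": paths})
    return findings


if __name__ == "__main__":
    for finding in audit_shortcuts(SHORTCUTS):
        print(f"{finding['shortcut']}: {finding['browser']} sideloads {finding['extensions']}")
```

Any hit is worth a look, since legitimately installed extensions do not need the flag; a path under a user-writable location such as %AppData% is the pattern the report describes.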
By including cryptocurrency addresses for Bitcoin, Ethereum, TRON, Binance Chain, Litecoin, Ripple, Dash, Bitcoin Cash, and Cosmos in this new campaign, the threat actor has increased the number of wallets that are supported.
These findings illustrate the ever-emerging supply chain threats that developers face, with threat actors turning to methods like typosquatting to trick users into installing fraudulent packages.
There's no end to the cookie pop-up trouble. Wherever you go on the web, the screen is hijacked by huge billboard-sized pop-ups asking whether it's okay for the site to track you online. Our reply is always a confident "NO."
Still, you have to click the "decline" button every time, and most of the time it's buried under complicated jargon. Fortunately, there is a browser extension on every platform that restricts and declines cookie consent pop-ups without you having to do it manually.
The simplest way to get rid of irritating cookie prompts is to automate your response to the consent pop-up. On both computer and phone, you can install third-party extensions and apps that automatically tell sites to respect your right to privacy whenever a data collection pop-up appears. Here's how you can do that.
If you're using Google Chrome, Safari, Firefox, or any other Chromium-based browser like Brave and Microsoft Edge, your best bet against cookie pop-ups is an extension named "Consent-O-Matic."
Many pop-up blocker extensions just prevent the website from displaying a cookie prompt. That can break a page's layout, and although the GDPR requires explicit permission, websites that never receive a consent response tend to keep tracking the user as they please. Consent-O-Matic makes sure the website knows you are not OK with any form of tracking.
What makes "Consent-O-Matic" different from the many alternatives is how it handles cookie consent prompts. The right-to-privacy pop-ups ask you to select which types of information you don't want to share.
There are various toggles controlling whether the website can track your clicks, the ads you see or interact with, the personal data you enter voluntarily, cookies, and so on. Unless you switch these off one by one, the site may still track you even after you press the decline button.
Consent-O-Matic saves you the trouble of going through all of these. It automatically toggles off every data collection option, cookies included, in a "right to privacy" pop-up.
Another good thing about Consent-O-Matic is that it's open-source and made by experts at Aarhus University in Denmark. That means it has no hidden motive to track you or secretly record your data.
A hacking group believed to operate from North Korea is loading harmful browser extensions into Edge and Chrome. The extension tries to steal email data from open AOL and Gmail sessions and replaces browser preference files.
Volexity experts found the malicious extension, known as SHARPEXT, which Kimsuky (aka SharpTongue) has been using for almost a year. The group deploys the extension after the initial compromise in order to maintain its presence.
"SharpTongue's toolset is well documented in public sources; the most recent English-language post covering this toolset was published by Huntress in 2021. The list of tools and techniques described in that post is consistent with what Volexity has commonly seen for years. However, in September 2021, Volexity began observing an interesting, undocumented malware family used by SharpTongue," reports Volexity.
Unlike other harmful browser extensions, SHARPEXT isn't made for stealing user credentials. Instead, the extension steals information from the victims' e-mail inboxes.
The hackers deploy the extension manually via a VBS script once the initial breach of the victim system has been accomplished.
To install SHARPEXT, the hackers replace the Preferences and Secure Preferences files of the targeted Chromium-based browser, which is generally regarded as a difficult task to pull off.
• To replace the Secure Preferences file, the hackers obtain some details from the browser and generate a new file that takes effect on browser start-up.
• After that, the attackers use a secondary script to hide some of the extension's features and any windows that might surface and alert the user to suspicious activity.
• Lastly, the extension uses a pair of listeners for a particular type of activity in the browser tabs. The installation is then tailored to each respective target.
Volexity says "the purpose of the tabs listeners is to change the window title of the active tab in order to add the keyword used by dev.ps1, the PowerShell script described previously. The code appends the keyword to the existing title ("05101190" or "Tab+", depending on the version). The keyword is removed when DevTools is enabled on the tab."
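Because SHARPEXT is registered by rewriting the browser's Secure Preferences file rather than by a store install, reviewing that file's extension inventory is a natural defensive check. The script below is an added example, not Volexity's tooling, and rests on two assumptions about Chromium's layout: installed extensions are recorded under the JSON path extensions.settings.<id>, and Web Store installs carry a path relative to the profile's Extensions folder plus a from_webstore flag, whereas extensions loaded from disk carry an absolute path. The JSON, extension IDs, names and paths are constructed to exercise both cases; the permission names checked (clipboardRead, clipboardWrite, <all_urls>, tabs, webRequest) are real Chromium permission identifiers.

```python
"""Review the extension inventory in a Chromium Secure Preferences file (added example)."""
import json
import re
from typing import Dict, List

# Constructed excerpt of a Secure Preferences file: one store install, one
# extension loaded from a user-writable directory (the SHARPEXT pattern).
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.4.2_0",
            "from_webstore": True,
            "manifest": {"name": "Store Extension", "permissions": ["storage"]},
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "path": "C:\\Users\\victim\\AppData\\Roaming\\Extension",
            "from_webstore": False,
            "manifest": {"name": "Updater",
                         "permissions": ["clipboardRead", "clipboardWrite", "tabs"],
                         "host_permissions": ["<all_urls>"]},
        },
    }}
})

# Drive-letter or UNC path: an extension loaded from outside the profile folder.
ABSOLUTE_WIN_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\)")
# Permissions that deserve a second look on an extension of unknown origin.
WATCH_PERMISSIONS = {"clipboardRead", "clipboardWrite", "<all_urls>", "tabs", "webRequest"}


def review_extensions(secure_prefs_text: str) -> List[Dict]:
    """Return one finding per extension that was not installed from the Web Store
    or is loaded from an absolute path, with any notable permissions it holds."""
    prefs = json.loads(secure_prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        path = entry.get("path", "")
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        reasons = []
        if ABSOLUTE_WIN_PATH.match(path):
            reasons.append("loaded from an absolute path outside the profile")
        if entry.get("from_webstore") is False:
            reasons.append("not installed from the Chrome Web Store")
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "path": path,
                "reasons": reasons,
                "notable_permissions": sorted(perms & WATCH_PERMISSIONS),
            })
    return findings


if __name__ == "__main__":
    for f in review_extensions(SAMPLE_SECURE_PREFS):
        print(f"{f['id']} ({f['name']}): {'; '.join(f['reasons'])}; "
              f"permissions of note: {f['notable_permissions']}")
```

Run it against a copy of the file taken from the profile directory while the browser is closed; since the report notes the attackers regenerate Secure Preferences on start-up, comparing the inventory across reboots is more telling than a single snapshot.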
Google Chrome has blocked HTTP, HTTPS, and FTP access to TCP (Transmission Control Protocol) port 10080 to prevent the port from being abused in NAT Slipstreaming 2.0 attacks. In 2020, security researcher Samy Kamkar revealed a new variant of the NAT Slipstreaming vulnerability that lets scripts on malicious websites bypass a user's NAT firewall and reach any TCP/UDP port on the victim's internal network. By exploiting these vulnerabilities, attackers can mount a variety of attacks, including modifying router configurations and accessing private network services.
Luan Herrera, a security researcher active in vulnerability reporting, detailed another way to carry out a side-channel attack variant known as XS-Leak, abusing redirect hops to trigger a cross-site leak condition. Herrera's research centers on the XS-Leaks family of side-channel attacks, which abuse a browser to extract potentially sensitive data about the exposed system, including administrator credentials. XS-Leak attack techniques rely on measuring network response time to gather information about site visitors, abusing the communication channels that let sites interact with one another in order to rebuild a user's or system's profile.