
Info Stealer Identified in a PyPI Package

 

GitHub user duxinglin1 has identified three PyPI packages, 'keep', 'pyanxdns', and 'api-res-py', that pull in a malicious dependency named 'request'.

Last month, duxinglin1 found the vulnerable versions declaring the misspelled 'request' dependency rather than the authentic 'requests' library. CVEs assigned to the affected versions include:

• CVE-2022-30877 - 'keep' version 1.2 contains the backdoor 'request'
• CVE-2022-30882 - 'pyanxdns' version 0.2 impacted
• CVE-2022-31313 - 'api-res-py' version 0.1 impacted

According to duxinglin1, the risk from the 'keep' package is considerable because it averages over 8,000 downloads per week, whereas 'pyanxdns' and 'api-res-py' are small-scale projects with far fewer users.

Two years back in 2020, Tencent Onion Anti-Intrusion System unearthed a malicious typosquat 'request' uploaded to the PyPI registry which copied the requests HTTP library but surprisingly dropped malicious info-stealers. 

"We found a malicious backdoor in version 1.2 of this project, and its malicious backdoor is the request package. Even if the request package was removed by PyPI, many mirror sites did not completely delete this package, so it could still be installed," duxinglin1 explained. The backdoor inside the counterfeit 'request' includes a base64-encoded URL pointing to a file named 'check.so'.

The file 'check.so' carries a Remote Access Trojan (RAT), while 'x.pyx' contains data-theft malware that exfiltrates cookies and private data from web browsers such as Chrome, Firefox, Yandex, Brave, and others. Attackers holding the stolen credentials can then attempt to take over other accounts used by the developer, potentially leading to further supply-chain attacks.

Bleeping Computer contacted the developers of each of these packages to determine whether this was due to a simple typographical error or to hijacked maintainer accounts. The author of 'pyanxdns', Marky Egebäck, confirmed it was the result of a typographical error rather than an account compromise.

Additionally, it appears that the developers of the other two packages also introduced 'request' rather than the legitimate 'requests' due to an innocent typing error. 

"Sorry to say by a simple typo in the setup.py file since git history shows that this was added when the install requires was added by me. This was [an] honest mistake based on a typo in the setup.py. I generally don’t publish things on PyPI but I made this quickly for a friend and myself. Not sure if he has promoted this but the purpose was mainly for personal use in [an] internal docker project," stated Egebäck.
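An added example (not from the article or from duxinglin1): a small check that flags declared dependencies which are not in a known-package set but sit within one edit of a well-known name, which would have caught 'request' in place of 'requests' in an install_requires list. The known-package set and the sample requirements are constructed for this example.

```python
import re

# Constructed allowlist of well-known names (assumption: a real deployment
# would use a curated list or a PyPI download-count feed instead).
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "flask", "django", "pyyaml", "six"}

# Captures the distribution name at the start of a requirement specifier,
# stopping before version operators, extras or environment markers.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    # PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    # Classic Levenshtein distance via dynamic programming
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_requirements(requirements, known=KNOWN_PACKAGES, max_dist=1):
    """Return (declared_name, lookalike_known_name) pairs for requirements that
    are not in the known set but are within max_dist edits of a known name."""
    findings = []
    known_norm = {normalize(k) for k in known}
    for line in requirements:
        m = REQ_RE.match(line)
        if not m:
            continue
        name = normalize(m.group(1))
        if name in known_norm:
            continue  # exact match with a known package, nothing to flag
        for candidate in sorted(known_norm):
            if edit_distance(name, candidate) <= max_dist:
                findings.append((m.group(1), candidate))
                break
    return findings


# Constructed install_requires list modelled on the typo described above.
SAMPLE_REQUIRES = ["request>=2.0", "six", "pyyaml==6.0", "colorama"]
```

Running `suspicious_requirements(SAMPLE_REQUIRES)` reports the single pair `("request", "requests")`, which is exactly the kind of one-character slip a release check should refuse to publish.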

Telegram is Selling the Eternity Malware Kit, Which Offers Malicious Services 

 

Cybercriminals have recently used Telegram to offer malware and other dangerous tools as services. Researchers have discovered a deadly new malware subscription plan which can be used to facilitate a wide range of attacks. 

The "Eternity Project," a modular malware kit, has capabilities that allow buyers to steal passwords and credit card information, launch ransomware attacks and infiltrate victims with cryptomining software. Each component of the malware toolkit, such as an information stealer, a coin miner, a clipper, ransomware software, a worm spreader, and, finally, a DDoS (distributed denial of service) bot, can be purchased separately. 

The creators share updates, usage instructions, and feature proposals on a private Telegram channel with over 500 members. Buyers can apparently use the channel's Telegram bot to assemble the binary automatically after choosing the desired feature set and paying the equivalent amount in cryptocurrency. The most expensive module is priced at $490 per year. The info-stealer, which costs $260 per year, steals passwords, credit cards, bookmarks, tokens, cookies, and autofill data from over twenty different web browsers.

The malware's versatility is also highlighted through a deep-dive investigation of the infostealer module. Researchers claim that this single tool may gather data from a wide range of apps, including web browsers and cryptocurrency wallets, as well as VPN clients, messaging apps, and more. 

The miner module is $90 a year and includes features such as task manager invisibility, auto-restart once killed, and startup launch persistence. The clipper is a $110 application that scans the clipboard for cryptocurrency wallet addresses and replaces them with addresses controlled by the kit's operator. The Eternity Worm is available for $390 from the developer, and it can propagate itself using USB drives, LAN shares, local files, cloud drives, Python projects, Discord accounts, and Telegram accounts.

The authors say it is FUD (fully undetectable), a claim supported by VirusTotal data showing zero detections for the strain. Surprisingly, the ransomware module offers an option to set a timer after which the files are rendered entirely unrecoverable, adding to the pressure on the victim to pay the ransom as soon as possible.

Despite the wide range of threats posed by Eternity Project malware, Cyble says there are a few precautions users can take. Maintaining regular data backups, keeping software up to date, and avoiding untrustworthy websites and unexpected email attachments are the recommended best practices.

Researchers Warn of Fake Windows 11 Upgrade Containing Info Stealing Malware

 

Cybercriminals are tricking users into installing a fake Windows 11 upgrade that includes malware that steals data from web browsers and crypto-wallets. The malicious campaign that is still running operates by poisoning search results to drive traffic to a website impersonating Microsoft’s Windows 11 advertising page and offering the information stealer. 

According to CloudSEK threat researchers who analyzed the malware and published a technical report, malicious actors are focusing on people who rush to install Windows 11 without first learning that the OS must satisfy specific requirements. 

The rogue website advertising the false Windows 11 has official Microsoft logos, favicons, and a “Download Now” button. It looks legitimate at first glance, but the URL reveals the site as fraudulent. If visitors access the malicious website directly (download is not possible via TOR or VPN), they will receive an ISO file containing the executable for new information-stealing malware. 

The CloudSEK researchers named the new malware 'Inno Stealer' because it uses the Inno Setup Windows installer. The researchers said that Inno Stealer shares no code with other currently circulating info-stealers. Once active, the malware plants a pair of files that disable various Windows security measures, including registry-based ones, and removes software from the anti-virus vendors Emsisoft and ESET.

Inno Stealer’s capabilities are typical for this kind of malware, including the ability to collect web browser cookies and passwords, data from cryptocurrency wallets, and data from the disk. The set of targeted browsers and crypto wallets is extensive, including Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo. 

The malware can also fetch extra payloads, an action it only performs at night, potentially to take advantage of the victim's absence from the computer. These additional Delphi payloads, which are delivered as TXT files, use the same Inno-based loader that tampers with the host's security tools and employ an identical persistence method. They can also grab clipboard data and exfiltrate directory enumeration data.

To mitigate the risks, researchers recommended avoiding downloading ISO files from obscure sources and instead undertaking significant OS updates using the Windows 10 control panel or obtaining the installation files directly from the source. If you can’t upgrade to Windows 11, there’s no point in attempting to bypass the limitations manually since this will come with a slew of drawbacks and severe security risks.

Malspam Campaign Spreads Novel META Info-stealer

 

The new META malware, a unique info-stealer malware that appears to be gaining popularity among hackers, has been discovered in a malspam campaign. 

META, along with Mars Stealer and BlackGuard, is one of the latest info-stealers whose operators aim to profit from Raccoon Stealer's absence from the market, which has left many looking for a new platform. META was first reported by Bleeping Computer last month when KELA experts cautioned about its quick entry into the TwoEasy botnet marketplace. The product is advertised as an upgraded version of RedLine and costs $125 per month or $1,000 for unlimited lifetime use.

META is currently being utilised in attacks, according to security researcher and ISC Handler Brad Duncan. It is being used to steal passwords stored in Chrome, Edge, and Firefox, as well as cryptocurrency wallets. The infection chain in this campaign uses the "standard" approach of sending a macro-laced Excel spreadsheet as an email attachment to potential victims' inboxes. The communications make fictitious financial transfer promises that aren't very persuasive or well-crafted, yet they can nonetheless be effective against a considerable percentage of recipients. 

A DocuSign bait is included in the spreadsheet files, urging the target to "allow content" in order to launch the malicious VBS macro in the background. The malicious script will download a variety of payloads, including DLLs and executables, when it runs. To avoid detection by the security software, some of the downloaded files are base64 encoded or have their bytes reversed. 

One of the samples Duncan collected, for example, has its bytes reversed in the original file. The full payload is eventually assembled on the machine under the name "qwveqwveqw.exe," which is most likely random, and a new registry entry is created for persistence. The EXE file's beaconing to a command and control server at 193.106.191[.]162, which continues even after the system reboots, is clear and persistent evidence of the infection; the persistence entry restarts the infection process on the affected machine after each reboot.

One thing to keep in mind is that META uses PowerShell to tell Windows Defender to exclude .exe files in order to protect its files from discovery.
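A defender's take on that last point, as an added example that is not from the article or from the researchers it cites: it scans constructed PowerShell script-block log lines for Defender preference changes (exclusions or disabled protections), including a command hidden behind an -EncodedCommand argument. The log line format, hostname and timestamps are assumptions made for this example.

```python
import base64
import re

# Constructed log lines shaped like PowerShell script-block entries
# (assumption: "<timestamp> <host> ScriptBlockText=<text>").
ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\Public"'.encode("utf-16-le")
).decode()
SAMPLE_LOG = [
    "2022-04-01T03:12:07Z WS01 ScriptBlockText=Get-MpPreference",
    '2022-04-01T03:12:09Z WS01 ScriptBlockText=Add-MpPreference -ExclusionExtension ".exe"',
    "2022-04-01T03:12:10Z WS01 ScriptBlockText=Set-MpPreference -DisableRealtimeMonitoring $true",
    '2022-04-01T03:12:11Z WS01 ScriptBlockText=Write-Host "hello"',
    f"2022-04-01T03:12:12Z WS01 ScriptBlockText=powershell.exe -enc {ENCODED}",
]

# Add-/Set-MpPreference followed by an exclusion or a Disable* switch
MP_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b[^\n]*?-(Exclusion(?:Extension|Path|Process)|Disable\w+)",
    re.I,
)
# Common spellings of the -EncodedCommand switch and its base64 argument
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def expand_encoded(text):
    """Append the decoded form of any -EncodedCommand argument (UTF-16LE base64)."""
    out = text
    for m in ENC_RE.finditer(text):
        try:
            out += "\n" + base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            pass  # not a valid encoded command, keep the raw text only
    return out


def find_defender_tampering(lines):
    """Return (timestamp, matched_switch) for each line that changes Defender settings."""
    hits = []
    for line in lines:
        _, _, text = line.partition("ScriptBlockText=")
        if not text:
            continue
        m = MP_RE.search(expand_encoded(text))
        if m:
            hits.append((line.split()[0], m.group(2)))
    return hits
```

`find_defender_tampering(SAMPLE_LOG)` flags the .exe exclusion, the disabled real-time monitoring, and the exclusion path hidden inside the encoded command, while ignoring the read-only Get-MpPreference call.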

Info Stealing BlackGuard Malware is Advertised for Sale on Russian Hacking Forums

 

A sophisticated information stealer dubbed BlackGuard is gaining the attention of the cybercrime community. The malware is advertised for sale on multiple Russian hacking forums with a lifetime price of $700 or a subscription of $200 per month. 

This low price and ease of access could allow a thrifty threat actor to loot hundreds of cryptocurrency wallets, bank accounts, and more with little to no work, explained the researchers at Zscaler who spotted and analyzed the malware.

The malware was first spotted on Russian-language hacking forums in January 2022, when it was still distributed privately and at the testing stage. As with all modern information-stealers, BlackGuard exfiltrates information from almost any application that processes sensitive user data, with a focus on crypto assets. On an infected system, BlackGuard looks for the following applications to steal user data from:
• Web browsers: Passwords, cookies, autofill, and history from Chrome, Opera, Firefox, MapleStudio, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia, Coowon, liebao, QIP Surf, Orbitum, Comodo.
• Wallet browser extensions: Binance, coin98, Phantom, Mobox, XinPay, Math10, Metamask, BitApp, Guildwallet, iconx, Sollet, Slope Wallet, Starcoin, Swash, Finnie, KEPLR, Crocobit, OXYGEN, Nifty, Liquality, Auvitas wallet, Math wallet, MTV wallet, Rabet wallet, Ronin wallet, Yoroi wallet, ZilPay wallet, Exodus, Terra Station, Jaxx
• Cryptocurrency wallets: AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, LitecoinCore, Monero, Jaxx, Zcash, Solar, Zap, AtomicDEX, Binance, Frame, TokenPocket, Wassabi
• Email: Outlook
• Messengers: Telegram, Signal, Tox, Element, Pidgin, Discord

The gathered information is bundled in a ZIP file, also known as logs, and is sent to the attackers’ C&C server via a POST request, along with a system profile report that assigns a unique identifier to the victim’s equipment.

BlackGuard's detection-evasion capabilities are still under development, but some measures are already in place to avoid detection and analysis. First, the malware is packed with a crypter, and its strings are obfuscated using base64. Finally, once it has landed on a vulnerable workstation, it inspects the operating system's processes and tries to block anything linked to antivirus software or sandboxing.

How to avoid the installation of malware? 

To mitigate the risks, you must avoid visiting shady websites and downloading files from untrustworthy or dubious sources. Furthermore, use two-factor authentication, keep your OS and applications updated, and use strong and unique passwords for all your online accounts. If you believe that your computer is already compromised, researchers recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.