Cybersecurity researchers from Checkmarx detected more than two dozen malicious packages in PyPI, a popular repository for Python developers, and published their findings in a new report.
These malicious packages, designed to look almost identical to legitimate ones, attempt to trick inattentive developers into downloading and installing the wrong one, thereby distributing malware.
This practice is known as typosquatting and is quite popular among cybercriminals targeting software developers.
Information theft
To disguise malware, attackers use two unique approaches: steganography and polymorphism.
Steganography is the practice of hiding code inside an image, which lets cybercriminals distribute malicious code using seemingly innocent .JPG and .PNG files.
Polymorphic malware, on the other hand, changes its payload with each installation, thus effectively evading antivirus and other cybersecurity solutions.
Here, the attackers used these techniques to deliver WASP, an information-stealing tool capable of intercepting Discord accounts, passwords, cryptocurrency wallet information, credit card details, and any other information on the victim's endpoint they find interesting.
Once identified, the data is sent back to the attackers via a hard-coded Discord webhook address.
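As an added example (not code from the Checkmarx report or the article), the following static check looks for the two behaviours described above in a package's Python source before it is installed: a hard-coded Discord webhook URL used as the exfiltration channel, and code that references an image file and then hands data to `exec`/`eval`, which is how image-based steganography typically turns into execution. The sample snippets it scans are constructed for illustration.

```python
import ast
import re

# Discord webhook URLs have a fixed shape: /api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(r"https://discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
# Image files referenced by the code, as used for steganographic payloads
IMAGE_EXT_RE = re.compile(r"\.(?:png|jpe?g)\b", re.IGNORECASE)

def scan_source(src: str) -> dict:
    """Return indicator -> bool for one Python source file (setup.py or module)."""
    findings = {
        "discord_webhook": bool(WEBHOOK_RE.search(src)),
        "image_reference": bool(IMAGE_EXT_RE.search(src)),
        "dynamic_exec": False,
    }
    try:
        tree = ast.parse(src)
    except SyntaxError:
        # A file that does not parse is itself worth a manual look.
        findings["unparseable"] = True
        findings["suspicious"] = True
        return findings
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            fn = node.func
            # Catch both bare exec(...) and builtins.exec(...)-style calls
            name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", "")
            if name in {"exec", "eval"}:
                findings["dynamic_exec"] = True
    # A webhook alone is a red flag; image + exec together is the stego pattern
    findings["suspicious"] = findings["discord_webhook"] or (
        findings["image_reference"] and findings["dynamic_exec"]
    )
    return findings

# Constructed sample: a module that ships an image and executes data from it
SAMPLE_SUSPICIOUS = '''
from PIL import Image
HOOK = "https://discord.com/api/webhooks/123456789/abcDEF_ghi-jkl"
img = Image.open("assets/logo.png")
exec(decode(img))
'''
# Constructed sample: ordinary image handling with no execution of data
SAMPLE_BENIGN = '''
from PIL import Image
def thumb(path):
    return Image.open(path).resize((64, 64))
'''
```

Run it over every `.py` file in an unpacked sdist or wheel; anything marked `suspicious` should be reviewed by hand rather than rejected automatically, since legitimate packages occasionally use `exec` in setup code.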
The campaign appears to be a marketing ploy as researchers apparently spotted cybercriminals advertising the tool on the dark web for $20 and claiming it was undetectable.
Furthermore, researchers believe this is the same group behind a similar attack that was first reported earlier this month by researchers at Phylum and Check Point. At the time, a group called Worok was said to have been distributing DropBoxControl, a custom .NET C# information stealer that has abused Dropbox file hosting for communication and data theft since at least September 2022.
Given its toolkit, researchers believe that Worok is a cyberespionage group that operates quietly, moves laterally across target networks and steals sensitive data. It also appears to use its own proprietary tools, as researchers have not observed them being used by anyone else.
By: Register