Wednesday, December 6, 2023

Hackers Deploy New Information Stealer Malware onto Python Developers’ Machines

Researchers at Phylum recently discovered that hackers had been injecting information stealer malware into Python developers’ machines in order to steal their information.

As they dug deeper, they discovered a new stealer variant with many different names. While apart from this, the source code of the program reveals that it is a straightforward copy of the old Stealer, W4SP. 

Attack Chain to Deploy Malware

A stealer in this case dropped directly into the main.py file rather than obfuscating the code or being obvious about the attempts to escape detection.

Only one instance has been found in which multiple stages were used in order to obfuscate and obscure the attacker’s intentions. In this case, the attacker used a package called chazz to pull obfuscated code from the klgrth.io website, using a simple first stage to get it.

There is a great deal of similarity between the first stage of the stealer code and the injector code. While this has been obfuscated with BlankOBF, it’s an obfuscation program. As soon as it is de-obfuscated, it reveals the Leaf $tealer.

Malicious Packages

Listed below are packages that feature similar IOC and apart from this, what we can expect is this list will grow over the coming months and years:-

  • modulesecurity – “Celestial Stealer”
  • informmodule – “Leaf $tealer”
  • chazz – first stage that pull from https://www.klgrth.io/paste/j2yvv/raw which contains the obfuscated code shown above
  • randomtime – “ANGEL stealer”
  • proxygeneratorbil – “@skid STEALER”
  • easycordey – “@skid Stealer”
  • easycordeyy – “@skid Stealer”
  • tomproxies – “@skid STEALER”
  • sys-ej – “Hyperion Obfuscated code”
  • infosys – “@734 Stealer”
  • sysuptoer – “BulkFA Stealer”
  • nowsys – “ANGEL Stealer”
  • upamonkws – “PURE Stealer”
  • captchaboy – “@skid STEALER”
  • proxybooster – “Fade Stealer”

W4SP Copies

W4SP’s original publication in loTus’s repository has been disabled by GitHub staff due to the violation of the T&C of GitHub, and as a result, it will be not found anymore.

It has been Phylum’s mission for some time to monitor the actions of these threat actors in an attempt to finally bring down their infrastructure, due to their persistent, pervasive, and egregious nature.

It was discovered that several copies of W4SP-Stealer started flashing under different names as soon as the repo for W4SP-Stealer was removed. This new stealer is even being distributed through PyPI by threat actors already, which is a sign that it is becoming a real threat.

It has been discovered that W4SP has been hosted in two GitHub repositories under two different aliases, each with its own purpose.

  • Satan Stealer
  • angel-stealer

There is a copy of the original source here, as well as the earlier versions of W4SP, hosted in an account titled aceeontop. 

W4SP Stealer will likely remain part of the scene for quite some time to come, as will their imitations and other variants.

There will be a constant increase in their number of attempts, their persistence, and their sophistication as time passes. However, Phylum ensured that it would mitigate and block supply chain attacks since its platform is capable enough in doing so.

Managed DDoS Attack Protection for Applications – Download Free Guide

Website

Latest articles

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...

Serpent Stealer Acquires Browser Passwords and Erases Intrusion Logs

Beneath the surface of the cyber realm, a silent menace emerges—crafted with the precision...

Doppelgänger: Hackers Employ AI to Launch Highly sophistication Attacks

It has been observed that threat actors are using AI technology to conduct illicit...

Kali Linux 2023.4 Released – What’s New!

Kali Linux 2023.4, the latest version of Offensive Security's renowned operating system, has been...

Trickbot Malware Developer Pleads Guilty & Faces 35 Years in Prison

A 40-year-old Russian national, Vladimir Dunaev, pleaded guilty for developing and deploying Trickbot malware....

ICANN Launches RDRS to Assist Law Enforcement Agencies to Discover Private Info

ICANN is a non-profit organization that is responsible for coordinating the global internet's-DNSIP address...

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles