Tuesday, December 3, 2024
HomecryptocurrencyBeware Of New Malicious PyPI Packages That Steal Wallet Passwords

Beware Of New Malicious PyPI Packages That Steal Wallet Passwords

Published on

SIEM as a Service

Threat actors use malicious PyPI packages to infiltrate systems and execute various attacks like data exfiltration, ransomware deployment, or system compromise. 

By masquerading as legitimate Python libraries all these packages can easily bypass security measures. 

This allows it to infect the unsuspecting users’ environments and potentially cause widespread damage.

- Advertisement - SIEM as a Service

Cybersecurity researchers at ReversingLabs recently discovered new malicious PyPI packages that could steal crypto wallet passwords.

New Malicious PyPI Packages

ReversingLabs unveiled a malicious scheme spanning seven open-source packages on PyPI, with 19 variants, the earliest dating back to December 2022. 

This ‘BIPClip’ campaign aims to steal helpful phrases for crypto wallet recovery by joining the ranks of previous supply chain attacks like 3CX’s compromise. 

Cryptocurrency remains a coveted target, and threat actors employ deceptive tactics like malicious dependencies and name-squatting to evade detection.

The RL research team found 7 new malicious PyPI packages aiming to steal crypto wallet phrases while staying hidden.

This campaign targets developers handling cryptocurrency wallets, especially those using BIP39 for easy-to-remember wallet generation. BIP39 simplifies seed creation with mnemonic phrases, enhancing recall for wallet owners.

Crypto infrastructure and assets remain prime targets for supply chain strikes, from the Ledger Connect Kit breach diverting transactions to covert cryptominers in Python libraries and malicious crypto-related npm packages.

Allegedly, the North Korean threat actors have stolen up to $3 billion in crypto over five years; it’s a staggering 5% of their GDP.

ReversingLabs found two PyPI packages, mnemonic_to_address, and bip39_mnemonic_decrypt, collaborating to steal crypto wallet data. 

The bip39_mnemonic_decrypt raised suspicion with Base64 decoding and network usage. Besides this further investigation revealed mnemonic_to_address as a seemingly “clean” package with bip39_mnemonic_decrypt as a hidden malicious dependency.

Code example from eth-account documentation for generating an account from a mnemonic (Source – ReversingLabs)

The mnemonic_to_address package acts as a wrapper for function calls. However, it differs subtly by using decrypt_jsBIP39 which is a function that is not found in the eth-account package.

This function is imported from the bip39_mnemonic_decrypt module, where the mnemonic_to_address package passes the user’s mnemonic passphrase as an argument.

Code from mnemonic_to_address package calls the function from the malicious bip39_mnemonic_decrypt package (Source – ReversingLabs)

The bip39_mnemonic_decrypt package is the second in the campaign and is a dependency of mnemonic_to_address. 

ReversingLabs discovered clearly malicious functionality within it. Both packages were published by james_pycode, a newly created PyPI maintainer account, a common tactic in malicious campaigns. 

The account showed minimal effort to establish credibility. Sophisticated attackers often invest resources to mimic official pages in open-source repositories.

Threat actors stealthily hide malicious code in open-source packages. They concealed malware deep within dependencies to avoid detection during code audits. 

Fraudulent function names like “decrypt_jsBIP39” and “cli_keccak256” disguised malicious actions. The malware stealthily exfiltrated crypto wallet seeds, encoding them as “license” data. 

Though limited in scope, this supply chain attack exploited developers’ trust in open-source libraries. Vigilance in vetting third-party code and security assessments is crucial to prevent such threats from targeting the lucrative crypto ecosystem.

IOCs

IoC (Source – ReversingLabs)

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

New CleverSoar Malware Attacking Windows Users Bypassing Security Mechanisms

CleverSoar, a new malware installer, targets Chinese and Vietnamese users to deploy advanced tools...

Beware Of Malicious PyPI Packages That Inject infostealer Malware

Recent research uncovered a novel crypto-jacking attack targeting the Python Package Index (PyPI), where...