Friday, May 24, 2024

Beware Of New Malicious PyPI Packages That Steal Wallet Passwords

Threat actors use malicious PyPI packages to infiltrate systems and execute various attacks like data exfiltration, ransomware deployment, or system compromise. 

By masquerading as legitimate Python libraries all these packages can easily bypass security measures. 

This allows it to infect the unsuspecting users’ environments and potentially cause widespread damage.

Cybersecurity researchers at ReversingLabs recently discovered new malicious PyPI packages that could steal crypto wallet passwords.

New Malicious PyPI Packages

ReversingLabs unveiled a malicious scheme spanning seven open-source packages on PyPI, with 19 variants, the earliest dating back to December 2022. 

This ‘BIPClip’ campaign aims to steal helpful phrases for crypto wallet recovery by joining the ranks of previous supply chain attacks like 3CX’s compromise

Cryptocurrency remains a coveted target, and threat actors employ deceptive tactics like malicious dependencies and name-squatting to evade detection.

The RL research team found 7 new malicious PyPI packages aiming to steal crypto wallet phrases while staying hidden.

This campaign targets developers handling cryptocurrency wallets, especially those using BIP39 for easy-to-remember wallet generation. BIP39 simplifies seed creation with mnemonic phrases, enhancing recall for wallet owners.

Crypto infrastructure and assets remain prime targets for supply chain strikes, from the Ledger Connect Kit breach diverting transactions to covert cryptominers in Python libraries and malicious crypto-related npm packages.

Allegedly, the North Korean threat actors have stolen up to $3 billion in crypto over five years; it’s a staggering 5% of their GDP.

ReversingLabs found two PyPI packages, mnemonic_to_address, and bip39_mnemonic_decrypt, collaborating to steal crypto wallet data. 

The bip39_mnemonic_decrypt raised suspicion with Base64 decoding and network usage. Besides this further investigation revealed mnemonic_to_address as a seemingly “clean” package with bip39_mnemonic_decrypt as a hidden malicious dependency.

Code example from eth-account documentation for generating an account from a mnemonic (Source – ReversingLabs)

The mnemonic_to_address package acts as a wrapper for function calls. However, it differs subtly by using decrypt_jsBIP39 which is a function that is not found in the eth-account package.

This function is imported from the bip39_mnemonic_decrypt module, where the mnemonic_to_address package passes the user’s mnemonic passphrase as an argument.

Code from mnemonic_to_address package calls the function from the malicious bip39_mnemonic_decrypt package (Source – ReversingLabs)

The bip39_mnemonic_decrypt package is the second in the campaign and is a dependency of mnemonic_to_address. 

ReversingLabs discovered clearly malicious functionality within it. Both packages were published by james_pycode, a newly created PyPI maintainer account, a common tactic in malicious campaigns. 

The account showed minimal effort to establish credibility. Sophisticated attackers often invest resources to mimic official pages in open-source repositories.

Threat actors stealthily hide malicious code in open-source packages. They concealed malware deep within dependencies to avoid detection during code audits. 

Fraudulent function names like “decrypt_jsBIP39” and “cli_keccak256” disguised malicious actions. The malware stealthily exfiltrated crypto wallet seeds, encoding them as “license” data. 

Though limited in scope, this supply chain attack exploited developers’ trust in open-source libraries. Vigilance in vetting third-party code and security assessments is crucial to prevent such threats from targeting the lucrative crypto ecosystem.

IOCs

IoC (Source – ReversingLabs)

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Website

Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles