Malicious Python packages uploaded by “dsfsdfds” to PyPI infiltrated user systems by exfiltrating sensitive data to a Telegram bot likely linked to Iraqi cybercriminals.
Active since 2022 and containing more than 90,000 Arabic messages, it has functioned as both a command-and-control center and an underground marketplace for social media manipulation tools.
It highlights a broader cybercriminal network, emphasizing the need for in-depth investigation and collaboration within cybersecurity communities.
A malicious script scans the victim’s file system, particularly the root directory and DCIM folder, targeting files with extensions like .py, .php, .zip, .png, .jpg, and .jpeg.
Once found, the script transmits both file paths and the actual data (files and photos) to the attacker’s Telegram bot without the user’s awareness. This is achieved through a hardcoded Telegram bot token and chat ID within the script, revealing the attacker’s infrastructure details.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
Analysis of the exfiltrated data revealed hardcoded credentials for a Telegram bot used by the attackers.
Exploiting these credentials, researchers gained direct access to the bot and observed a significant activity history stretching back to at least 2022.
The messages, primarily in Arabic, provided clues about the bot operator’s location and operations. By analyzing message language and content with tools like GitHub’s TeleTracker, researchers identified the operator as likely being based in Iraq.
The bot’s activity suggested it was part of a network of bots controlled by the same actor.
Initially, the bot functioned as an underground marketplace, offering various illicit services, which included purchasing social media engagement metrics like views and followers, spam services, and discounted subscriptions to streaming platforms like Netflix.
An investigation into a malicious Python package revealed a hidden Telegram bot, while further analysis of the bot’s message history uncovered evidence of a broader cybercriminal operation.
The messages hinted at financial theft and appeared to originate from compromised systems, suggesting the packages were a successful initial attack vector and highlighting the need for a deep investigation into cybersecurity.
In reality, the malicious packages that appeared to be isolated did in fact serve as the entry point to a more complex criminal network that was based on Telegram.
Researchers at Checkmarx uncovered malicious Python packages on PyPI that exfiltrated user data to a Telegram bot. This exposed a larger Iraqi cybercriminal network and highlighted the dangers of a compromised developer machine.
In an enterprise setting, such a breach could provide attackers with an initial foothold to launch further attacks within the organization’s network.
Avoid these four Python packages: testbrojct2, proxyfullscraper, proxyalhttp, and proxyfullscrapers, as they are identified as malicious by exploiting the PyPI repository to install them on unsuspecting systems.
Once installed, they scrape the files, including potentially sensitive ones like Python scripts, images, and compressed archives, and the stolen data is then sent to a Telegram bot controlled by cybercriminals, which exposes the system to a variety of threats, depending on the criminals’ goals, which could include financial fraud or further system compromise.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo
Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated learning…
Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target e-commerce…
wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By manipulating…
Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation platform.…
A critical vulnerability has been discovered in Salesforce applications that could potentially allow a full…
A significant vulnerability has been identified in TP-Link's HomeShield function, affecting a range of their…