Tuesday, June 25, 2024

Python Developers Beware! Russian Hackers Targeting You With Malicious Packages

A malicious Python package named “crytic-compilers” was identified on PyPI.

Masquerading as a legitimate library for intelligent contract compilation, it mimicked the name and versioning scheme of the real “crytic-compile” tool. 

The imposter package infiltrated popular development environments by appearing to offer desired functionality, as it harbored a hidden payload that stole cryptocurrency from infected systems. 

Although the package garnered 436 downloads before its takedown, which highlights the vulnerability of relying solely on open-source components without proper vetting. 

installing the real library ('crytic-compile') to avoid suspicion
installing the real library (‘crytic-compile’) to avoid suspicion

A counterfeit Python library, “crytic-compilers”, is designed to exploit developers by mimicking the legitimate “crytic-compile” library, which uses similar names and aligns version numbers (0.3.8 to 0.3.11) with appearing as a newer version. 

Analyze any MaliciousURL, Files & Emails & Configuration With ANY RUN Start your Analysis

Some versions even attempt to install the actual library to deflect suspicion.

The malicious intent is revealed in version 0.3.11, which targets Windows systems and executes a hidden program (s.exe). 

The strategy leverages the popularity of “crytic-compile” (170,000 monthly downloads, 141 GitHub stars) to infiltrate unsuspecting projects in the cryptocurrency development community. 

 illicit component's 0.3.11 version
 illicit component’s 0.3.11 version

Lumma, a Russia-linked C2 trojan, targets Windows users by stealing crypto wallets and browser passwords. ]

The malware, disguised as an executable file (s.exe), uses anti-detection techniques to avoid being caught. 

It connects to a list of domains (IOCs) with active “/api” endpoints, most likely Lumma C2 servers, registered on Namecheap and secured by Cloudflare, making takedown attempts more challenging. 

According to SonaType, geo-blocking also prevents users from accessing these domains from restricted regions.   

Verification Captcha
Verification Captcha

Lumma Stealer, a C-based Windows trojan targeting cryptocurrency wallets and browser extensions, has been distributed through various channels since at least 2022. 

Primarily offered as Malware-as-a-Service on Russian dark web forums, Lumma has reappeared in trojanized apps, phishing emails, and pirated games with cheats. 

Most recently, drive-by downloads on compromised websites disguised as fake browser updates have been used to deliver Lumma stealers. 

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo


Latest articles

Hackers Exploit Multiple WordPress Plugins to Hack Websites & Create Rogue Admin Accounts

Wordfence Threat Intelligence team identified a significant security breach involving multiple WordPress plugins. The initial...

Hackers Attacking Windows IIS Server to Upload Web Shells

Windows IIS Servers often host critical web applications and services that provide a gateway...

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...

Four Members of FIN9 Hackers Charged for Attacking U.S. Companies

Four Vietnamese nationals have been charged for their involvement in a series of computer...

BREAKING: NHS England’s Synnovis Hit by Massive Cyber Attack

In a shocking development, the NHS has revealed that it was the victim of...

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles