Severity
High
Analysis Summary
A set of 116 malicious packages has been discovered on the Python Package Index (PyPI) repository, specifically crafted to compromise Windows and Linux devices with a custom backdoor. These packages are estimated to have been downloaded more than 10,000 times since May 2023.
The cybercriminals behind this activity have been observed using three different techniques to bundle the malicious code into Python packages: placing it in a test.py script, embedding it in encrypted form in the __init__.py file, and embedding PowerShell in the setup.py file. The final payload is sometimes a variant of W4SP Stealer or a clipper tool that steals cryptocurrency.
Whichever method is used, the goal is the same: infect the targeted device with malware, most often a backdoor capable of executing commands remotely, taking screenshots, and exfiltrating data. The backdoor is implemented in Python for Windows and in Go for Linux.
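As an added illustration (not Rewterz tooling or any vendor's code), the following script inspects an unpacked source distribution for the three bundling techniques described above without importing or executing any of it; the regexes, call lists and sample package are constructed assumptions for this example only.

```python
import ast
import re

# Heuristics assumed for this example; they are not signatures from the advisory.
POWERSHELL_RE = re.compile(r"powershell|Invoke-Expression|-EncodedCommand|\bIEX\b", re.I)
BLOB_RE = re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]")  # long base64-looking string literal
EXEC_CALLS = {"exec", "eval"}
SHELL_CALLS = {"system", "Popen", "run", "call", "check_output"}

def called_names(source):
    """Collect every function name called in the source, via the AST (nothing is executed)."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return {"<unparseable>"}  # obfuscated or non-Python content deserves a look by itself
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            fn = node.func
            names.add(fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", ""))
    return names

def scan_file(path, source):
    """Findings for one file, each mapped to one of the three bundling techniques."""
    base = path.rsplit("/", 1)[-1]
    calls = called_names(source)
    findings = []
    if base == "setup.py" and (POWERSHELL_RE.search(source) or calls & SHELL_CALLS):
        findings.append("setup.py runs a shell or PowerShell command at install time")
    if base == "__init__.py" and BLOB_RE.search(source) and calls & (EXEC_CALLS | {"b64decode"}):
        findings.append("__init__.py decodes and executes an embedded blob")
    if base == "test.py" and calls & (EXEC_CALLS | SHELL_CALLS | {"urlopen"}):
        findings.append("test.py executes code or reaches the network")
    return [f"{path}: {f}" for f in findings]

def scan_package(files):
    """Scan an unpacked sdist given as {relative path: source text}; never import or install it."""
    return [f for path, src in sorted(files.items()) for f in scan_file(path, src)]

# Constructed sample package (not real malware): a setup.py that shells out to PowerShell,
# an __init__.py that decodes and exec()s an embedded blob, and one harmless module.
SAMPLE = {
    "pkg/setup.py": "import subprocess\nsubprocess.run(['powershell', '-EncodedCommand', 'AAAA'])\n",
    "pkg/pkg/__init__.py": "import base64\nexec(base64.b64decode('" + "QUFB" * 40 + "'))\n",
    "pkg/pkg/core.py": "def add(a, b):\n    return a + b\n",
}
if __name__ == "__main__":
    for line in scan_package(SAMPLE):
        print(line)
```

Run it against an extracted sdist before `pip install`; a hit is a reason to read the file, not proof of malice, since legitimate build scripts occasionally shell out too.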

Security researchers stated in a report, “Since anyone can contribute to the repository, malware – sometimes posing as legitimate, popular code libraries – can appear there. We found 116 files (source distributions and wheels) from 53 projects containing malware.”
This is the latest wave of malicious Python packages released by threat actors into the open-source ecosystem to poison it and distribute a mix of malware in supply-chain attacks. In May 2023, researchers discovered another cluster of libraries made to spread Sordeal Stealer. Last month, malicious packages posing as harmless obfuscation tools were used to deploy a stealer called BlazeStealer.
Python developers are advised to properly evaluate the code they download and check for these techniques before installing it on their computers. The disclosure follows the discovery of npm packages targeting a financial institution with an encrypted payload containing an embedded binary used to steal user credentials.
Impact
- Sensitive Data Theft
- Cryptocurrency Theft
- Financial Loss
Indicators of Compromise
MD5
- 69550702d5e826984eac834cf6963af8
- 686f6d2fb8dd540052f2c698e8aff662
SHA-256
- d1f7bc8e97e5621bea311692e930208edc63aa6f07a514feee3afe4373ac5559
- 104a5192cf032cee44b732d33458a27909cef45d7391e092b9c13acd5779bb39
SHA-1
- b0c8d6beee80813c8181f3038e42adacc3848e68
- ef59c159d3fd668c3963e5ade3c726b8771e6f54
URL
- blazywound.ignorelist.com
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Regularly review the dependencies of your open-source projects and consider using package-lock files or version pinning to ensure that you’re using trusted and verified packages.
- Use automated security scanning tools to analyze dependencies for known vulnerabilities or suspicious code.
- Provide training to developers and team members on secure coding practices, the risks of third-party dependencies, and the importance of code reviews.
- Implement access control measures on your code repositories to restrict who can contribute or make changes to the codebase.
- Maintain regular backups of your critical data to ensure data recovery in case of a security incident.
- Use antivirus and intrusion detection systems to help identify and block malicious activity.
- Implement network segmentation to limit the spread of malware or malicious activities within your network.
- Enforce strong password management practices for your systems and accounts.
- Implement MFA wherever possible to add an extra layer of security.
- Properly evaluate the Python code that you download before installing it onto your system.