Researchers from cybersecurity firm Checkmarx have uncovered a malware campaign in which attackers targeted the crypto wallets and personal data of victims in the Python community.
The criminals first gained the trust of Python Package Index (PyPI) community members before distributing their malware, the company reported. The campaign began on June 25 with references on the StackExchange Q&A platform to Python packages that at first looked benign. These had plausible names such as ‘spl-types’ (‘spl’ echoes the Solana Program Library naming used by legitimate Solana tooling) in an attempt to look trustworthy.
Malicious versions popping up
The bad actors also built credibility by providing helpful answers to users’ questions. However, it only took a couple of days before malicious versions of these packages began popping up. In these, the malware was hidden in the package’s `__init__.py` file.
Because `__init__.py` runs whenever the package is imported, the malware executed as soon as a victim installed and used the package, with no further user action. It targeted users’ crypto wallets and sensitive data. The malware also contained a backdoor, giving the attackers long-term remote access to compromised systems.
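One check a practitioner would want after reading this is a quick static triage of a freshly downloaded package for code that runs at import time. The script below is an added example, not code from the Checkmarx report or from the malicious packages it describes. It parses each `.py` file with Python’s `ast` module and reports module-level calls to a small, assumed watch-list (`exec`, `base64.b64decode`, `subprocess.Popen` and similar), while ignoring calls that sit inside function bodies, since those do not run on import. The two sample packages it scans are constructed inline and are only parsed, never executed.

```python
"""Static triage of a Python package for import-time execution risk.

Added example (not from the Checkmarx write-up). Scans every .py file under a
directory and flags suspicious calls that execute when the module is imported.
All package contents below are constructed for the demo and are never run.
"""
import ast
import os
import tempfile

# Assumed watch-list: calls that deserve a human look when reachable at import
# time. Tune it to your own threat model.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "subprocess.Popen", "subprocess.run", "subprocess.call", "os.system",
    "base64.b64decode", "base64.b85decode", "zlib.decompress",
    "urllib.request.urlopen", "requests.get", "requests.post", "socket.socket",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain such as subprocess.Popen."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _import_time_nodes(node):
    """Yield AST nodes that execute when the module is imported.

    Function bodies and lambdas run only when called, so they are skipped;
    decorators and default arguments of a def are evaluated on import, so they
    are kept. Class bodies execute at import time and are walked normally.
    """
    for child in ast.iter_child_nodes(node):
        if isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for part in child.decorator_list + child.args.defaults:
                yield part
                yield from _import_time_nodes(part)
            continue
        if isinstance(child, ast.Lambda):
            continue
        yield child
        yield from _import_time_nodes(child)


def import_time_findings(source):
    """Return [(lineno, dotted_name)] for watch-listed calls reachable on import."""
    tree = ast.parse(source)
    return [
        (n.lineno, _dotted_name(n.func))
        for n in _import_time_nodes(tree)
        if isinstance(n, ast.Call) and _dotted_name(n.func) in SUSPICIOUS_CALLS
    ]


def scan_package(root):
    """Scan every .py file under root; return {relative_path: findings} for hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".py"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8") as f:
                    hits = import_time_findings(f.read())
                if hits:
                    report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


# Constructed samples. The "malicious" one only decodes a harmless print call,
# and this script never executes it; it is parsed for demonstration only.
BENIGN_INIT = '''\
"""A harmless helper package (constructed sample)."""
import base64

def decode_token(s):
    # Inside a function: runs only when called, not on import.
    return base64.b64decode(s)
'''

MALICIOUS_INIT = '''\
import base64, subprocess
_payload = base64.b64decode("cHJpbnQoJ2hlbGxvJyk=")   # decoded on import
exec(_payload)                                          # executed on import
subprocess.Popen(["echo", "x"])                         # spawned on import
'''


def demo():
    """Write both constructed packages to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("goodpkg", BENIGN_INIT), ("badpkg", MALICIOUS_INIT)):
            os.mkdir(os.path.join(root, name))
            with open(os.path.join(root, name, "__init__.py"), "w", encoding="utf-8") as f:
                f.write(body)
        return scan_package(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, call in hits:
            print(f"{path}:{lineno}: import-time call to {call}")
```

The deliberate design choice is the import-time walk: the same `base64.b64decode` call is harmless inside `decode_token` and suspicious at module scope, and a plain grep cannot tell the two apart. A hit is a prompt for manual review, not proof of malice.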
Sensitive data pilfered
The attackers primarily targeted users of the Solana blockchain and of Raydium, the decentralised exchange that runs on it. The malware also pilfered a host of sensitive data, such as passwords, credit card information, browser history, GitHub recovery codes, and BitLocker keys.
Messaging apps were not safe either. The malware went through the data of Telegram, Signal and Session, searching for keywords related to crypto and other sensitive information, and it also took screenshots. The stolen data was compressed and exfiltrated to the attackers’ command-and-control infrastructure via Telegram bots.
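Exfiltration through Telegram bots leaves a recognisable trace: an HTTPS request to `api.telegram.org` whose path starts with `/bot<id>:<token>/` followed by a Bot API method such as `sendDocument`. The detection below is an added example, not part of the original article or the Checkmarx report, and runs over a few constructed proxy log lines in an assumed `key=value` format. It flags Bot API calls made by processes that are not the Telegram client itself, rates uploads highest, and redacts the bot token before reporting so the finding can be shared without leaking the attacker’s credential.

```python
"""Detect Telegram Bot API exfiltration in egress (proxy) logs.

Added example, not from the original article. The log format is an
assumption: one line per request, a timestamp followed by key=value fields.
The sample lines are constructed; the bot token in them is made up.
"""
import re

# Bot API URL: /bot<numeric id>:<35-char secret>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{35})/(\w+)"
)

# Methods that carry a payload off the host; anything else is still unusual
# from a non-Telegram process but less alarming.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMessage"}

# Processes expected to talk to Telegram directly (assumed allow-list).
EXPECTED_PROCS = {"Telegram.exe", "telegram-desktop"}

# Constructed sample log lines (not real traffic).
LOG_LINES = [
    "2024-07-02T10:15:01Z host=ws-7 proc=python.exe dst=api.telegram.org method=POST "
    "url=https://api.telegram.org/bot7012345678:AAEx3k9QJ2mZv7Lw0pT8uYb4RcN1sHgF6dV/sendDocument bytes=2457600",
    "2024-07-02T10:15:03Z host=ws-7 proc=Telegram.exe dst=149.154.167.220 method=POST "
    "url=https://149.154.167.220/api bytes=812",
    "2024-07-02T10:16:10Z host=ws-3 proc=chrome.exe dst=api.telegram.org method=GET "
    "url=https://api.telegram.org/ bytes=1200",
    "2024-07-02T10:17:44Z host=ws-7 proc=python.exe dst=api.telegram.org method=GET "
    "url=https://api.telegram.org/bot7012345678:AAEx3k9QJ2mZv7Lw0pT8uYb4RcN1sHgF6dV/getMe bytes=300",
]


def parse_line(line):
    """Split 'ts k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def redact_token(token):
    """Keep enough of the token to correlate findings, never the whole secret."""
    return token[:4] + "*" * (len(token) - 4)


def detect_telegram_exfil(lines, expected_procs=EXPECTED_PROCS):
    """Return one finding per Bot API request made by an unexpected process."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        m = BOT_API_RE.search(rec.get("url", ""))
        if not m:
            continue  # plain web traffic to telegram.org is not a bot call
        bot_id, token, api_method = m.groups()
        proc = rec.get("proc", "?")
        if proc in expected_procs:
            continue
        findings.append({
            "ts": rec["ts"],
            "host": rec.get("host", "?"),
            "proc": proc,
            "bot_id": bot_id,
            "token": redact_token(token),
            "api_method": api_method,
            "bytes": int(rec.get("bytes", 0)),
            "severity": "high" if api_method in UPLOAD_METHODS else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_telegram_exfil(LOG_LINES):
        print(f"[{f['severity']}] {f['ts']} {f['host']} {f['proc']} -> "
              f"bot{f['bot_id']}:{f['token']} {f['api_method']} ({f['bytes']} bytes)")
```

The bot id and the redacted token prefix are enough to pivot across hosts: every infected machine in one campaign typically reports to the same bot, so a second host showing the same `bot_id` is a strong link even when the payload differs. Blocking `api.telegram.org` outright is the blunt option; where the Telegram client is in legitimate use, alerting on Bot API paths from other processes is the more precise one.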
Lately, there has been an increasing focus on attackers playing the long game, investing weeks or months in establishing trust before striking. The creators of the backdoor in the xz compression tool for Linux that came to light earlier this year did not rely on sophisticated techniques alone to remain undetected. Building goodwill with the project’s maintainer and probing the intended victim for psychological weaknesses was one of the most striking features of the criminal modus operandi in that case.
Read also: Makers of infamous xz backdoor cleverly managed to cover their tracks, analysis shows