Another indication that attackers are always looking for novel ways to trick users into installing malicious software has surfaced: the question-and-answer (Q&A) site Stack Exchange has been abused to steer unsuspecting developers toward fake Python packages capable of draining their cryptocurrency wallets.
“Upon installation, this script would automatically run, setting off a series of actions intended to infiltrate and dominate the victim’s systems, while also siphoning their data and emptying their crypto wallets,” stated Checkmarx researchers Yehuda Gelb and Tzachi Zornstain in an analysis shared with The Hacker News.
The campaign, which began on June 25, 2024, targeted cryptocurrency users working with Raydium and Solana. The list of malicious packages discovered during the campaign is itemized below –
The packages were collectively downloaded 2,082 times. They are no longer available for download from the Python Package Index (PyPI) repository.

The malicious payload concealed within the package acted as a comprehensive information stealer, capturing a broad range of data, including web browser passwords, cookies, credit card details, cryptocurrency wallets, and data associated with messaging apps such as Telegram, Signal, and Session.
It also included functions to take screenshots of the system and search for files containing GitHub recovery codes and BitLocker keys. The collected data was then compressed and exfiltrated to two separate Telegram bots operated by the attacker.
Separately, a backdoor component embedded in the malware gave the attacker persistent remote access to victims’ machines, enabling follow-on compromise and prolonged presence.
The attack chain involves multiple stages, with the “raydium” package listing “spl-types” as a dependency in an effort to mask the malicious behaviour and give users an impression of legitimacy.
A notable aspect of the campaign is the use of Stack Exchange as a vector to boost adoption: the attacker posted seemingly helpful answers, referencing the package in question, to developer questions about executing swap transactions on Raydium using Python.
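One way a defender can screen a package for the behaviour the researchers describe (code that runs at installation time, and a dependency declared to look legitimate) is to inspect the sdist's setup.py statically instead of executing it. The checker below is an added example, not code from the article or from Checkmarx; the setup.py it analyses is constructed here, and the "spl-types" dependency name is taken from the article only to mirror the described pattern. It flags cmdclass overrides of install-time commands and any module-level call other than setup(); pyproject-based builds and obfuscated code need other checks.

```python
"""Static pre-install check of a Python sdist's setup.py (added example)."""
import ast

# Commands pip runs while building/installing; a cmdclass override of any of
# them lets package code execute before the package is ever imported.
INSTALL_COMMANDS = {"install", "develop", "egg_info", "build_py"}

def _setup_kwargs(tree):
    # Keyword arguments of the setup(...) call, kept as AST nodes (never evaluated).
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and getattr(node.func, "id", "") == "setup":
            return {kw.arg: kw.value for kw in node.keywords}
    return {}

def analyse_setup_py(source: str) -> dict:
    """Parse setup.py with ast, without executing it, and report install-time hooks."""
    tree = ast.parse(source)
    kwargs = _setup_kwargs(tree)
    report = {"requires": [], "hooked_commands": [], "top_level_calls": []}
    req = kwargs.get("install_requires")
    if isinstance(req, (ast.List, ast.Tuple)):
        report["requires"] = [e.value for e in req.elts if isinstance(e, ast.Constant)]
    cmd = kwargs.get("cmdclass")
    if isinstance(cmd, ast.Dict):
        report["hooked_commands"] = [k.value for k in cmd.keys
                                     if isinstance(k, ast.Constant) and k.value in INSTALL_COMMANDS]
    for node in tree.body:  # module-level calls run as soon as setup.py is executed
        if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
            name = ast.unparse(node.value.func)
            if name != "setup":
                report["top_level_calls"].append(name)
    report["suspicious"] = bool(report["hooked_commands"] or report["top_level_calls"])
    return report

# Constructed setup.py reproducing the pattern: a dependency declared for the look
# of legitimacy plus an install command override that runs code at install time.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
class PostInstall(install):
    def run(self):
        install.run(self)
        print("runs during pip install")  # stand-in for where a payload would go
setup(name="example-pkg", version="0.1", install_requires=["spl-types"],
      cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    print(analyse_setup_py(SAMPLE_SETUP_PY))
```

To obtain a real sdist for review without installing it, `pip download --no-deps --no-binary :all: <package>` fetches the archive, whose setup.py can then be passed to analyse_setup_py.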
“By selecting a discussion with high visibility - gathering thousands of views - the attacker expanded their potential audience,” the researchers said, noting it was done to “add credibility to this package and ensure its broad acceptance.”
Although the answer is no longer present on Stack Exchange, The Hacker News found references to “raydium” in another unanswered question posted on the Q&A site on July 9, 2024: “I have been grappling for nights to set up a swap on solana network utilizing python 3.10.2 installed Solana, solderers, and Raydium but I am unable to make it work,” a user wrote.
References to “raydium-sdk” have also appeared in a post titled “How to Buy and Sell Tokens on Raydium using Python: A Step-by-Step Solana Guide” published by an individual named SolanaScribe on the publishing platform Medium on June 29, 2024.
It’s currently unclear when the packages were removed from PyPI, as two other users have asked the author on the Medium post for guidance on installing “raydium-sdk” as recently as six days ago. Checkmarx told The Hacker News that the post is not connected to the threat actor.
This isn’t the first time malicious actors have used such a distribution method. This past May, Sonatype disclosed how a package named pytoileur was promoted via another Q&A service, Stack Overflow, to facilitate cryptocurrency theft.
If anything, the development is further evidence that attackers are exploiting the trust in these community-driven platforms to distribute malware, resulting in widespread supply chain compromises.
“A single compromised developer can inadvertently introduce vulnerabilities into an entire company’s software ecosystem, potentially affecting the entire corporate network,” noted the researchers. “This assault acts as a caution for both individuals and entities to reconsider their security strategies.”
The news comes as Fortinet FortiGuard Labs detailed a malicious PyPI package named zlibxjson that included functionality to steal sensitive information such as Discord tokens, cookies stored in Google Chrome, Mozilla Firefox, Brave, and Opera, and passwords saved in those browsers. The package amassed a total of 602 downloads before its removal from PyPI.
“These actions can result in illegitimate access to user accounts and the removal of personal data, unmistakably classifying the software as malevolent,” security researcher Jenna Wang said.

