
Stealthy, Thieving Python Packages Slither Onto Windows Systems


A threat actor has been conducting a persistent and targeted campaign since early April to infiltrate the software supply chain by distributing malicious Python packages. These packages, aimed at stealing sensitive data and cryptocurrency from Windows systems, have already been downloaded nearly 75,000 times, according to researchers from Checkmarx.

The malicious packages are delivered via various usernames on GitHub and have been found to collect a wide range of information from the target systems. This includes data from the system itself, various applications and browsers, as well as personal information from the users. Additionally, the threat actor has implemented a monetization aspect by modifying cryptocurrency addresses to redirect transactions to their own account.

“The sheer volume and persistence of these deployments hinted at an attacker with a well-crafted agenda,” said Yehuda Gelb, a security researcher at Checkmarx. The attacker has also demonstrated a consistent evolution in the sophistication of the malicious packages, utilizing encryption and multilayered obfuscation techniques to avoid detection.

The attack follows a multiphase sequence, with each phase building on the previous one. In the initial phase, the plaintext packages would surreptitiously integrate themselves into unsuspecting systems while laying the groundwork for their malicious activities. They would then collect sensitive data, including usernames, passwords, history, cookies, and payment information from various browsers and applications, packaging it into ZIP files before exfiltrating it.

During this phase, the packages also searched for valuable files in the user’s directories and uploaded them to a remote server. They stole additional information from platforms such as Discord, Minecraft, and Roblox and captured screenshots to track user activity in real time.

The theft of cryptocurrency was a prominent feature of the initial phase. The packages tracked the user’s clipboard to replace cryptocurrency addresses with the attacker’s own, redirecting funds to specific collection points. They also tampered with applications like Exodus, a crypto wallet management app, to enable unrestricted data exfiltration.
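The clipboard-swapping behaviour described above has a simple detection signature: the clipboard holds a wallet address, and a moment later it holds a different address of the same kind without the user having copied anything. The following Python is an added example, not code from Checkmarx or from the packages in the campaign. It runs over a constructed clipboard history (a real deployment would feed it snapshots from a clipboard poller), and the address patterns are a deliberately loose assumption meant to spot the change, not to validate checksums.

```python
import re
from dataclasses import dataclass

# Constructed patterns for two common address formats. They are deliberately
# loose: the goal is to notice "an address became a different address", not
# to validate checksums.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return 'btc'/'eth' if the clipboard text looks like a wallet address."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


@dataclass
class Snapshot:
    ts: float      # seconds, from whatever clock the poller uses
    content: str   # clipboard text at that instant


def detect_swaps(snapshots, window_s=2.0):
    """Flag consecutive snapshots where an address of one kind turned into a
    *different* address of the same kind within window_s seconds.

    A hijacker rewrites the clipboard almost instantly after the user copies an
    address; a person copying two different addresses rarely does it that fast.
    """
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        kind = classify_address(prev.content)
        if kind is None or classify_address(cur.content) != kind:
            continue
        if prev.content.strip() == cur.content.strip():
            continue  # same address copied again: not a swap
        if cur.ts - prev.ts <= window_s:
            alerts.append({
                "kind": kind,
                "at": cur.ts,
                "original": prev.content.strip(),
                "replacement": cur.content.strip(),
            })
    return alerts


# Constructed clipboard history standing in for what a poller would record.
SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "meeting notes for Tuesday"),
    Snapshot(5.0, "0x" + "a" * 40),     # user copies their own ETH address
    Snapshot(5.2, "0x" + "b" * 40),     # 200 ms later it is a different address
    Snapshot(30.0, "bc1q" + "q" * 38),  # a BTC address
    Snapshot(60.0, "bc1q" + "z" * 38),  # another one, 30 s later: plausibly the user
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{alert['at']:.1f}s] {alert['kind']} address swapped: "
              f"{alert['original'][:10]}... -> {alert['replacement'][:10]}...")
```

On the sample history only the ETH change at 5.2 s is flagged; the BTC change 30 seconds later falls outside the default window and is treated as ordinary user activity. The window is the knob to tune: widening it catches slower rewrites at the cost of more false positives from users who genuinely copy several addresses in a row.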

As the campaign continued, the attacker introduced encryption to the plaintext packages, making them harder to detect. However, their behavior remained essentially the same. The most recent packages have added layers of obfuscation to their code, hiding secondary payloads fetched from an external source. These packages have also expanded their data collection and exfiltration capabilities and included evasion tactics to prevent antivirus software detection.
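Encoded blobs, decode-then-exec chains and install-time hooks that fetch a second stage all leave structural traces in a package's setup.py that can be checked before anything is installed. The following Python is an added example, not code from Checkmarx or from the campaign's packages: it parses a setup.py with the standard library's ast module and reports the indicators a reviewer would want to see. The indicator lists and the two constructed setup.py inputs are assumptions for the example, and the encoded string in the hooked sample is a placeholder (base64 of a harmless ASCII string), not a payload.

```python
import ast
import re

# Heuristic indicators. Constructed for this example; a real policy would be
# tuned to the packages an organisation actually depends on.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile",
    "base64.b64decode", "zlib.decompress", "marshal.loads",
    "urllib.request.urlopen", "requests.get", "subprocess.Popen",
    "subprocess.run", "os.system",
}
HOOKED_COMMANDS = {"install", "develop", "egg_info"}  # run at pip-install time
B64_RE = re.compile(r"[A-Za-z0-9+/=\s]+")
MIN_BLOB_LEN = 64


def _dotted_name(node):
    """Return 'pkg.mod.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_source(source):
    """Walk a setup.py and return [(lineno, message)] for each indicator.

    Findings are heuristics, not verdicts: [] means 'nothing obvious', and any
    finding means 'read this file before installing'.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"call to {name}"))
            if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append((node.lineno, "setup() registers a custom cmdclass"))
        elif isinstance(node, ast.ClassDef):
            # Subclassing a setuptools command lets arbitrary code run on install.
            for base in node.bases:
                bname = _dotted_name(base)
                if bname and bname.split(".")[-1] in HOOKED_COMMANDS:
                    findings.append((node.lineno,
                                     f"class {node.name} overrides setuptools command '{bname}'"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Long literals drawn only from the base64 alphabet are usually payloads.
            s = node.value
            if len(s) >= MIN_BLOB_LEN and B64_RE.fullmatch(s):
                findings.append((node.lineno, f"{len(s)}-char base64-looking string literal"))
    return sorted(findings)


# Constructed inputs: an ordinary setup.py and one with the install-hook shape.
BENIGN_SETUP = '''\
from setuptools import setup, find_packages

setup(name="widgets", version="1.0.0", packages=find_packages())
'''

HOOKED_SETUP = '''\
import base64
from setuptools import setup
from setuptools.command.install import install

# Placeholder blob (base64 of a harmless ASCII string, repeated); it stands in
# for the encoded second stage a malicious package would carry here.
BLOB = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode(BLOB))

setup(name="widgets", version="1.0.0", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("hooked", HOOKED_SETUP)):
        print(f"== {label} ==")
        for lineno, msg in scan_setup_source(src) or [(0, "no indicators")]:
            print(f"  line {lineno}: {msg}")
```

The benign file produces no findings; the hooked one is flagged five times (the blob literal, the install subclass, the decode and exec calls, and the cmdclass registration). Because the scan works on the syntax tree rather than on text, string-splitting tricks such as `"ex" + "ec"` or attribute lookups through `getattr` will slip past it, which is exactly the multilayered obfuscation the article describes; treat the scanner as a first filter that forces a manual read, not as a verdict.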

The researchers discovered that the latest packages can steal data from Telegram, including cryptocurrency wallets, system information, antivirus information, task lists, Wi-Fi passwords, and specific files from directories like Desktop, Pictures, Documents, Music, Videos, and Downloads.

The incident highlights the growing trend of threat actors leveraging open source packages to target the software supply chain and reach a large number of potential victims with minimal effort. Python, due to its widespread use in software development, has become a popular target for attackers. Malicious actors have even gone so far as to poison entire projects based on the programming language.

This ongoing threat requires organizations to maintain constant vigilance and adaptability to effectively protect against it, according to Gelb. Security professionals should share open source threat intelligence, while developers must exercise caution when downloading packages from untrusted sources.

Given the relentless and evolving nature of this Python campaign, it is crucial for the cybersecurity community to work together to identify and mitigate such threats. The detection and prevention of these malicious packages will play a crucial role in securing the software supply chain and protecting organizations and users from potential data breaches and financial losses.
