Devs targeted by W4SP Stealer malware in malicious PyPi packages - BleepingComputer

2023-02-12 09:36 (EST)

Five malicious packages were found on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers.

PyPI is a software repository for packages created in the Python programming language. As the index hosts 200,000 packages, it allows developers to find existing packages that satisfy various project requirements, saving time and effort.

Between January 27 and January 29, 2023, a threat actor uploaded five malicious packages containing the W4SP Stealer information-stealing malware to PyPI.

While the packages have since been removed, they have already been downloaded by hundreds of software developers. These five packages and their download stats are:

3m-promo-gen-api – 136 downloads
Ai-Solver-gen – 132 downloads
hypixel-coins – 116 downloads
httpxrequesterv2 – 128 downloads
httpxrequester – 134 downloads

The malicious packages uploaded onto PyPI (Fortinet)

The vast majority of these downloads occurred in the first couple of days after the packages were uploaded, which gives the threat actors an incentive to re-upload the same code to PyPI under new package names, and from a new account, once they are banned.

Hiding a password-stealer

Security researchers at Fortinet discovered the packages and found that when they are installed, they attempt to steal passwords saved in browsers, cookies, and cryptocurrency wallets.

While Fortinet did not identify the type of information-stealing malware, BleepingComputer identified the malware as W4SP Stealer, which has become heavily abused in packages on PyPI.

The malware first steals data from web browsers, such as Google Chrome, Opera, Brave Browser, Yandex Browser, and Microsoft Edge.

It then attempts to steal authentication cookies from Discord, Discord PTB, Discord Canary, and the LightCord client.

Finally, the malware will attempt to steal the Atomic Wallet and Exodus cryptocurrency wallets and cookies for The Nations Glory online game, as shown below.

The GatherAll function (Fortinet)

Additionally, the malware targets a list of websites, attempting to retrieve sensitive user information that would help its operator steal accounts.

List of sites targeted by the malware (Fortinet)

Some of the targeted sites include:

Coinbase.com
Gmail.com
YouTube.com
Instagram.com
PayPal.com
Telegram.com
Hotmail.com
Outlook.com
Aliexpress.com
ExpressVPN.com
eBay.com
Playstation.com
xbox.com
Netflix.com
Uber.com

After gathering all the data it finds on the compromised machine, the malware uses its ‘upload’ function to exfiltrate the stolen data through a Discord webhook, which posts it to the threat actor's server.

Discord webhooks allow users to send messages containing files to a Discord server and are commonly abused to steal files, Discord tokens, and other information.

Snippet of code of the upload function (Fortinet)

Fortinet also noticed the presence of functions that check files for specific keywords and, if found, attempt to steal them using the "transfer.sh" file transfer service. The keywords relate to banking, passwords, PayPal, cryptocurrency, and multi-factor authentication files.

Of particular interest is that some of the keywords are in French, indicating that the threat actor may be from France.

The complete list of keywords targeted for data theft is shown below:

Function that checks for specific keywords (Fortinet)

As package repositories such as PyPI and npm are now commonly used to distribute malware, developers must review the code in packages before adding them to their projects.

If any obfuscated code or unusual behavior is present in the downloaded package, it should not be used and instead reported on the repository.
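A pre-install check in the spirit of that advice, added here as an example (it is not Fortinet's or BleepingComputer's code): it scans a package's source files for the traits the article attributes to W4SP Stealer, namely Discord webhook exfiltration, transfer.sh uploads, reads of browser, Discord and wallet data stores, and exec() of a decoded blob. The path fragments for the Discord and wallet stores, the rule names, and the constructed sample setup.py are assumptions, not values from the article.

```python
# Pre-install static scan for the W4SP-style traits named in the article.
# Added example (not Fortinet's or BleepingComputer's code); heuristic only:
# a hit means "open the file and read it", not "malicious".
import re
from pathlib import Path
# (rule, pattern). Discord/wallet store path fragments are assumed, not from the article.
RULES = [
    ("discord_webhook", re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I)),
    ("transfer_sh", re.compile(r"transfer\.sh", re.I)),
    ("browser_login_db", re.compile(r"Login Data|Local State", re.I)),
    ("discord_token_store", re.compile(r"discord(?:ptb|canary)?[\\/]+Local Storage[\\/]+leveldb", re.I)),
    ("crypto_wallet", re.compile(r"atomic[\\/]+Local Storage|exodus\.wallet", re.I)),
    ("exec_decoded_blob", re.compile(r"exec\s*\(.*(?:b64decode|zlib\.decompress|marshal\.loads)")),
]
EXFIL = {"discord_webhook", "transfer_sh"}
COLLECT_OR_HIDE = {rule for rule, _ in RULES} - EXFIL

def scan_text(text, origin="<text>"):
    """Return (origin, rule, line_no) for every rule that matches a line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits.extend((origin, rule, line_no) for rule, pat in RULES if pat.search(line))
    return hits

def scan_package_dir(root):
    """Scan every .py file of an unpacked sdist or wheel, setup.py included."""
    hits = []
    for path in sorted(Path(root).rglob("*.py")):
        hits.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return hits

def verdict(hits):
    """An exfiltration channel plus data access or obfuscation is the stealer shape."""
    rules = {rule for _, rule, _ in hits}
    if rules & EXFIL and rules & COLLECT_OR_HIDE:
        return "do not install; report to the repository"
    return "review by hand" if rules else "no indicators"

# Constructed sample of a suspicious setup.py (placeholder webhook, harmless blob).
SAMPLE_SETUP_PY = (
    'import os, requests\n'
    'HOOK = "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER"\n'
    'TARGETS = ["Login Data", "Local State"]\n'
    'exec(__import__("base64").b64decode("aW1wb3J0IG9z"))  # decodes to "import os"\n'
)
CLEAN_SETUP_PY = "from setuptools import setup\nsetup(name='demo', version='1.0')\n"

if __name__ == "__main__":
    for name, src in (("suspicious", SAMPLE_SETUP_PY), ("clean", CLEAN_SETUP_PY)):
        print(name, verdict(scan_text(src, name)))
```

Run `scan_package_dir` on the directory left by `pip download --no-deps --no-binary :all: <package>` followed by `tar xf`, so the code is inspected before anything in it executes.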
