Malware News Cybercriminals pose as "helpful" Stack Overflow users to push malware

nicolaasjan

nicolaasjan

Level 4
Thread author
Verified
Well-known
May 29, 2023
180
Content source
https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-helpful-stack-overflow-users-to-push-malware/
Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware—answering users' questions by promoting a malicious PyPi package that installs Windows information-stealing malware.
Sonatype researcher Ax Sharma (and a writer at BleepingComputer) discovered this new PyPi package is part of a previously known 'Cool package' campaign, named after a string in the package's metadata, that targeted Windows users last year.
This PyPi package is named 'pytoileur' and was uploaded by threat actors to the PyPi repository over the weekend, claiming it was an API management tool. Notice how the package has the "Cool package" string in the Summary metadata field, indicating it is part of this ongoing campaign.

Malicious packages like this are usually promoted using names similar to other popular packages, a process called typo-squatting.
However, with this package, the threat actors took a more novel approach by answering questions on Stack Overflow and promoting the package as a solution.
Click to expand...

This executable is actually a Python program converted into an .exe that acts as an information-stealing malware to harvest cookies, passwords, browser history, credit cards, and other data from web browsers.
It also appears to search through documents for specific phrases and, if found, steal the data as well.
All of this information is then sent back to the attacker, who can sell it on dark web markets or use it to breach further accounts owned by the victim.
Click to expand...

At the moment the malicious package is still available on PyPi...
 
  • Hundred Points
  • +Reputation
Reactions: Gandalf_The_Grey and silversurfer
nicolaasjan

nicolaasjan

Level 4
Thread author
Verified
Well-known
May 29, 2023
180
Package is now gone.:)

https://pypi.org/project/pytoileur/

Error code 404

I managed to download it from pypi.org before it was taken down.
Here is the VirusTotal report of the downloaded 23.17MB executable (URL retrieved from the Base64 encoded part of setup.py in the Python package).
 
Last edited:
  • Like
Reactions: Allego

Similar threads

[correlate]
    • Like
    • Thanks
Malware News 116 Malware Packages Found on PyPI Repository Infecting Windows and Linux Systems
Replies
0
Views
993
Security News
[correlate]
[correlate]
vtqhtr413
    • +Reputation
    • Like
Fake VMware vConnector package on PyPI targets IT pros
Replies
2
Views
1,589
News Archive
[correlate]
[correlate]
CyberTech
    • +Reputation
    • Like
Malicious NuGet packages abuse MSBuild to install malware
Replies
0
Views
547
News Archive
CyberTech
CyberTech

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top