W4SP Stealer Stings Python Developers in Supply Chain Attack

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Attackers continue to create fake Python packages and use rudimentary obfuscation techniques in an attempt to infect developers' systems with the W4SP Stealer, a Trojan designed to steal cryptocurrency information, exfiltrate sensitive data, and collect credentials from developers' systems.

According to an advisory published this week by software supply chain firm Phylum, a threat actor has created 29 clones of popular software packages on Python Package Index (PyPI), giving them benign-sounding names or purposefully giving them names similar to legitimate packages, a practice known as typosquatting. If a developer downloads and loads the malicious packages, the setup script also installs — through a number of obfuscated steps — the W4SP Stealer Trojan. The packages have accounted for 5,700 downloads, researchers said.

While W4SP Stealer targets cryptocurrency wallets and financial accounts, the most significant objective of the current campaigns appears to be developer secrets, says Louis Lang, co-founder and CTO at Phylum.
 

upnorth
Researchers from Phylum and Check Point earlier this month reported seeing new malicious packages on PyPI, a package index for Python developers. Analysts at Checkmarx this week connected the same attacker to both reports and said the operator is still releasing malicious packages.

A Checkmarx report detailed hundreds of successful infections of the WASP info-stealer malware, and found a number of interesting features to ensure persistence in a compromised PC and to evade cybersecurity tools. "The attack seems related to cybercrime as the attacker claims that these tools are undetectable to increase sales," wrote Jossef Harush, Checkmarx's head of engineering, noting that the malware's developer claims WASP is undetectable.

PyPI, an open source repository used by developers to share Python packages used in projects, is an increasingly popular target in software supply chain attacks for uploading malicious code via fake packages. The malicious packages are given names that sound legitimate or are similar to real packages, a technique called typosquatting. Developers are therefore fooled into using booby-trapped packages that appear to be useful and legit.

Check Point noted that such packages used for attacks on open source operations – not only PyPI but also others, like NPM – usually involve three steps: malicious code to download and run a virus, carrier code for sneaking the malicious code in, and luring victims – such as through typosquatting – to install the malicious package. The community behind PyPI in August warned about the first-known phishing attack against its users. The malicious package becomes an initial infection point if a developer loads it onto their system, with other malware following – in this case, the WASP (also referred to as W4SP) info-stealing trojan.
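As an added defensive illustration (not code from the articles or vendors quoted in either post): a small check that flags requirements.txt entries sitting within one edit of a popular PyPI name, which is the typosquatting pattern both posts describe. The popular-package list and the requirements file below are constructed for the example; the 29 package names from the Phylum advisory are not enumerated on this page.

```python
import re

# Constructed allow-list of well-known PyPI names for the example; a real check
# would load the top-N project names from PyPI's published download statistics.
POPULAR_PACKAGES = {"requests", "colorama", "urllib3", "pyyaml", "numpy", "typing-extensions"}

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text: str) -> list[str]:
    """Return bare project names from requirements.txt lines; comments, blanks and options are skipped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names

def typosquat_candidates(names, popular=POPULAR_PACKAGES, max_distance=1):
    """Map each requested name to the popular name it nearly matches but is not."""
    normalized_popular = {normalize(p) for p in popular}
    findings = {}
    for name in names:
        n = normalize(name)
        if n in normalized_popular:
            continue  # exact (normalized) match: the real package, not a look-alike
        for p in normalized_popular:
            if edit_distance(n, p) <= max_distance:
                findings[name] = p
                break
    return findings

# Constructed requirements file: two entries are one character off a popular name.
REQUIREMENTS = """\
requests==2.31.0
colorma  # one letter dropped from colorama
urlib3>=1.26
numpy
typing_extensions
"""

if __name__ == "__main__":
    for bad, near in typosquat_candidates(parse_requirements(REQUIREMENTS)).items():
        print(f"suspicious: {bad!r} looks like {near!r}")
```

A distance of one catches dropped or swapped letters; raising `max_distance` widens the net at the cost of more false positives among legitimately similar short names.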