Attackers published another round of malicious packages on the Python Package Index (PyPI) with the goal of delivering information-stealing malware to compromised developer machines.
Interestingly, the malware goes by many names, including ANGEL Stealer, Celestial Stealer, Fade Stealer, Leaf $tealer, PURE Stealer, Satan Stealer, and @skid Stealer, but cybersecurity firm Phylum found them all to be copies of W4SP Stealer.
W4SP Stealer primarily works by siphoning user data including credentials, cryptocurrency wallets, Discord tokens, and other files of interest. It is created and published by actors working under the aliases BillyV3, BillyTheGoat, and billythegoat356.
“For some reason, it seems each deployment simply tried to find/replace W4SP references in exchange for other seemingly arbitrary names,” the researchers said in a report released earlier this week.
The 16 malicious modules are modulesecurity, informmodule, chazz, randomtime, proxygeneratorbil, easycordey, easycordeyy, tomproxies, sys-ej, py4sync, infosys, sysuptoer, nowsys, upamonkws, captchaboy, proxybooster.
The campaign distributing the W4SP Stealer gained momentum around October 2022, but the findings indicate it may have started as far back as August 25, 2022, when W4SP Stealer was first published on PyPI by a persistent attacker.
The latest iteration of this activity, for what it’s worth, utilizes the klgrth[.]io paste service.
It’s worth noting that previous versions of the attack chain have also been seen fetching the next-stage Python code directly from public GitHub repositories and dropping credential stealers.
The proliferation of new copycat variants coincided with GitHub’s removal of the repository that held the source code of the original W4SP Stealer, and cybercriminals likely not involved in the original operation also weaponized it to target PyPI users.
“Open source ecosystems such as PyPI and NPM are very easy targets for these types of actors to deploy this type of malware,” the researchers said. “Their attempts will be more frequent, more persistent, and more sophisticated.”
The software supply chain security company, which has been keeping tabs on the threat actor’s Discord channel, also found a previously flagged package, pystyle, that had been trojanized by BillyTheGoat to distribute the stealer.
The module sees thousands of downloads monthly, but it launched in September 2021 as a harmless utility to help users style their console output. A malicious change was introduced in versions 2.1 and 2.2, released on October 28, 2022.
These two versions, which had been available on PyPI for about an hour before being pulled, allegedly had 400 downloads, BillyTheGoat told Phylum in an “unsolicited communication.”
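As an added example that is not part of the article or of Phylum’s tooling: a small defender-side audit that checks a requirements file and the local environment against the 16 package names listed above and the trojanized pystyle releases (2.1 and 2.2). Requirements parsing is deliberately simplified (only exact `==` pins are read as a version), and the sample requirements file is constructed for the demonstration.

```python
import re
from importlib import metadata
from typing import List, Optional

# Package names the article reports as malicious (constructed list from the page).
FLAGGED_PACKAGES = {
    "modulesecurity", "informmodule", "chazz", "randomtime",
    "proxygeneratorbil", "easycordey", "easycordeyy", "tomproxies",
    "sys-ej", "py4sync", "infosys", "sysuptoer", "nowsys",
    "upamonkws", "captchaboy", "proxybooster",
}
# A legitimate package whose specific releases were trojanized, per the article.
FLAGGED_VERSIONS = {"pystyle": {"2.1", "2.2"}}

# Name, then an optional exact "==" pin; other specifiers are treated as unpinned.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;#]+))?")


def normalize(name: str) -> str:
    """PEP 503 normalization so sys-ej, sys_ej and Sys.EJ compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


_FLAGGED_NORMALIZED = {normalize(p) for p in FLAGGED_PACKAGES}


def classify(name: str, version: Optional[str]) -> Optional[str]:
    """Return a finding string for a (name, version) pair, or None if clean."""
    n = normalize(name)
    if n in _FLAGGED_NORMALIZED:
        return f"{name}: package name is on the flagged list"
    bad = FLAGGED_VERSIONS.get(n)
    if bad and version in bad:
        return f"{name}=={version}: trojanized release"
    if bad and version is None:
        return f"{name}: unpinned; trojanized releases {sorted(bad)} exist"
    return None


def audit_requirements(text: str) -> List[str]:
    """Scan requirements.txt-style text; comments and '-r'/'--' options are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_RE.match(line)
        if m and (hit := classify(m.group(1), m.group(2))):
            findings.append(hit)
    return findings


def audit_environment() -> List[str]:
    """Scan the distributions installed in the current interpreter."""
    return [h for d in metadata.distributions()
            if (h := classify(d.metadata["Name"], d.version))]


# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = "requests==2.28.1\npystyle==2.1\nproxybooster\nSys_EJ>=1.0\npystyle\n"

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS) + audit_environment():
        print(finding)
```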
“Just because a package is harmless today and has a history of being harmless over the years doesn’t mean it stays that way,” the researchers warned. “The attackers have shown great patience in creating a legitimate package, but poisoned it with malware after it became sufficiently popular.”