Ethical Hacking News Hubb
Advertisement Banner
  • Home
  • News
  • Ethical Hackers
  • Contact
No Result
View All Result
  • Home
  • News
  • Ethical Hackers
  • Contact
No Result
View All Result
Wellnessnewshubb
No Result
View All Result
Home Ethical Hackers

W4SP Stealer Discovered in Multiple PyPI Packages Under Various Names

admin by admin
December 24, 2022
in Ethical Hackers


Dec 24, 2022Ravie LakshmananSoftware Security / Supply Chain

Threat actors have published yet another round of malicious packages to Python Package Index (PyPI) with the goal of delivering information-stealing malware on compromised developer machines.

Interestingly, while the malware goes by a variety of names like ANGEL Stealer, Celestial Stealer, Fade Stealer, Leaf $tealer, PURE Stealer, Satan Stealer, and @skid Stealer, cybersecurity company Phylum found them all to be copies of W4SP Stealer.

W4SP Stealer primarily functions to siphon user data, including credentials, cryptocurrency wallets, Discord tokens, and other files of interest. It’s created and published by an actor who goes by the aliases BillyV3, BillyTheGoat, and billythegoat356.

“For some reason, each deployment appears to have simply tried to do a find/replace of the W4SP references in exchange for some other seemingly arbitrary name,” the researchers said in a report published earlier this week.

CyberSecurity

The 16 rogue modules are as follows: modulesecurity, informmodule, chazz, randomtime, proxygeneratorbil, easycordey, easycordeyy, tomproxies, sys-ej, py4sync, infosys, sysuptoer, nowsys, upamonkws, captchaboy, and proxybooster.

The campaign distributing W4SP Stealer gained traction around October 2022, although indications are that it may have started as far back as August 25, 2022. Since then dozens of additional bogus packages containing W4SP Stealer have been published on PyPI by the persistent threat actors.

The latest iteration of the activity, for what it’s worth, makes no obvious to hide its nefarious intentions, except in the case of chazz, which leverages the package to download obfuscated Leaf $tealer malware hosted on the klgrth[.]io paste service.

It’s worth noting that previous versions of the attack chains have also been spotted fetching next-stage Python code directly from a public GitHub repository that then drops the credential stealer.

The surge in new copycat variants dovetails with GitHub’s takedown of the repository that held the original W4SP Stealer source code, indicating that cybercriminals likely not affiliated with the operation are also weaponizing the malware to attack PyPI users.

“Open-source ecosystems such as PyPI, NPM, and the like are huge easy targets for these kinds of actors to try and deploy this kind of malware on,” the researchers said. Their attempts will only become more frequent, more persistent, and most sophisticated.”

The software supply chain security firm, which kept tabs on the threat actor’s Discord channel, further noted that a previously flagged package under the name of pystyle was trojanized by BillyTheGoat to distribute the stealer.

The module has not only racked by thousands of downloads each month, but also started off as an innocuous utility in September 2021 to help users style console output. The malicious modifications were introduced in versions 2.1 and 2.2 released on October 28, 2022.

These two versions, which were live on PyPI for about an hour before they were pulled, are alleged to have gotten 400 downloads, BillyTheGoat told Phylum in an “unsolicited correspondence.”

“Just because a package is benign today and has shown a history of being benign for years does not mean it will remain this way,” the researchers cautioned. “Threat actors have shown tremendous patience in building legitimate packages, only to poison them with malware after they have become sufficiently popular.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
Previous Post

Hunting For Secrets Uploaded To Public S3 Buckets

Next Post

Tool To Automatically Exploit Active Directory Privilege Escalation Paths Shown By BloodHound

Next Post

Tool To Automatically Exploit Active Directory Privilege Escalation Paths Shown By BloodHound

Recommended

Evilgophish – Evilginx2 + Gophish

3 months ago

Twilio Reveals Another Breach from the Same Hackers Behind the August Hack

3 months ago

© 2022 Ethical Hacking News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Ethical Hackers
  • Contact

Newsletter Sign Up.

No Result
View All Result
  • Home
  • News
  • Ethical Hackers
  • Contact

© 2022 Ethical Hacking News Hubb All rights reserved.