Attackers leverage malicious python packages to spread W4SP Stealer

November 29, 2022 - TuxCare PR Team

Security researchers from Checkmarx have uncovered an ongoing supply chain attack that involves spreading the malware identified as W4SP Stealer.

W4SP Stealer is a discord malware that grabs all the Discord accounts, passwords, crypto wallets, credit cards and other data on a victim’s PC and then sends them back to the attacker.

W4SP Stealer is currently sold for $20 and interested buyers can pay with crypto or gift cards. The maker of WASP claims it is entirely undetectable and is “protected by some awesome obfuscation.”

The attackers leverage malicious Python packages to distribute the malware. Checkmarx claimed hundreds of users are already victims of the malware. Checkmarx’s report therefore buttress findings from Phylum and Check Point which saw them flag 30 different modules published on the Python Package Index (PyPI). These modules were specifically designed to propagate malicious code under the guise of benign-looking packages.

According to researchers at Checkmarx, the threat actor behind the attacks is “WASP.” The attacker use polymorphic malware, reboot persistent and stenography to hide code inside packages, building a fake GitHub reputation in the process.

Polymorphic code uses a polymorphic engine to mutate while keeping the original algorithm intact. This means that the code changes itself every time it runs although the function of the code remains the same. The technique is used by computer viruses, shellcodes and computer worms to hide their presence.

After installing the malicious package, the setup.py script is executed, and additional Python packages are installed. The setup.pyscript downloads a .PNG image and saves it in the operating system’s temp directory. The setup.py script then uses the “Isb.reveal” function located in the malicious “judyb” package to extract a hidden code from the image downloaded.

The sources for this piece include an article in TheHackerNews.

Summary