
Crypto Malware Python Packages Spreading On Stack Exchange

by Wajahat Raja

August 12, 2024 - TuxCare expert team

Recent media reports have shed light on crypto malware that is being distributed via Python packages on a developer Q&A platform, Stack Exchange. The malware, if activated, is capable of draining cryptocurrency wallets belonging to the targeted users. In this article, we’ll focus on how the code works, the malicious packages involved, and more. Let’s begin!

Python Packages Crypto Malware Uncovered

Attack campaigns pertaining to this crypto malware were initiated on June 25, 2024. So far the attacks appear to be targeted, singling out cryptocurrency users involved with Solana and Raydium.

The crypto malware was distributed to users of these currencies via multiple Python packages that were collectively downloaded over 2,000 times. The packages, along with their download counts, are:

Python Package    Number of Downloads
raydium           762
raydium-sdk       137
sol-instruct      115
sol-structs       292
spl-types         776

In terms of capabilities, the crypto malware delivered through these malicious Python packages functioned as a complete information stealer.

It could acquire cookies, credit card details, web browser passwords, and crypto wallets accessible on the compromised device. It could also access information linked to messaging apps such as Session, Telegram, and Signal.

The crypto malware could also capture screenshots and search for files. The information it gathered was compressed and sent to two different bots the threat actor maintained on Telegram.

Adding to the severity of its impact, the information stealer also had a backdoor component. Threat actors used this component to maintain persistence and ensure long-term compromise of the targeted devices.

Crypto Malware Code Functionality And Attack Chain

The attack chain for the crypto malware was divided into multiple stages. Throughout the stages, the package listings for “raydium” and “spl-types” were used to conceal malicious behavior and give a legitimate impression. Threat actors used Stack Exchange, a developer Q&A platform, to drive downloads.

On the platform they posted answers to developer questions about performing swap transactions in Raydium using Python. During this stage, a high-visibility thread was deliberately chosen, as it allowed the threat actors to maximize their reach and target more users.

Once a malicious package was installed, the code would automatically execute. Afterward, it followed a chain of preconfigured events that included compromising and controlling the victim’s device, exfiltrating data, and draining the crypto wallets. It’s worth mentioning here that this isn’t the first time such tactics have been used.
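The mechanism behind "the code would automatically execute" is that a Python package can register its own install command in setup.py, so arbitrary code runs during pip install before anything is imported. The following is an added example written for this article, not code from TuxCare or from the packages described. It shows two checks a developer or CI job can run before installing dependencies: matching a requirements file against the package names the article reports (after PEP 503 name normalization, so spelling variants still match), and statically inspecting a setup.py for an install-time hook combined with calls such as exec or base64 decoding. The requirements text and the setup.py source are constructed samples; the blocklist names come from the article.

```python
"""Added example (not from the TuxCare article or the reported packages).

block_listed():  flag requirement lines naming one of the reported packages.
install_hooks(): flag a setup.py that wires a custom install/develop command
                 through cmdclass (code runs at `pip install` time), plus any
                 exec/eval/base64/network/process calls found in the file.
"""
import ast
import re

# Package names reported in the article.
REPORTED_PACKAGES = {"raydium", "raydium-sdk", "sol-instruct", "sol-structs", "spl-types"}


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def block_listed(requirements_text: str, blocklist=REPORTED_PACKAGES) -> list:
    """Return the requirement lines whose project name matches the blocklist."""
    block = {normalize(n) for n in blocklist}
    hits = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("-"):
            continue  # blank line or a pip option such as -r / --index-url
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)  # project name prefix
        if m and normalize(m.group(1)) in block:
            hits.append(line)
    return hits


# setuptools commands that run during installation or metadata generation.
INSTALL_COMMANDS = {"install", "develop", "egg_info", "build_py"}
# Calls that have no business in a package's build script.
SUSPICIOUS_CALLS = {"exec", "eval", "b64decode", "urlopen", "system", "Popen"}


def _callee_name(node: ast.AST) -> str:
    """Name of a called or inherited object: 'f' for f(...), 'g' for mod.g(...)."""
    if isinstance(node, ast.Name):
        return node.id
    return getattr(node, "attr", "")


def install_hooks(setup_py_source: str) -> dict:
    """Statically inspect setup.py source without executing it."""
    tree = ast.parse(setup_py_source)
    hooked, suspicious, cmdclass_used = [], set(), False
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            if any(_callee_name(b) in INSTALL_COMMANDS for b in node.bases):
                hooked.append(node.name)
        elif isinstance(node, ast.keyword) and node.arg == "cmdclass":
            cmdclass_used = True
        elif isinstance(node, ast.Call) and _callee_name(node.func) in SUSPICIOUS_CALLS:
            suspicious.add(_callee_name(node.func))
    return {
        "hooked_commands": hooked,
        "cmdclass_used": cmdclass_used,
        "suspicious_calls": sorted(suspicious),
        "runs_code_on_install": bool(hooked) and cmdclass_used,
    }


# Constructed sample inputs for the demonstration.
SAMPLE_REQUIREMENTS = """
# constructed requirements file
requests
Raydium_SDK>=0.1   # normalises to raydium-sdk
spl-types
-r other.txt
"""

SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import base64

BLOB = "CONSTRUCTED-PLACEHOLDER"  # stands in for an encoded payload

class CustomInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode(BLOB))

setup(name="example-pkg", version="0.1", cmdclass={"install": CustomInstall})
'''

if __name__ == "__main__":
    print("blocklisted requirements:", block_listed(SAMPLE_REQUIREMENTS))
    print("setup.py findings:", install_hooks(SAMPLE_SETUP_PY))
```

The AST walk never executes setup.py, which matters precisely because executing it is the attack. A match on runs_code_on_install is a reason to read the package by hand, not proof of malice: legitimate packages occasionally use custom commands, but they rarely combine one with exec or base64 decoding.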

In May 2024, another Python package named pytoileur was distributed on a different Q&A platform called Stack Overflow. The aim of these malicious actions was crypto theft as well. Such patterns indicate that attackers are manipulating the trust within community-driven platforms to carry out their malicious intent.

Conclusion

This alarming campaign emphasizes the growing threat of crypto malware targeting developers through trusted platforms like Stack Exchange. By leveraging Python packages, attackers are able to stealthily exfiltrate sensitive data and drain cryptocurrency wallets. Vigilance and robust security measures are now crucial to safeguard against these sophisticated attacks.

The sources for this piece include articles in The Hacker News and Tech Xpert.
