Crypto Malware Python Packages Spreading On Stack Exchange
Recent media reports have shed light on crypto malware that is being distributed via Python packages on a developer Q&A platform, Stack Exchange. The malware, if activated, is capable of draining cryptocurrency wallets belonging to the targeted users. In this article, we’ll focus on how the code works, the malicious packages involved, and more. Let’s begin!
Python Packages Crypto Malware Uncovered
Attack campaigns pertaining to this crypto malware began on June 25, 2024. So far the attacks appear to be targeted, singling out cryptocurrency users involved with Solana and Raydium.
The crypto malware was distributed to users actively involved with these currencies via multiple Python packages that were collectively downloaded over 2,000 times. The names of these packages, along with their download counts, are:
| Python Package | Number of Downloads |
|---|---|
| raydium | 762 |
| raydium-sdk | 137 |
| sol-instruct | 115 |
| sol-structs | 292 |
| spl-types | 776 |
In terms of capability, the crypto malware delivered through these malicious Python packages functioned as a complete information stealer.
It could harvest cookies, credit card details, web browser passwords, and crypto wallets accessible on the compromised device. In addition, it could access data belonging to messaging apps such as Session, Telegram, and Signal.
The crypto malware could also capture screenshots and search for files. The information it gathered was compressed and sent to two different bots the threat actor maintained on Telegram.
Compounding the impact, the information stealer also carried a backdoor component, which the threat actors used to maintain persistence and ensure long-term compromise of the targeted devices.
Crypto Malware Code Functionality And Attack Chain
The attack chain for the crypto malware was divided into multiple stages. Throughout these stages, the “raydium” package listing and the “spl-types” package were used to conceal the malicious behavior and lend the packages a legitimate appearance. The threat actors used Stack Exchange, a developer Q&A platform, to drive downloads.
On the platform they posted answers to questions, instructing developers on performing swap transactions in Raydium using Python. A high-visibility thread was deliberately chosen for this, as it allowed the threat actors to maximize their reach and target more users.
Once a malicious package was installed, its code executed automatically and then followed a preconfigured chain of events: compromising and controlling the victim’s device, exfiltrating data, and draining the crypto wallets. It is worth mentioning here that this is not the first time such tactics have been used.
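As an added illustration (not code from the article or from any package it names), the following scanner flags the install-time hooks that let a package run code the moment it is installed. It assumes the usual setup.py mechanism, which the article does not spell out, and runs against a constructed sample rather than any real package.

```python
"""Flag install-time execution hooks in a package's setup.py (added example,
not the article's code; assumes the install-time execution the article
describes is the usual setup.py mechanism, which pip runs on sdist install)."""
import ast
# setuptools command classes a dropper subclasses to run code on 'pip install'.
COMMANDS = {"install", "develop", "egg_info", "build_py"}
# Calls that rarely belong in setup.py: code execution, decoding, network, shell.
SUSPICIOUS_CALLS = {"exec", "eval", "base64.b64decode", "zlib.decompress",
                    "urllib.request.urlopen", "requests.get", "os.system"}

def _call_name(node: ast.Call) -> str:
    # Render the dotted target of a call, e.g. 'base64.b64decode'.
    parts, target = [], node.func
    while isinstance(target, ast.Attribute):
        parts.append(target.attr)
        target = target.value
    if isinstance(target, ast.Name):
        parts.append(target.id)
    return ".".join(reversed(parts))

def scan_setup_py(source: str) -> list:
    """Return (line, description) findings for one setup.py source, sorted."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = base.id if isinstance(base, ast.Name) else getattr(base, "attr", "")
                if name in COMMANDS:
                    findings.append((node.lineno, f"class {node.name} overrides command '{name}'"))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"suspicious call {name}()"))
            if any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append((node.lineno, "setup() registers custom cmdclass hooks"))
    return sorted(findings)

# Constructed sample shaped like a post-install dropper; its payload only prints.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import base64
class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("cHJpbnQoJ3gnKQ=="))
setup(name="example-pkg", version="0.1", cmdclass={"install": PostInstall})
'''
if __name__ == "__main__":
    print(*scan_setup_py(SAMPLE_SETUP_PY), sep="\n")
```

The scanner only parses the file; it never imports or executes it, so it is safe to point at an unpacked sdist before installing.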
In May 2024, another Python package named pytoileur was distributed through a different Q&A platform, Stack Overflow, also with crypto theft as its aim. Such patterns indicate that attackers are exploiting the trust within community-driven platforms to carry out their malicious intent.
Conclusion
This alarming campaign emphasizes the growing threat of crypto malware targeting developers through trusted platforms like Stack Exchange. By leveraging Python packages, attackers are able to stealthily exfiltrate sensitive data and drain cryptocurrency wallets. Vigilance and robust security measures are now crucial to safeguard against these sophisticated attacks.
The sources for this piece include articles in The Hacker News and Tech Xpert.