In another sign that threat actors are always looking for new ways to trick users into downloading malware, it has emerged that a question-and-answer (Q&A) platform called Stack Exchange has been misused to steer unsuspecting developers toward bogus Python packages capable of draining their cryptocurrency wallets.
“Upon installation, this code will automatically execute, triggering a chain of events designed to compromise and take control of the victims’ systems, while their data will also be exfiltrated and their crypto wallets drained,” Checkmarx researchers Yehuda Gelb and Tzachi Zornstein said in a report shared with The Hacker News.
The campaign, which began on June 25, 2024, specifically targeted cryptocurrency users involved with Raydium and Solana. Below is the list of rogue packages exposed as part of the activity –
The packages have been downloaded a total of 2,082 times. They are no longer available for download from the Python Package Index (PyPI) repository.
The malware hidden inside the packages served as a full-fledged information stealer, casting a wide net for data such as web browser passwords, cookies, and credit card details, as well as information associated with cryptocurrency wallets and messaging apps like Telegram, Signal, and Session.
It also came with capabilities to take system screenshots and find files containing GitHub recovery codes and BitLocker keys. The collected information was then compressed and exfiltrated to two different Telegram bots operated by the threat actor.
Separately, a backdoor component in the malware gave the attacker continuous remote access to victims’ machines, allowing for potential future exploits and long-term compromise.
The attack chain consists of several steps, including listing “spl-types” as a dependency of the “raydium” package in an attempt to hide the malicious behavior and give users the impression that the package is legitimate.
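The dependency trick described above only works if a reviewer looks at the package they were told to install and not at what it pulls in. The following script, added here as an illustration and not code from Checkmarx or from the packages involved, shows a defender-side triage of that pattern: it parses a source distribution's `setup.py` with the `ast` module (never executing it), records the declared `install_requires`, flags `cmdclass` overrides of install-time commands, and lists risky calls, then walks the declared dependencies so a hook buried in a transitive dependency surfaces in the same report. The two `setup.py` sources and the package index are constructed samples that reuse the page's package names; the function names and the `<placeholder-payload>` string are assumptions made for the example.

```python
import ast
from typing import Optional

# Constructed sample setup.py sources for illustration only; they are NOT the
# real packages' code. "raydium" looks harmless and merely pulls in "spl-types".
RAYDIUM_SETUP = '''
from setuptools import setup
setup(
    name="raydium",
    version="0.1.0",
    install_requires=["spl-types", "requests"],
)
'''

# The dependency is where the install-time hook lives (constructed example;
# the payload is a placeholder string, not real code).
SPL_TYPES_SETUP = '''
import base64
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("<placeholder-payload>"))

setup(
    name="spl-types",
    version="0.1.0",
    cmdclass={"install": PostInstall},
)
'''

# setuptools commands that run during `pip install` of an sdist; overriding
# them is the classic way to get code executed at install time.
HOOK_COMMANDS = {"install", "develop", "egg_info", "build_py"}
# Calls that have no business in package metadata and deserve a human look.
SUSPICIOUS_CALLS = {"exec", "eval", "system", "Popen", "urlopen", "b64decode"}


def _callee_name(func: ast.expr) -> Optional[str]:
    """Bare name of a called function: exec(...) -> 'exec', os.system(...) -> 'system'."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _string_list(node: ast.expr) -> list:
    """String constants from a list/tuple literal; non-literal entries are skipped."""
    if isinstance(node, (ast.List, ast.Tuple)):
        return [e.value for e in node.elts
                if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    return []


def analyze_setup_py(source: str) -> dict:
    """Statically triage one setup.py: declared deps, overridden install
    commands, and suspicious calls. The file is parsed, never executed."""
    tree = ast.parse(source)
    findings = {"install_requires": [], "overridden_commands": [], "suspicious_calls": []}
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node.func)
        if name == "setup":
            for kw in node.keywords:
                if kw.arg == "install_requires":
                    findings["install_requires"] = _string_list(kw.value)
                elif kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    for key in kw.value.keys:  # keys may be None for ** unpacking
                        if isinstance(key, ast.Constant) and key.value in HOOK_COMMANDS:
                            findings["overridden_commands"].append(key.value)
        elif name in SUSPICIOUS_CALLS:
            findings["suspicious_calls"].append(f"{name}:L{node.lineno}")
    return findings


def transitive_dependencies(root: str, index: dict) -> list:
    """Breadth-first walk over install_requires using an offline index of
    package name -> setup.py source. Returns root plus everything it pulls in."""
    seen, queue = [], [root]
    while queue:
        pkg = queue.pop(0)
        if pkg in seen:
            continue
        seen.append(pkg)
        if pkg in index:  # packages missing from the index are listed but not expanded
            queue.extend(analyze_setup_py(index[pkg])["install_requires"])
    return seen


def triage_install(root: str, index: dict) -> dict:
    """Findings for every package in the install closure, so a hook hidden in a
    dependency is reported next to the package the developer actually asked for."""
    return {pkg: analyze_setup_py(index[pkg])
            for pkg in transitive_dependencies(root, index) if pkg in index}


# Constructed stand-in for a package index lookup.
INDEX = {"raydium": RAYDIUM_SETUP, "spl-types": SPL_TYPES_SETUP}

if __name__ == "__main__":
    for pkg, f in triage_install("raydium", INDEX).items():
        flag = "REVIEW" if f["overridden_commands"] or f["suspicious_calls"] else "ok"
        print(f"{pkg:10} {flag:7} deps={f['install_requires']} "
              f"cmdclass={f['overridden_commands']} calls={f['suspicious_calls']}")
```

Run against the constructed index, the top-level “raydium” entry comes back clean while “spl-types” is flagged for overriding `install` and for an `exec` of a `b64decode` result, which is exactly the signal a reviewer who stopped at the first package would have missed. On real sdists the index lookup would be replaced by unpacking the archives pip downloaded with `--no-install`; the analysis itself stays a parse of text, so nothing from the package runs during triage.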
A notable aspect of the campaign is the use of Stack Exchange as an adoption vector: the attacker posted ostensibly helpful answers referencing the package in question under developer questions about performing swap transactions on Raydium using Python.
“By choosing a thread with high visibility — getting thousands of views — the attacker maximized his potential reach,” the researchers said. “This was done to make sure the package would gain credibility and widespread adoption.”
While the answer is no longer on Stack Exchange, The Hacker News found a reference to “raydium” in another unanswered question posted on the Q&A site on July 9, 2024: “I’ve been struggling for nights to get a swap on the Solana network running with Python 3.10.2. I installed solana, solders and raydium but I can’t get it working,” one user said.
There are also references to “raydium-sdk” in a post titled “How to Buy and Sell Tokens on Raydium Using Python: A Step-by-Step Solana Guide” shared by a user named Solanascribe on June 29, 2024, on the social publishing platform Medium.
It is currently unclear when the packages were removed from PyPI, as two other users replied to the Medium post as recently as July 27, 2024, asking the author for help installing “raydium-sdk”. Checkmarx told The Hacker News that the post was not the work of the threat actor.
This is not the first time bad actors have resorted to such a method of distributing malware. Earlier this May, Sonatype revealed how a package called pytoileur was advertised on another Q&A service, Stack Overflow, to facilitate cryptocurrency theft.
If anything, the development is evidence that attackers are leveraging the trust placed in these community-driven platforms to push malware, paving the way for large-scale supply chain attacks.
“A single compromised developer can inadvertently introduce vulnerabilities into an entire company’s software ecosystem, potentially affecting the entire corporate network,” the researchers said. “This attack serves as a wake-up call for both individuals and organizations to reevaluate their security strategies.”
The development comes as Fortinet FortiGuard Labs described a malicious PyPI package called zlibxjson that packs features to steal sensitive information, such as Discord tokens, cookies stored in Google Chrome, Mozilla Firefox, Brave, and Opera, and browser passwords. The library attracted 602 downloads before it was removed from PyPI.
“These actions can lead to unauthorized access to user accounts and the exfiltration of personal data, clearly classifying the software as malicious,” security researcher Jenna Wang said.