Attackers continue to create fake Python packages and use rudimentary obfuscation techniques in an attempt to infect developers’ systems with the W4SP Stealer, a Trojan designed to steal cryptocurrency information, exfiltrate sensitive data, and collect credentials from developers’ systems.
According to an advisory published this week by software supply chain firm Phylum, a threat actor has created 29 clones of popular software packages on Python Package Index (PyPI), giving them benign-sounding names or purposefully giving them names similar to legitimate packages, a practice known as typosquatting. If a developer downloads and loads the malicious packages, the setup script also installs — through a number of obfuscated steps — the W4SP Stealer Trojan. The packages have accounted for 5,700 downloads, researchers said.
While W4SP Stealer targets cryptocurrency wallets and financial accounts, the most significant objective of the current campaigns appears to be developer secrets, says Louis Lang, co-founder and CTO at Phylum.
“It’s not unlike the email phishing campaigns we are used to seeing, only this time attackers are solely targeting developers,” he says. “Considering developers often hold access to the crown jewels, a successful attack can be devastating for an organization.”
The attacks on PyPI by the unknown actor, or group, are just the latest threats to target the software supply chain. Open source software components distributed through repository services, such as PyPI and the Node Package Manager (npm), are a popular vector of attacks, as the number of dependencies imported into software has grown dramatically. Attackers attempt to use the ecosystems to distribute malware to unwary developers’ systems, as happened in a 2020 attack on the Ruby Gems ecosystem and attacks on the Docker Hub image ecosystem. And in August, security researchers at Check Point Software Technologies found 10 PyPI packages that dropped information-stealing malware.
In this latest campaign, “these packages are a more sophisticated attempt to deliver the W4SP Stealer onto Python developer’s machines,” Phylum researchers stated in their analysis, adding: “As this is an ongoing attack with constantly changing tactics from a determined attacker, we suspect to see more malware like this popping up in the near future.”
PyPI Attack Is a “Numbers Game”
That attack takes advantage of developers who mistakenly mistype the name of a common package or use a new package without adequately vetting the source of the software. One malicious package, named “typesutil,” is just a copy of the popular Python package “datetime2,” with a few modifications.
Initially, any program that imported the malicious software would run a command to download malware during the setup phase, when Python loads dependencies. However, because PyPI implemented certain checks, the attackers started using whitespace to push the suspicious commands outside of the normal viewable range of most code editors.
“The attacker changed tactics slightly, and instead of just dumping the import in an obvious spot, it was placed waaaaay off screen, taking advantage of Python’s seldomly used semicolon to sneak the malicious code onto the same line as other legitimate code,” Phylum stated in its analysis.
While typosquatting is a low-fidelity attack with only rare successes, the effort costs attackers little compared to the potential reward, says Phylum’s Lang.
“It’s a numbers game with attackers polluting the package ecosystem with these malicious packages on a daily basis,” he says. “The unfortunate reality is that the cost to deploy one of these malicious packages is extremely low relative to the potential reward.”
A W4SP That Stings
The eventual goal of the attack is to install the “information-stealing Trojan W4SP Stealer, which enumerates the victim’s system, steals browser-stored passwords, targets cryptocurrency wallets, and searches for interesting files using keywords, such as ‘bank’ and ‘secret,'” says Lang.
“Aside from the the obvious monetary rewards of stealing cryptocurrency or banking information, some of the pilfered information could be used by the attacker to further their attack by giving access to critical infrastructure or additional developer credentials,” he says.
Phylum has made some progress in identifying the attacker and has sent reports to the companies whose infrastructure is being used.