Researchers at Phylum recently discovered that hackers had been injecting information stealer malware into Python developers’ machines in order to steal their information.
As they dug deeper, they discovered a new stealer variant with many different names. While apart from this, the source code of the program reveals that it is a straightforward copy of the old Stealer, W4SP.
Attack Chain to Deploy Malware
A stealer in this case dropped directly into the main.py file rather than obfuscating the code or being obvious about the attempts to escape detection.
Only one instance has been found in which multiple stages were used in order to obfuscate and obscure the attacker’s intentions. In this case, the attacker used a package called chazz to pull obfuscated code from the klgrth.io website, using a simple first stage to get it.
There is a great deal of similarity between the first stage of the stealer code and the injector code. While this has been obfuscated with BlankOBF, it’s an obfuscation program. As soon as it is de-obfuscated, it reveals the Leaf $tealer.
Malicious Packages
Listed below are packages that feature similar IOC and apart from this, what we can expect is this list will grow over the coming months and years:-
- modulesecurity – “Celestial Stealer”
- informmodule – “Leaf $tealer”
- chazz – first stage that pull from https://www.klgrth.io/paste/j2yvv/raw which contains the obfuscated code shown above
- randomtime – “ANGEL stealer”
- proxygeneratorbil – “@skid STEALER”
- easycordey – “@skid Stealer”
- easycordeyy – “@skid Stealer”
- tomproxies – “@skid STEALER”
- sys-ej – “Hyperion Obfuscated code”
- infosys – “@734 Stealer”
- sysuptoer – “BulkFA Stealer”
- nowsys – “ANGEL Stealer”
- upamonkws – “PURE Stealer”
- captchaboy – “@skid STEALER”
- proxybooster – “Fade Stealer”
W4SP Copies
W4SP’s original publication in loTus’s repository has been disabled by GitHub staff due to the violation of the T&C of GitHub, and as a result, it will be not found anymore.
It has been Phylum’s mission for some time to monitor the actions of these threat actors in an attempt to finally bring down their infrastructure, due to their persistent, pervasive, and egregious nature.
It was discovered that several copies of W4SP-Stealer started flashing under different names as soon as the repo for W4SP-Stealer was removed. This new stealer is even being distributed through PyPI by threat actors already, which is a sign that it is becoming a real threat.
It has been discovered that W4SP has been hosted in two GitHub repositories under two different aliases, each with its own purpose.
- Satan Stealer
- angel-stealer
There is a copy of the original source here, as well as the earlier versions of W4SP, hosted in an account titled aceeontop.
W4SP Stealer will likely remain part of the scene for quite some time to come, as will their imitations and other variants.
There will be a constant increase in their number of attempts, their persistence, and their sophistication as time passes. However, Phylum ensured that it would mitigate and block supply chain attacks since its platform is capable enough in doing so.