Python Developers Beware! Russian Hackers Targeting You With Malicious Packages

A malicious Python package named “crytic-compilers” was identified on PyPI.

Masquerading as a legitimate library for intelligent contract compilation, it mimicked the name and versioning scheme of the real “crytic-compile” tool. 

The imposter package infiltrated popular development environments by appearing to offer desired functionality, as it harbored a hidden payload that stole cryptocurrency from infected systems. 

Although the package garnered 436 downloads before its takedown, which highlights the vulnerability of relying solely on open-source components without proper vetting. 

Python Developers Beware! Russian Hackers Targeting You With Malicious Packages
installing the real library (‘crytic-compile’) to avoid suspicion

A counterfeit Python library, “crytic-compilers”, is designed to exploit developers by mimicking the legitimate “crytic-compile” library, which uses similar names and aligns version numbers (0.3.8 to 0.3.11) with appearing as a newer version. 

Analyze any MaliciousURL, Files & Emails & Configuration With ANY RUN Start your Analysis

Some versions even attempt to install the actual library to deflect suspicion.

The malicious intent is revealed in version 0.3.11, which targets Windows systems and executes a hidden program (s.exe). 

The strategy leverages the popularity of “crytic-compile” (170,000 monthly downloads, 141 GitHub stars) to infiltrate unsuspecting projects in the cryptocurrency development community. 

 illicit component's 0.3.11 version
 illicit component’s 0.3.11 version

Lumma, a Russia-linked C2 trojan, targets Windows users by stealing crypto wallets and browser passwords. ]

The malware, disguised as an executable file (s.exe), uses anti-detection techniques to avoid being caught. 

It connects to a list of domains (IOCs) with active “/api” endpoints, most likely Lumma C2 servers, registered on Namecheap and secured by Cloudflare, making takedown attempts more challenging. 

According to SonaType, geo-blocking also prevents users from accessing these domains from restricted regions.   

Verification Captcha
Verification Captcha

Lumma Stealer, a C-based Windows trojan targeting cryptocurrency wallets and browser extensions, has been distributed through various channels since at least 2022. 

Primarily offered as Malware-as-a-Service on Russian dark web forums, Lumma has reappeared in trojanized apps, phishing emails, and pirated games with cheats. 

Most recently, drive-by downloads on compromised websites disguised as fake browser updates have been used to deliver Lumma stealers. 

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo

The post Python Developers Beware! Russian Hackers Targeting You With Malicious Packages appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

Go to Source
Author: Eswar