Cybercriminals Exploit Stack Overflow to Spread Malicious PyPi Package

May 30, 2024 | News





Cybercriminals are leveraging Stack Overflow to promote a malicious PyPi package named ‘pytoileur,’ which installs Windows information-stealing malware. Discovered by Sonatype researcher Ax Sharma, the package is part of the ‘Cool package’ campaign, which has previously targeted Windows users.

Malicious pytoileur PyPi package
Source: Sonatype

The threat actors create accounts on Stack Overflow to answer questions, directing users to install this malicious package as a solution to their coding issues.

Stack Overflow answer promoting malicious PyPi package
Source: BleepingComputer


Package Details and Distribution Method

The ‘pytoileur’ package, uploaded to the PyPi repository, is presented as an API management tool. However, its ‘setup.py’ file contains a hidden base64-encoded command that, when the package is installed, downloads and executes a malware-laden executable named ‘runtime.exe.’ This executable is a Python program packaged as a Windows .exe file and designed to steal cookies, passwords, browser history, credit card information, and more from web browsers. The stolen data is sent back to the attackers, who can then sell it on dark web markets or use it for further breaches.

Obfuscated command to execute in setup.py
Source: BleepingComputer


Deobfuscated Base64-encoded command
Source: BleepingComputer

Exploiting Stack Overflow Trust

This approach of using Stack Overflow to spread malware is particularly insidious because it exploits the platform’s trust and authority. Developers routinely turn to Stack Overflow for help with coding problems, which makes it an attractive channel for cybercriminals to disseminate malicious software. The Stack Overflow account ‘EstAYA G’ was identified as promoting the ‘pytoileur’ package by answering questions with recommendations to use this malicious tool.




Precautionary Measures for Developers

Developers are advised to:

  • Verify Sources: Confirm the authenticity of a package (its maintainer, repository, and publication history) before integrating it into a project.
  • Inspect Code: Review the code, especially ‘setup.py’ and anything that runs at install time, for unusual or obfuscated commands such as base64-encoded strings, even if the source seems trustworthy.
  • Enable Word Wrap: When examining code, enable word wrap in your IDE or text editor; a hidden command can be pushed off-screen by long runs of spaces so that it never appears in a normal editor view.
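As an added defensive illustration (not code from the article, Sonatype, or BleepingComputer), the small scanner below applies the two inspection checks above to a setup.py: it flags lines whose code is pushed far to the right by whitespace padding, and it decodes base64-looking strings and reports any that contain download-or-execute keywords. The sample file, the keyword list, and the padding threshold are constructed assumptions; the script only decodes and inspects strings and never executes them.

```python
import base64
import binascii
import re
from typing import List

# Assumption: keywords that, inside a decoded base64 string, suggest a
# download-and-execute stage like the one hidden in pytoileur's setup.py.
SUSPICIOUS_TOKENS = ("exec(", "eval(", "subprocess", "urllib", "requests.",
                     "os.system", "http://", "https://", ".exe")
# Assumption: code indented this far is probably being hidden off-screen
# from anyone reading without word wrap enabled.
PAD_THRESHOLD = 120
# Runs of 24+ base64 alphabet characters, optionally followed by '=' padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_base64_strings(text: str) -> List[str]:
    """Return the UTF-8 decodings of every valid base64 run found in text."""
    decoded = []
    for match in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            decoded.append(raw.decode("utf-8"))
        except (binascii.Error, ValueError):
            continue  # not real base64, or decodes to binary: skip it
    return decoded


def scan_setup_py(source: str) -> List[str]:
    """Return one finding per suspicious line; an empty list means clean."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.lstrip()
        padding = len(line) - len(code)
        if code and padding >= PAD_THRESHOLD:
            findings.append(f"line {lineno}: code hidden behind {padding} spaces of padding")
        for text in decode_base64_strings(line):
            hits = [t for t in SUSPICIOUS_TOKENS if t in text]
            if hits:
                findings.append(f"line {lineno}: base64 string decodes to code using {', '.join(hits)}")
    return findings


# Constructed sample modelled on the pattern described above: a harmless
# payload (it only echoes a word) is base64-encoded and pushed off-screen.
SAMPLE_PAYLOAD = 'import subprocess; subprocess.run(["echo", "sample"])'
SAMPLE_SETUP = (
    "from setuptools import setup\n"
    "setup(name='demo', version='0.1')\n"
    + " " * 200
    + "exec(base64.b64decode('"
    + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    + "'))\n"
)


def demo_findings() -> List[str]:
    """Scan the constructed sample; expect a padding and a base64 finding."""
    return scan_setup_py(SAMPLE_SETUP)
```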


Source: bleepingcomputer.com
