Supply-Chain Attack Strikes The Largest Discord Bot Community Top.gg

by | Mar 26, 2024 | News


The Top.gg Discord bot community, boasting over 170,000 members, finds itself reeling from the aftermath of a supply-chain attack, aimed at infiltrating developers with malware designed to steal sensitive information.

Perpetrated by a threat actor employing a spectrum of tactics, techniques, and procedures (TTPs), this campaign has been a culmination of years-long efforts, including the hijacking of GitHub accounts, the distribution of malicious Python packages, the establishment of a fake Python infrastructure, and intricate social engineering endeavors.

One of the latest casualties of this assailant’s onslaught is Top.gg, a prominent search-and-discovery platform catering to Discord servers, bots, and assorted social utilities, primarily tailored for gaming communities, enhancing engagement, and refining functionality.

The campaign came to light courtesy of Checkmarx researchers, who uncovered a meticulously orchestrated scheme, with the primary objective likely being data theft and subsequent monetization through the sale of pilfered information.

Hijacking top.gg

Initiating their activity as far back as November 2022, the attacker commenced by uploading malevolent packages onto the Python Package Index (PyPI). Over subsequent years, the malevolent payload expanded, masquerading as popular open-source tools with alluring descriptions designed to elevate their prominence in search engine results.


March 2024 saw the introduction of “yocolor,” the latest package in the malicious arsenal.

Packages used in the campaign (Checkmarx)

In early 2024, the assailants erected a counterfeit Python package mirror at “files[.]pypihosted[.]org,” a blatant typosquatting ploy mimicking the authentic “files.pythonhosted.org,” the repository for PyPI package artifacts. This deceptive mirror served as a conduit for hosting tainted versions of legitimate packages, such as a tampered iteration of the widely-used “colorama” package, deceiving unsuspecting users and development systems into inadvertently sourcing from this malevolent source.

The malevolent packages disseminated via PyPI served as the initial vector for compromising systems. Upon successful compromise or the hijacking of privileged GitHub accounts, the attackers manipulated project files to reference dependencies hosted on the counterfeit mirror.

Checkmarx underscores a notable incident from March wherein the attackers compromised the account of a top.gg maintainer, “editor-syntax,” wielding substantial write access privileges to the platform’s GitHub repositories. 

Discussion on Discord about the hacked account (Checkmarx)

The attacker utilized this compromised account to push malicious commits to Top.gg’s python-sdk repository, adding a dependency on the tainted version of “colorama,” and also used it to host additional malicious repositories, thereby bolstering their visibility and credibility.

Malicious commit modifying the requirements.txt file (Checkmarx)
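The malicious commit described above works because pip will happily fetch a dependency from whatever host a requirements file names. As an added defender-side example (not code from the article, Checkmarx or Top.gg), the script below audits a requirements.txt and reports every dependency that would be fetched from a host other than PyPI's own; the trusted-host allowlist, the handled option set and the sample file are assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts that normal PyPI resolution should contact. Assumption: extend this with
# your organisation's approved index or proxy; anything else is reported.
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# pip options that redirect resolution to another index or file location.
URL_OPTIONS = {"--index-url", "-i", "--extra-index-url", "--find-links", "-f"}

def _extract_urls(line: str) -> list:
    """Return every URL pip would contact because of this requirements line."""
    line = line.split("#", 1)[0].strip()          # drop comments and whitespace
    if not line:
        return []
    # Option lines: "--extra-index-url https://..." or "-i=https://..."
    opt = re.match(r"^(-[\w-]+)[=\s]+(\S+)", line)
    if opt:
        return [opt.group(2)] if opt.group(1) in URL_OPTIONS else []
    # Direct references (PEP 508): "colorama @ https://host/path.tar.gz"
    ref = re.match(r"^[A-Za-z0-9_.\-\[\]]+\s*@\s*(\S+)", line)
    return [ref.group(1)] if ref else []

def find_untrusted_sources(requirements_text: str) -> list:
    """Return (line_no, host, line) for each URL whose host is not trusted.

    A lookalike such as files.pypihosted.org is caught because only an exact
    allowlist match is accepted; git+https direct references are flagged too.
    """
    findings = []
    for no, raw in enumerate(requirements_text.splitlines(), 1):
        for url in _extract_urls(raw):
            host = (urlparse(url).hostname or "").lower()
            if host not in TRUSTED_HOSTS:
                findings.append((no, host, raw.strip()))
    return findings

# Constructed sample: one clean pin, one direct reference to the lookalike mirror
# (the path below is made up), and one option pointing at the real PyPI host.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
# pulled from the typosquatted mirror, not PyPI
colorama @ https://files.pypihosted.org/packages/example/colorama.tar.gz
--extra-index-url https://files.pythonhosted.org/simple
"""

if __name__ == "__main__":
    for no, host, line in find_untrusted_sources(SAMPLE_REQUIREMENTS):
        print(f"line {no}: untrusted host {host!r}: {line}")
```

Running this as a pre-commit or CI check on every requirements change turns a typosquatted host into a failed build rather than an installed stealer.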

Upon execution of the malicious Python code, it triggers the subsequent phase by fetching a small loader or dropper script from a remote server, serving as the conduit for acquiring the final payload in encrypted form.

Establishing persistence on the compromised machine, the malware modifies the Windows Registry to persist between reboots.

Registry modification for persistence (Checkmarx)

The data exfiltration capabilities of the malware are multifaceted, targeting various facets of sensitive information, including:
  • browser data,
  • Discord tokens,
  • cryptocurrency wallets,
  • Telegram session data,
  • Instagram session tokens,
  • keystrokes.

It uses anonymous file-sharing services (e.g., GoFile, Anonfiles) and unique identifiers (hardware ID, IP address) in HTTP requests to track and upload stolen data to the attacker’s server.

Attack overview (Checkmarx)

All pilfered data is relayed to the command and control server via HTTP requests, bearing unique hardware-based identifiers or IP addresses, concurrently being uploaded to file-hosting services like Anonfiles and GoFile.

While the exact scope of user impact remains undisclosed, the revelation from Checkmarx underscores the vulnerabilities inherent in the open-source supply chain, underscoring the imperative for developers to meticulously scrutinize the security integrity of their building blocks.

Source: bleepingcomputer.com