Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware: answering users' questions by promoting a malicious PyPI package that installs Windows information-stealing malware.
Sonatype researcher Ax Sharma (also a writer at BleepingComputer) discovered that this new PyPI package is part of a previously known 'Cool package' campaign, named after a string in the package's metadata, that targeted Windows users last year.
The PyPI package is named 'pytoileur' and was uploaded by threat actors to the PyPI repository over the weekend, claiming to be an API management tool. Notice how the package has the "Cool package" string in the Summary metadata field, indicating that it is part of this ongoing campaign.
Malicious packages like this are usually promoted using names similar to other popular packages, a process known as typo-squatting.
However, with this package, the threat actors took a more novel approach by answering questions on Stack Overflow and promoting the package as a solution.
As Stack Overflow is a widely used platform for developers of all skill levels to ask and answer questions, it provides an ideal environment to spread malware disguised as programming interfaces and libraries.
"We further noticed that a StackOverflow account 'EstAYA G' created roughly 2 days ago is now exploiting the platform's community members seeking debugging help [1, 2, 3] by directing them to install this malicious package as a 'solution' to their issue even though the 'solution' is unrelated to the questions posted by developers," explained Sharma in the Sonatype report.
In this case, the pytoileur package contains a 'setup.py' file that pads a base64-encoded command to execute with spaces, so it stays hidden unless you enable word wrap in your IDE or text editor.
When deobfuscated, this command downloads an executable named 'runtime.exe' [VirusTotal] from a remote site and executes it.
This executable is actually a Python program converted into an .exe that acts as information-stealing malware, harvesting cookies, passwords, browser history, credit cards, and other data from web browsers.
It also appears to search through documents for specific phrases and, if they are found, steals those files as well.
All of this information is then sent back to the attacker, who can sell it on dark web markets or use it to breach further accounts owned by the victim.
While malicious PyPI packages and information-stealers are nothing new, the cybercriminals' strategy of posing as helpful contributors on Stack Overflow is an interesting approach, as it allows them to exploit the trust and authority the site holds in the coding community.
This approach serves as a reminder of the constantly changing tactics of cybercriminals and, unfortunately, illustrates why you can never blindly trust what someone shares online.
Instead, developers must verify the source of all packages they add to their projects, and even when a package feels legitimate, check the code (with word wrap enabled) for unusual or obfuscated commands that will be executed on install.
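The whitespace-padding trick described above (a statement pushed hundreds of columns to the right so it disappears without word wrap) and the closing advice to inspect package code for obfuscated commands can both be turned into an automated check. The following is an added example written for this article, not code from the pytoileur package or from Sonatype's report: a heuristic scanner that flags lines in a setup.py that combine heavy leading whitespace, a code-execution or process-spawning call, and a decodable base64 literal, and reports what the literal decodes to. The sample setup.py is constructed and its hidden payload is a harmless print statement; the thresholds and helper names are assumptions chosen for the example.

```python
"""Heuristic scan of a setup.py for whitespace-hidden, base64-encoded commands."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample in the style the article describes: the third line is
# pushed far to the right by a run of spaces so that it sits off-screen
# unless word wrap is enabled.  The payload is a harmless print statement,
# not the downloader from the real package.
HIDDEN_PAYLOAD = base64.b64encode(b'print("constructed sample payload")').decode()
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "import base64\n"
    + " " * 300 + f"exec(base64.b64decode('{HIDDEN_PAYLOAD}'))\n"
    + "setup(name='example-pkg', version='0.0.1')\n"
)

# Thresholds are assumptions for this example; tune them for your own code review.
MIN_PADDING = 80       # leading spaces/tabs before the first visible character
MIN_B64_LENGTH = 24    # ignore short literals that merely look like base64

B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=]{%d,})['"]""" % MIN_B64_LENGTH)
SUSPICIOUS_CALLS = ("exec(", "eval(", "subprocess", "os.system", "__import__")


def try_decode(blob: str) -> Optional[str]:
    """Return the decoded text if blob is valid base64 that decodes to readable text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Accept ordinary text including line breaks and tabs; reject binary blobs.
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def scan_setup_py(source: str) -> List[Dict]:
    """Return one finding per line that shows at least two independent red flags.

    Requiring two flags keeps a plain `import base64` or a long but visible
    string literal from being reported on its own.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            continue
        padding = len(line) - len(line.lstrip(" \t"))
        reasons = []
        if padding >= MIN_PADDING:
            reasons.append(f"{padding} leading whitespace characters hide the statement")
        if any(call in stripped for call in SUSPICIOUS_CALLS):
            reasons.append("calls a code-execution or process-spawning API")
        decoded = None
        for match in B64_LITERAL.finditer(stripped):
            decoded = try_decode(match.group(1))
            if decoded is not None:
                reasons.append("contains a base64 literal that decodes to text")
                break
        if len(reasons) >= 2:
            findings.append(
                {"line": lineno, "padding": padding, "reasons": reasons, "decoded": decoded}
            )
    return findings


if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {finding['line']}: " + "; ".join(finding["reasons"]))
        if finding["decoded"] is not None:
            print("  decoded payload:", finding["decoded"])
```

Run against the constructed sample, the scanner reports only line 3, with all three reasons and the decoded print statement; the import and the `setup()` call produce no finding. In practice this belongs in the review step the article recommends: run it over the sdist's setup.py (and any module imported by it) before installing, and treat any hit as a reason to read the file with word wrap on rather than as proof of malice.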