Tuesday, November 12, 2024
HomeCyber Security NewsNew Malware Hidden In PyPI Packages Attacking Windows & Linux Machines

New Malware Hidden In PyPI Packages Attacking Windows & Linux Machines

Published on

Malware protection

A PyPI malware author identified as “WS” was discovered by researchers to be covertly uploading malicious packages to PyPI that were impacting both Windows and Linux devices. 

Over time, the malware author distributes multiple information-stealing packages into the PyPI library, each with unique payload complexities. From the detected packages alone, it is predicted that there may be over 2000 victims of “WS.”

Over several months, the instance of this specific malware author has come to light, demonstrating the significant amount of destruction that has occurred.

- Advertisement - SIEM as a Service

The Python community has created the Python Package Index (PyPI), an open repository of software packages to aid in the rapid development or updating of applications. 

Although most packages uploaded to PyPI are uploaded by dedicated people seeking to promote the Python community, malicious packages are also frequently provided by threat actors.

Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Info Stealing Packages Hidden in PyPI

According to Fortinet, the identified packages published by the author “WS” are as follows:

  • nigpal
  • figflix
  • telerer
  • seGMM
  • fbdebug
  • sGMM
  • myGens
  • NewGends
  • TestLibs111

These demonstrate attack techniques similar to those described in a blog post by Checkmarx that was published four months prior.

The resemblance raises the possibility of a link to an early 2023 harmful effort. The setup.py files in these packages contain base64-encoded source code for PE or other Python scripts. 

The final malicious payload is dropped and executed when these Python packages are installed, depending on the operating system of the victim devices.

Malicious PyPI packages published by the author “WS”
Malicious PyPI packages published by the author “WS”

Packages released before December 2023 can particularly transmit a Python script intended to steal data from Linux systems or, in the case of a Windows victim, deploy the malware known as Whitesnake PE.

“A subtle distinction lies in the new method now being used by the Python script to transmit stolen data. Instead of relying on a single fixed URL, these new malware variants use a range of IP addresses as the destination, likely to ensure successful data transmission even if one server fails”, Fortinet shared with Cyber Security News.

The PE Payload of the myGens & NewGends Packages is analyzed. It attempts to gather user data, including the host credentials and IP address of the user.

Collects User information
Collects User information

This latest set of packages primarily targets Windows users, in contrast to previous attacks that were directed at both Linux and Windows users. Even though each package has a slightly different executable payload, they all attempt to steal confidential data from victims.

Recommendation

When utilizing open-source packages, users are advised to proceed with extreme caution, making sure that no harmful content or payloads are present that could leave their targeted devices vulnerable to information theft.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...