WASP malware stings Python developers

Info-stealing trojan hides in malicious PyPI packages on GitHub


Malware dubbed WASP is using steganography and polymorphism to evade detection, with its malicious Python packages designed to steal credentials, personal information, and cryptocurrency.

Researchers from Phylum and Check Point earlier this month reported seeing new malicious packages on PyPI, a package index for Python developers. Analysts at Checkmarx this week connected the same attacker to both reports and said the operator is still releasing malicious packages.

A Checkmarx report detailed hundreds of successful infections of the WASP info-stealer malware, and found a number of interesting features to ensure persistence in a compromised PC and to evade cybersecurity tools.

"The attack seems related to cybercrime as the attacker claims that these tools are undetectable to increase sales," wrote Jossef Harush, Checkmarx's head of engineering, noting that the malware's developer claims WASP is undetectable.

The operator is selling copies of WASP for $20 to other criminals, with payment coming in cryptocurrency or gift cards.

PyPI, an open source repository used by developers to share Python packages used in projects, is an increasingly popular target in software supply chain attacks for uploading malicious code via fake packages. The malicious packages are given names that sound legitimate or are similar to real packages, a technique called typosquatting. Developers are therefore fooled into using booby-trapped packages that appear to be useful and legit.
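As an added defensive example (not code from the article or from any of the vendors it cites), the following Python checks a requirements file for names that sit within a couple of edits of a known popular package, the typosquatting pattern described above. The popular-package list and the sample requirements are constructed for illustration; a real check would use a list of the top PyPI projects.

```python
import re

# Constructed stand-in for a list of well-known PyPI projects.
POPULAR = {"requests", "numpy", "pandas", "colorama", "pyyaml", "urllib3"}

def normalize(name: str) -> str:
    # PEP 503 normalization: case-insensitive; runs of '-', '_' and '.' are equivalent.
    return re.sub(r"[-_.]+", "-", name).lower()

def dl_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: counts inserts,
    deletes, substitutions and adjacent transpositions, the common typosquat edits."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # transposition of adjacent characters
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def parse_requirements(text: str) -> list[str]:
    """Extract bare project names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("-"):          # skip blanks and pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names

def suspicious_names(requirements: str, popular=POPULAR, max_dist: int = 2):
    """Return (declared_name, nearest_popular_name, distance) for every dependency
    that is not itself a known package but lies within max_dist edits of one."""
    hits = []
    for name in parse_requirements(requirements):
        n = normalize(name)
        if n in popular:
            continue
        best = min(popular, key=lambda p: dl_distance(n, p))
        d = dl_distance(n, best)
        if d <= max_dist:
            hits.append((name, best, d))
    return hits

SAMPLE_REQUIREMENTS = """\
requests==2.31.0
reqeusts          # constructed: transposed letters in 'requests'
colorma           # constructed: missing letter from 'colorama'
numpy>=1.26
flask
"""
```

Run `suspicious_names(SAMPLE_REQUIREMENTS)` to see the two constructed look-alikes flagged while the genuine names pass.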

Check Point noted that such packages used for attacks on open source operations – not only PyPI but also others, like NPM – usually involve three steps: malicious code to download and run a virus, carrier code for sneaking the malicious code in, and luring victims – such as through typosquatting – to install the malicious package.

The community behind PyPI in August warned about the first-known phishing attack against its users.

The malicious package becomes an initial infection point if a developer loads it onto their system, with other malware following – in this case, the WASP (also referred to as W4SP) info-stealing trojan.

The Phylum analysts identified the malicious payload as W4SP, noting the attackers had created 29 copies of popular PyPI software packages in a campaign that started in October. Check Point researchers detected the use of steganography – hiding code in other files – to infect PyPI users through open source projects on GitHub.

Checkmarx also saw the use of steganography as well as polymorphic malware – where the payload changes in new installs – and the ability to remain persistent even if the system is rebooted.

"The malware is targeted at stealing all the victim's Discord accounts, passwords, crypto wallets, credit cards, and other interesting files on the victim's PC, sending them back to the attacker through a hard-coded Discord webhook address," Harush wrote.

After the malicious package is loaded, the setup script installs additional Python packages, including judyb, which provides the steganography capabilities. A .png image is downloaded and saved in the OS's temp directory, with another function in the judyb package used to extract the hidden code.

Other code is then fetched to ensure persistence across multiple reboots and to deliver the polymorphic malware: the code served from the second- and third-stage URLs changes on each download, according to Harush. He added that it's the first time he's seen polymorphic malware used in software supply chain attacks.

One of the URLs redirects to a link inviting others to join the attacker's Discord server, which is managed by a single Discord user. Further investigation found an account on the Steam gaming marketplace and a YouTube channel linked to the Discord user, Harush wrote.

Checkmarx analysts were able to track the WASP operator as he moved across different user accounts and notified PyPI of new activities. The crook claimed he was working on an "exe version" of the malware and was seen this week with a new identity – PyPI user "halt" – uploading typosquatting packages that also use the Starjacking technique, which is stealing GitHub Stars from a legitimate package to make the malicious one look popular.

"It seems this attack is ongoing, and whenever the security team of Python deletes his packages, he quickly maneuvers and creates a new identity or simply uses a different name," Harush wrote. ®
