CarderPlanet
Over the past six months, researchers have been monitoring a cybercrime campaign that has gradually improved and gained strength. Its goal is to plant malicious data-stealing packages on open source platforms.
There were 272 such packages in total, with about 75 thousand downloads between them. The Checkmarx Supply Chain Security team, which has been monitoring this activity since April, found hidden malicious code that exfiltrates confidential victim data.
At the same time, the experts note a noticeably growing level of professionalism among the cybercriminals: in recent attacks they have added obfuscation layers and detection-evasion techniques.
As an example, the researchers cite the file "__init__.py", which loads the payload only after checking the host: if it is a virtual machine, the malware simply will not start.
Malware operators are interested in the following information:
* availability of working antivirus programs in the system;
* task list, Wi-Fi passwords, host information;
* credentials, browser history, cookies and payment information, all of it taken from what is saved in the browser;
* data from cryptocurrency wallets like Atomic and Exodus;
* phone numbers, email addresses, Discord icons;
* player data in Minecraft and Roblox.
In addition, the malware takes screenshots and steals certain files stored on the desktop and in the directories "Images", "Music", "Documents", "Videos", "Downloads".
The victim's clipboard is also constantly monitored: the malware tries to find and replace the addresses of crypto wallets there.
Notably, the attackers use at least 70 layers of obfuscation in the packages.
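For the three behaviours this post describes (a VM-gated loader in "__init__.py", clipboard monitoring for wallet addresses, and dozens of nested obfuscation layers), the following added example shows how a reviewer can triage a suspicious package file statically. It is not code from the original post or from Checkmarx; the indicator keywords, the `wrap()` fixture and the `INNER` sample payload are constructed for the demonstration. The scanner peels nested `exec(base64/zlib)` wrappers with the `ast` module, never executing the package, and then searches the innermost layer for sandbox checks, clipboard access, hardcoded wallet addresses and browser credential stores.

```python
"""Static triage of a suspicious Python package file (added example).

Peels nested exec(base64/zlib) wrappers without executing anything, then
greps the innermost layer for the behaviours described in the post.
The INNER payload and the wrap() fixture are constructed test data.
"""
import ast
import base64
import re
import zlib

MAX_LAYERS = 200  # stop peeling here; the campaign in the post used 70+

# decoder calls we are willing to evaluate statically (pure, no side effects)
DECODERS = {
    ("base64", "b64decode"): base64.b64decode,
    ("zlib", "decompress"): zlib.decompress,
}

# constructed indicator list; a real rule set would be broader
INDICATORS = {
    "vm_check": re.compile(r"VMware|VirtualBox|VBoxService|vmtoolsd|QEMU", re.I),
    "clipboard": re.compile(r"pyperclip|win32clipboard|GetClipboardData", re.I),
    "wallet_address": re.compile(
        r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|0x[a-fA-F0-9]{40})\b"),
    "browser_store": re.compile(r"Login Data|Web Data|Cookies", re.I),
}


def _peel(src: str):
    """Return the source hidden under one exec(decode(...)) wrapper, or None."""
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return None
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "exec" and node.args):
            continue
        chain, inner = [], node.args[0]
        # walk down e.g. zlib.decompress(base64.b64decode("...")) to the literal
        while (isinstance(inner, ast.Call) and isinstance(inner.func, ast.Attribute)
               and isinstance(inner.func.value, ast.Name) and inner.args):
            key = (inner.func.value.id, inner.func.attr)
            if key not in DECODERS:
                break
            chain.append(DECODERS[key])
            inner = inner.args[0]
        if not chain or not isinstance(inner, ast.Constant):
            continue
        data = inner.value
        if isinstance(data, str):
            data = data.encode()
        if not isinstance(data, bytes):
            continue
        try:
            for fn in reversed(chain):  # innermost decoder runs first
                data = fn(data)
            return data.decode("utf-8", "replace")
        except (ValueError, zlib.error):
            continue
    return None


def unwrap(src: str):
    """Peel wrappers until none is left; returns (layer_count, innermost_source)."""
    layers = 0
    while layers < MAX_LAYERS:
        nxt = _peel(src)
        if nxt is None:
            break
        src, layers = nxt, layers + 1
    return layers, src


def scan_source(src: str) -> dict:
    """Report how many wrappers were peeled and which indicators the core matches."""
    layers, final = unwrap(src)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(final))
    return {"layers": layers, "capped": layers >= MAX_LAYERS, "indicators": hits}


# --- constructed fixture ---------------------------------------------------
def wrap(src: str, layers: int) -> str:
    """Nest src under `layers` exec(base64/zlib) wrappers (test fixture only)."""
    for i in range(layers):
        raw = src.encode()
        if i % 2:
            blob = base64.b64encode(zlib.compress(raw)).decode()
            src = f"import base64, zlib\nexec(zlib.decompress(base64.b64decode({blob!r})))\n"
        else:
            blob = base64.b64encode(raw).decode()
            src = f"import base64\nexec(base64.b64decode({blob!r}))\n"
    return src


INNER = (  # harmless constructed payload carrying two of the indicator keywords
    "import platform\n"
    "if 'VMware' in platform.node():  # constructed sandbox-check decoy\n"
    "    raise SystemExit\n"
    "print('constructed payload; would call pyperclip.paste() here')\n"
)
SAMPLE = wrap(INNER, 70)  # mirrors the 70-layer depth mentioned in the post

if __name__ == "__main__":
    print(scan_source(SAMPLE))
```

The point of peeling by AST rather than by regex is that the decoders are applied to string literals only, so a reviewer gets the innermost layer without ever importing the package; anything the scanner cannot decode statically (a decoder it does not know, a key fetched at runtime) is left as the final layer and the layer count itself becomes the finding, since a legitimate package has no reason to ship 70 nested `exec` wrappers.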