Clever methods of disguise allow cyber villains to complete their plans, bypassing information security radars.
Cybersecurity specialists from the company Fortinet identified a new malicious package in the registry for PyPI developers, aimed at stealing Discord user data. A package called "discordpy_bypass-1.7" was published on March 10, 2024 and discovered two days later.
The package, developed by a user named "Theaos", includes seven versions with similar characteristics. Its main purpose is to extract confidential information using techniques for establishing persistence in the victim's system, extracting data from browsers, and collecting tokens.
Technical analysis revealed that the package uses multi-level evasion measures, including base64 encoding of basic Python code, additional obfuscation techniques, and compilation to an executable file that is loaded from a remote URL.
In addition, the attackers also implemented a number of checks that allow the malware to detect the launch in the sandbox and interrupt its work. In addition, the program is able to identify and block IP and MAC addresses that are blacklisted.
The malicious code pays special attention to Discord's authorization data, extracting passwords, cookies, and web search history from browsers. Before sending it to the remote server, the extracted tokens are decrypted and verified.
Experts of the FortiGuard laboratory emphasize that this incident once again proves the need for vigilance and enhanced protection of systems to ensure the security of personal data. At the same time, information about such threats allows researchers to develop more secure systems that can withstand new types of cyber attacks.
Cybersecurity specialists from the company Fortinet identified a new malicious package in the registry for PyPI developers, aimed at stealing Discord user data. A package called "discordpy_bypass-1.7" was published on March 10, 2024 and discovered two days later.
The package, developed by a user named "Theaos", includes seven versions with similar characteristics. Its main purpose is to extract confidential information using techniques for establishing persistence in the victim's system, extracting data from browsers, and collecting tokens.
Technical analysis revealed that the package uses multi-level evasion measures, including base64 encoding of basic Python code, additional obfuscation techniques, and compilation to an executable file that is loaded from a remote URL.
In addition, the attackers also implemented a number of checks that allow the malware to detect the launch in the sandbox and interrupt its work. In addition, the program is able to identify and block IP and MAC addresses that are blacklisted.
The malicious code pays special attention to Discord's authorization data, extracting passwords, cookies, and web search history from browsers. Before sending it to the remote server, the extracted tokens are decrypted and verified.
Experts of the FortiGuard laboratory emphasize that this incident once again proves the need for vigilance and enhanced protection of systems to ensure the security of personal data. At the same time, information about such threats allows researchers to develop more secure systems that can withstand new types of cyber attacks.
