The secret life of the Telegram bot: from view fraud to data theft

What is hidden behind harmless PyPI packages?

Checkmarx specialists found PyPI packages whose "__init__.py" file contains a malicious script that transmits user data to a bot in Telegram.

Malicious packages uploaded by the user "dsfsdfds" turned out to be part of a major cybercrime operation. The main goal of the campaign is to steal confidential user data and transfer it to a Telegram bot associated with cybercriminals from Iraq. The operation has been active since 2022. The Telegram channel with the bot contains more than 90,000 messages in Arabic.

The list of malicious packages on PyPI includes:
  • testbrojct2
  • proxyfullscraper
  • proxyalhttp
  • proxyfullscrapers

The malicious script in the packages scans the victim's file system, in particular the root folder and the DCIM folder. The script searches for files with the extensions ".py", ".php" and ".zip", as well as images with the extensions ".png", ".jpg" and ".jpeg". The files found, together with their paths in the file system, are exfiltrated to Telegram without the user's knowledge.

Hard-coded confidential information, such as the bot's token and chat ID, allowed researchers to obtain data about the infrastructure and operations of cybercriminals. Researchers gained access to the Telegram bot and monitored its activity.
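The two traits described above, a file-harvesting loop over the root and DCIM folders and a hard-coded Telegram bot token and chat ID, are exactly what a defender can look for when auditing installed packages. The following added example (not code from Checkmarx or from the packages themselves) is a small static scanner that greps every "__init__.py" under a site-packages directory for those indicators and scores files where a Telegram sink and a file-harvesting source appear together; the regexes, the fixture and the fake token in it are constructed for this illustration.

```python
import re
from pathlib import Path

# Indicators from the behaviour described above; the token pattern is the Telegram Bot API shape: numeric bot id, colon, 35-char secret.
INDICATORS = {
    "telegram_bot_api_url": re.compile(r"api\.telegram\.org/bot"),
    "hardcoded_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "chat_id_literal": re.compile(r"chat_id\s*[=:]\s*['\"]?-?\d{6,}", re.IGNORECASE),
    "filesystem_walk": re.compile(r"os\.walk\(|\.rglob\("),
    "dcim_or_root_path": re.compile(r"['\"](?:/|/sdcard/DCIM|DCIM)['\"]"),
    "harvested_extensions": re.compile(r"\.(?:py|php|zip|png|jpe?g)['\"]"),
}

def scan_source(text: str) -> dict:
    """Map each indicator name to the 1-based line numbers where it appears in text."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def risk_score(hits: dict) -> int:
    """Exfiltration needs a Telegram sink and a file-harvesting source; weight the combination."""
    sink = any(k in hits for k in ("telegram_bot_api_url", "hardcoded_bot_token", "chat_id_literal"))
    source = any(k in hits for k in ("filesystem_walk", "dcim_or_root_path", "harvested_extensions"))
    return len(hits) + (5 if sink and source else 0)

def scan_site_packages(root: str) -> list:
    """Scan every __init__.py below root (e.g. a venv's site-packages); highest score first."""
    results = []
    for init in Path(root).rglob("__init__.py"):
        hits = scan_source(init.read_text(errors="ignore"))
        if hits:
            results.append((str(init), risk_score(hits), hits))
    return sorted(results, key=lambda r: r[1], reverse=True)

# Constructed fixture, not code from any real package: only the indicator shapes, with a fake token.
SAMPLE_INIT = '''
TOKEN = "123456789:AAFakeTokenForDetectionTest00000000"
CHAT_ID = 987654321
for root, dirs, files in os.walk("/sdcard/DCIM"):
    for f in files:
        if f.endswith((".py", ".php", ".zip", ".png", ".jpg", ".jpeg")):
            targets.append(os.path.join(root, f))
upload_url = "https://api.telegram.org/bot" + TOKEN + "/sendDocument"
'''
if __name__ == "__main__":
    hits = scan_source(SAMPLE_INIT)
    print(f"score={risk_score(hits)}", hits)  # score=11
```

A token or chat ID match on its own only scores 1 and is a normal sight in legitimate Telegram client libraries; the fixture scores 11 because the sink and the harvesting loop occur in the same file, which is the combination worth a manual review.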

The bot's activity history goes back to 2022, long before malicious packages were released on PyPI. The messages were mostly in Arabic. During the analysis, it turned out that the bot operator supported many other bots and was probably based in Iraq.

Initially, the bot functioned as an underground market, offering services to inflate views and subscribers on Telegram and Instagram, spam services and discounts on Netflix subscriptions. However, further investigation of the message history revealed more dangerous activities related to financial fraud and the compromise of victims' systems.

The discovery of the malicious packages and the subsequent investigation of the Telegram bot shed light on a complex cybercrime operation. What began as a single case of malicious packages turned out to be the tip of the iceberg, exposing a wider criminal ecosystem. The Checkmarx research team continues to investigate the attack in order to learn more about the attackers' methods.
