Virus under the guise of help: a new way to infect developers on Stack Overflow

Tomcat

Users hand over their own data by following other people's advice.

Attackers have found a new way to distribute malware through Stack Overflow: when answering users' questions, they recommend installing a malicious PyPI package that infects computers and steals confidential information.

Sonatype has discovered a new malicious PyPI package linked to the already well-known "Cool package" campaign. The campaign, which began last year, targets Windows users and now uses a package called "pytoileur".

The attackers uploaded the package to the PyPI repository under the guise of an API management tool. Notably, the package carries the "Cool package" signature, indicating that it belongs to the ongoing campaign.


Malicious PyToileur package

Cybercriminals use typosquatting, giving malicious packages names similar to those of popular ones, to deceive users. This time the attackers went further and began promoting their package by answering questions from Stack Overflow users, presenting the package as a solution to various problems.


Reply by user EstAYA G promoting the malicious package

Stack Overflow is one of the largest platforms for programmers, which makes it an ideal environment for distributing malware disguised as useful tools and libraries.

The "pytoileur" package contains a "setup.py" file that hides a base64-encoded command behind a long run of spaces, pushing it off-screen so that it stays invisible unless word wrap is enabled in the text editor.


Obfuscated command executed from setup.py
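As an added example (not from the article, Sonatype, or the package itself), a small Python checker for the two traits the article describes in the pytoileur setup.py: a long run of spaces that pushes content off-screen, and a base64 token that decodes to a command. The sample setup.py below is constructed, and the thresholds (40 spaces, 40-character tokens) and the marker list are assumptions.

```python
import base64
import re

# Heuristics for the two traits described above: a long run of spaces that
# pushes content off-screen, and a long base64 token that decodes to text.
SPACE_GAP = re.compile(r" {40,}(?=\S)")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SUSPICIOUS = ("exec(", "b64decode", "subprocess", "urlopen", "urlretrieve", ".exe")

# Constructed sample setup.py (not the real pytoileur file): a harmless
# placeholder payload is base64-encoded and hidden after 300 spaces.
_PAYLOAD = b'print("placeholder payload that would fetch runtime.exe")'
_PAYLOAD_B64 = base64.b64encode(_PAYLOAD).decode()
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    'setup(name="example-pkg", version="0.1")' + " " * 300
    + f'exec(__import__("base64").b64decode("{_PAYLOAD_B64}"))\n'
)


def try_decode(token):
    """Decode a base64 token to printable UTF-8 text, or return None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # not base64, or binary/hash-like content
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def scan_setup_py(source):
    """Return (line_no, reason, detail) findings; nothing is ever executed."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        gap = SPACE_GAP.search(line)
        if gap:
            tail = line[gap.end():gap.end() + 30]
            findings.append((no, "whitespace-gap", f"{len(gap.group())} spaces, then {tail!r}"))
        for token in B64_TOKEN.findall(line):
            decoded = try_decode(token)
            if decoded is None:
                continue
            hits = [m for m in SUSPICIOUS if m in decoded]
            findings.append((no, "b64-suspicious" if hits else "b64-text", decoded[:60]))
        markers = [m for m in SUSPICIOUS if m in line]
        if markers:
            findings.append((no, "marker", ", ".join(markers)))
    return findings
```

Run `scan_setup_py(open("setup.py").read())` on an unpacked sdist before installing it; every finding names the line so it can be inspected with word wrap enabled.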

Once deobfuscated, the command downloads and runs an executable named "runtime.exe" from a remote site. The file is actually a Python program converted to an ".exe" and acts as an information stealer.

The malware collects cookies, passwords, browsing history, credit card data and other information from web browsers. It also searches documents for specific phrases and steals the data when they are found. Everything collected is sent back to the attackers, who can sell it on the darknet or use it to break further into the victims' accounts.

Although malicious packages and infostealers are nothing new, this tactic of cybercriminals posing as helpful participants on Stack Overflow deserves special attention: it exploits the trust and authority the platform holds in the developer community.