Sonatype uncovered a counterfeit PyPI package named crytic-compilers that imitates the legitimate crytic-compile library and drops a Windows trojan targeting cryptocurrency wallets, a supply-chain abuse of open-source components. The report also profiles the Lumma/LummaC2 Windows stealer: its C2 domains, its MaaS (malware-as-a-service) distribution, and multiple infection vectors including trojanized apps, phishing, drive-by fake updates, and browser-credential theft. #crytic-compilers #crytic-compile #Lumma #LummaC2 #s.exe #Shamel #PyPI
Keypoints
- Counterfeit crytic-compilers on PyPI mimics crytic-compile and appeared to target crypto developers, with 436 downloads before takedown.
- The counterfeit aligns its version numbers with the legitimate library and then overshoots them, reaching 0.3.11 while the real crytic-compile stood at 0.3.7, so it appears to be the newer release.
- Some versions (e.g., 0.3.9) try to install the real library to avoid suspicion, via setup.py.
- The Windows payload s.exe includes anti-detection/stealth techniques and drops executables while accessing the registry.
- Lumma/LummaC2 is a Windows crypto-wallet stealer with C2 infrastructure, including domains and IPs, Cloudflare protection, and geo-blocks.
- The threat actor “Shamel” offers Lumma under a MaaS (malware-as-a-service) model; distribution vectors include trojanized apps, phishing emails to YouTube content creators, pirated games, and drive-by downloads that push fake browser updates.
- Sonatype Repository Firewall blocks counterfeit components like crytic-compilers, helping protect software supply chains.
MITRE Techniques
- [T1195.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools – Counterfeit PyPI package ‘crytic-compilers’ typosquats a legitimate library and uses its setup.py to drop malware at install time. “Some versions of the counterfeit component (e.g. 0.3.9) will even attempt to ‘install’ the real library (‘crytic-compile’) to avoid suspicion (line 5 of ‘setup.py’).”
- [T1036] Masquerading – The counterfeit library is named after the legitimate ‘crytic-compile’ library, deceiving users into installing it. “in addition to being named after the legitimate Python utility, ‘crytic-compile’, it aligns its version numbers with the real library.”
- [T1112] Modify Registry – The Windows component ‘s.exe’ “drops suspicious executables and accesses Windows registry settings.”
- [T1497] Virtualization/Sandbox Evasion – The malware employs anti-detection and stealth techniques aimed at analysts and automated sandboxes. “anti-detection and stealth techniques to deter analysis by researchers and malware sandboxes alike.”
- [T1071.001] Web Protocols – The binary connects to a set of domains and IPs with an active ‘/api’ endpoint. “domains… have an active ‘/api’ endpoint”
- [T1189] Drive-by Compromise – Drive-by downloads to ship fake browser updates on compromised or illicit websites. “drive-by downloads to ship fake browser updates on compromised or illicit websites.”
- [T1566] Phishing – Phishing emails to YouTube content creators as a distribution method. “phishing emails to YouTube content creators.”
- [T1555.003] Credentials from Web Browsers – The Lumma stealer looks for browser passwords and crypto wallets and exfiltrates them. “looks for browser passwords, crypto wallets, and exfiltrates this information to threat actors.”
Indicators of Compromise
- [Domain] Lumma C2 domains (each serving an active ‘/api’ endpoint) – acceptabledcooeprs.shop, boredimperissvieos.shop, holicisticscrarws.shop, miniaturefinerninewjs.shop, obsceneclassyjuwks.shop, plaintediousidowsko.shop, sweetsquarediaslw.shop, zippyfinickysofwps.shop
- [IP] Addresses resolved for the C2 domains – 104.21.59.156, 172.67.186.30, and 6 more IPs associated with the C2 domains. Note that 104.21.x.x and 172.67.x.x are Cloudflare edge ranges shared with legitimate sites, so the IPs alone are weak indicators; alert on the domains.
- [File] s.exe – malicious Windows executable dropped by the counterfeit package and used by the Lumma stealer
Read more: https://www.sonatype.com/blog/crytic-compilers-typosquats-known-crypto-library-drops-windows-trojan