Cyble – New KEKW Malware Variant Identified In PyPI Package Distribution

Cyble Research and Intelligence Labs (CRIL) uncovered a KEKW malware variant spreading via malicious PyPI wheel packages, combining stealer and clipper capabilities to harvest browser data and hijack cryptocurrency transactions. Python security teams quickly removed the malicious packages within 48 hours, likely limiting impact. #KEKW #kekwltd.ru #blackcap.ru #CRIL #Cyble #PyPI

Key points

  • KEKW is a new stealer/clipper malware variant identified in PyPI wheel packages distributed to developers.
  • Dozens of suspicious Python wheels were observed (e.g., pythonsqlitetool-1.0.0 and pipsqlpackageV2-1.0.0); they are no longer present on PyPI, having been removed by Python’s security team within 48 hours.
  • KEKW combines information theft (browsers, wallets, tokens) with clipper functionality to substitute cryptocurrency addresses in real-time.
  • The campaign includes hardcoded anti-VM checks, process termination of security-related processes, startup persistence, and extensive system information collection.
  • Bitcoin wallet activity linked to one address appears in many packages; domains kekwltd.ru and occasional blackcap.ru are tied to the actor’s infrastructure.
  • This illustrates a supply-chain style risk via compromised Python packages and underscores the need for secure software distribution practices.

MITRE Techniques

  • [T1547] Persistence – The KEKW malware sets up a startup entry to achieve persistence, allowing it to execute automatically whenever the victim logs in to their computer using the function startupkekw(). “The KEKW malware sets up a startup entry to achieve persistence, allowing it to execute automatically whenever the victim logs in to their computer using the function startupkekw().”
  • [T1056] Credential Access – The primary objective is to retrieve sensitive information from the target’s web browser, including passwords, cookies, histories, credit card details, tokens, and profiles. “The primary objective of the malicious Python script is to retrieve sensitive information from the target’s web browser, which includes: Passwords, Cookies, Histories, Credit card details, Tokens, Profiles.”
  • [T1057] Process Discovery – The malware checks for security-related processes and terminates them. “The malware checks to determine if any security-related processes are running on the target’s system. If it identifies such processes, it terminates them.”
  • [T1082] System Information Discovery – It collects extensive system information (username, computer name, Windows key/version, RAM, HWID, IP, location, etc.). “collect system-related data such as login username, computer name, Windows product key and version, RAM capacity, HWID, IP address, geographic location, Google Maps information, and more.”
  • [T1005] Data from Local System – Data is gathered from the local machine as part of the theft process. “Data from Local System” (as implied by the data collection and browser/grabber activities).
  • [T1071] Application Layer Protocol – Exfiltration of stolen data to the C2 server (kekwltd.ru) after JSON formatting and ZIP compression. “upload the compressed archive to the command and control (C&C) server.”
  • [T1047] Windows Management Instrumentation – The article’s MITRE mapping lists Windows Management Instrumentation under Execution, next to User Execution. “Execution: User Execution Windows Management Instrumentation.”

Indicators of Compromise

  • [Domain] kekwltd.ru – Exfiltration/C2 infrastructure used by the KEKW campaign; the principal domain named in the article (blackcap.ru is the other).
  • [Domain] blackcap.ru – Related TA infrastructure observed in the same campaign.
  • [File Name] pipcoloringsextV1-1.0.0-py3-none-any.whl – Malicious wheel package name observed in IOCs.
  • [File Name] pipcolourpackagesV2-1.0.0-py3-none-any.whl – Additional malicious wheel package observed.
  • [File Hash] 1cc87ac9d9066a9829e4245fd86d4cfc – Example MD5 hash for a malicious wheel; associated filename: pipcoloringsextV1-1.0.0-py3-none-any.whl.
  • [File Hash] b449b53a50d80ccfaba259ce98424d3f8e4b2c85 – Example SHA-1 hash for another malicious wheel; associated filename: pipcoloringsextV1-1.0.0-py3-none-any.whl.
  • [File Hash] 7167f3c8f24eebc374ecf4d132fc5e2ff681d208a3b02ab5547f488698d2fffc – Another sample hash (SHA-256) from the IOC list.
  • [URL] hxxps[:]//kekwltd[.]ru – Exfiltration/C2 URL used by the malware to send data.
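As an added defender-side example (not code from Cyble’s report), the script below turns the IOC list above and the T1071 exfiltration bullet into a check a practitioner can run: it hashes .whl files with MD5, SHA-1 and SHA-256 (the list mixes all three), compares digests and filenames against the indicators, greps every wheel member for the C2 domains, and matches those domains in DNS/proxy log lines, refanging the hxxps[:]// notation first. The hash, filename and domain values are the page’s; the sample wheels and log lines are constructed inline so the script runs offline.

```python
"""IOC sweep for the KEKW PyPI campaign.

Added example, not code from the Cyble write-up. Indicator values come from the
IOC list; the sample wheel and log lines are constructed here.
"""
import hashlib
import io
import os
import re
import zipfile
from dataclasses import dataclass, field

# Indicators quoted from the IOC section of the page.
IOC_HASHES = {
    "1cc87ac9d9066a9829e4245fd86d4cfc",                                   # MD5
    "b449b53a50d80ccfaba259ce98424d3f8e4b2c85",                           # SHA-1
    "7167f3c8f24eebc374ecf4d132fc5e2ff681d208a3b02ab5547f488698d2fffc",  # SHA-256
}
IOC_FILENAMES = {
    "pipcoloringsextV1-1.0.0-py3-none-any.whl",
    "pipcolourpackagesV2-1.0.0-py3-none-any.whl",
}
IOC_DOMAINS = {"kekwltd.ru", "blackcap.ru"}

# A bare hostname; the lookbehind stops us matching the tail of a longer token.
HOST_RE = re.compile(r"(?<![\w.-])((?:[\w-]+\.)+[a-z]{2,})", re.I)


def refang(text: str) -> str:
    """Undo IOC-feed defanging: hxxps[:]//kekwltd[.]ru -> https://kekwltd.ru."""
    return text.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


@dataclass
class WheelFinding:
    name: str
    hash_hit: bool
    name_hit: bool
    domain_hits: dict = field(default_factory=dict)  # member path -> domains seen in it

    def suspicious(self) -> bool:
        return self.hash_hit or self.name_hit or bool(self.domain_hits)


def digests(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of one file, since the IOC list mixes all three."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def scan_wheel(name: str, data: bytes) -> WheelFinding:
    """Compare a wheel's digests and filename to the IOCs, then grep its members for C2 domains."""
    finding = WheelFinding(
        name=name,
        hash_hit=any(h in IOC_HASHES for h in digests(data).values()),
        name_hit=os.path.basename(name) in IOC_FILENAMES,
    )
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # a wheel is a zip archive
        for member in zf.namelist():
            text = refang(zf.read(member).decode("utf-8", errors="ignore")).lower()
            seen = {d for d in IOC_DOMAINS if d in text}
            if seen:
                finding.domain_hits[member] = seen
    return finding


def scan_directory(root: str) -> list:
    """Sweep a pip cache or download folder for .whl files (real-world entry point)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".whl"):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.append(scan_wheel(path, fh.read()))
    return findings


def match_log_line(line: str) -> set:
    """Return the IOC domains (or their subdomains) referenced in one DNS/proxy log line."""
    hosts = {h.lower() for h in HOST_RE.findall(refang(line))}
    return {h for h in hosts if h in IOC_DOMAINS or any(h.endswith("." + d) for d in IOC_DOMAINS)}


def build_wheel(members: dict) -> bytes:
    """Build an in-memory wheel from {member_path: source}; only used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, src in members.items():
            zf.writestr(path, src)
    return buf.getvalue()


# Constructed samples: a stand-in that reuses an IOC filename and embeds the C2 domain, plus a benign wheel.
SUSPECT_WHEEL = build_wheel({
    "pipcoloringsextV1/__init__.py": 'SERVER = "https://kekwltd.ru"  # constructed stand-in\n',
    "pipcoloringsextV1-1.0.0.dist-info/METADATA": "Name: pipcoloringsextV1\nVersion: 1.0.0\n",
})
BENIGN_WHEEL = build_wheel({"goodpkg/__init__.py": "def hello():\n    return 'hi'\n"})

SAMPLE_LOG = [  # constructed log lines, not from the report
    "2023-05-01T10:00:00Z dns client=10.0.0.5 qname=kekwltd.ru type=A",
    "2023-05-01T10:00:02Z proxy POST hxxps[:]//kekwltd[.]ru/ status=200 bytes=48213",
    "2023-05-01T10:00:05Z dns client=10.0.0.7 qname=files.pythonhosted.org type=A",
]

if __name__ == "__main__":
    for name, blob in (("pipcoloringsextV1-1.0.0-py3-none-any.whl", SUSPECT_WHEEL),
                       ("goodpkg-1.0-py3-none-any.whl", BENIGN_WHEEL)):
        f = scan_wheel(name, blob)
        print(name, "SUSPICIOUS" if f.suspicious() else "clean", f.domain_hits)
    for line in SAMPLE_LOG:
        print(match_log_line(line) or "-", line)
```

Point scan_directory at a developer’s pip cache or a build server’s download folder. Of the three wheel checks, the hash match only catches the exact samples listed and a filename match alone is a weak signal, so the domain grep inside the archive is the most durable; the log matcher pairs with it to spot hosts that already installed a package and are talking to the C2.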

Read more: https://blog.cyble.com/2023/05/03/new-kekw-malware-variant-identified-in-pypi-package-distribution/