Summary:
ReversingLabs detected a malicious Python package named aiocpa, designed to compromise cryptocurrency wallets. Unlike typical attacks, this campaign involved the publication of a legitimate-looking crypto client tool that later delivered malicious updates. The incident highlights the growing sophistication of supply chain threats in open-source software. #SoftwareSupplyChain #ThreatHunting #OpenSourceSecurity
Keypoints:
- ReversingLabs identified the aiocpa package containing malicious code targeting cryptocurrency wallets.
- The malicious package was reported to the Python Package Index (PyPI) and subsequently removed.
- Attackers used a unique approach by publishing a legitimate-looking crypto client tool instead of impersonating existing packages.
- Machine learning-based threat hunting was crucial in detecting the malicious behavior in the package.
- Obfuscated code was found in the package, designed to exfiltrate sensitive information to a remote Telegram bot.
- Malicious actors attempted to take over an existing PyPI project to exploit its user base.
- Security assessments of third-party packages are essential to prevent supply chain attacks.
- Advanced security tools like RL Spectra Assure provide deeper insights into software supply chain security risks.
- The incident underscores the increasing complexity and sophistication of open-source software security threats.
MITRE Techniques:
- Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
- Data Exfiltration Over Command and Control Channel (T1041): Exfiltrates sensitive information through established command and control channels.
- Obfuscated Files or Information (T1027): Employs obfuscation techniques to hide malicious code and evade detection.
- Supply Chain Compromise (T1195): Targets software supply chains to introduce malicious code into legitimate software.
IoC:
- [File Name] aiocpa
- [Version] 0.1.13
- [SHA1] a1187d2a4acfe8ddaee3c7be79a9bb838142903a
- [SHA1] 7007be259829d72e73ff63ad409770ca56cfc418
- [Version] 0.1.14
- [SHA1] fc36c157075dd4302f71ed2660e19a61016b085c
- [SHA1] 01f7db47368bffa279fb15c688518774454650cf
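One way a defender would put the SHA1 list above to work is to sweep local artifacts (a pip download cache, a build agent's wheel directory, an extracted site-packages tree) and flag any file whose digest matches. The script below is an added example, not code from the ReversingLabs write-up or from the aiocpa project; the four hashes come from the IoC list above, while the scanned directory and the sample files in the demo are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA1 digests from the IoC list above, keyed to the aiocpa release they belong to.
AIOCPA_IOCS = {
    "a1187d2a4acfe8ddaee3c7be79a9bb838142903a": "aiocpa 0.1.13",
    "7007be259829d72e73ff63ad409770ca56cfc418": "aiocpa 0.1.13",
    "fc36c157075dd4302f71ed2660e19a61016b085c": "aiocpa 0.1.14",
    "01f7db47368bffa279fb15c688518774454650cf": "aiocpa 0.1.14",
}


def sha1_of_bytes(data: bytes) -> str:
    """SHA1 hex digest of an in-memory blob (used for small artifacts and tests)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size: int = 1 << 16) -> str:
    """SHA1 hex digest of a file, streamed in chunks so large wheels do not load into RAM."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs=AIOCPA_IOCS):
    """Walk `root` recursively and return (path, sha1, label) for every file whose
    digest appears in `iocs`. Paths are sorted so results are stable across runs."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = sha1_of_file(path)
            if digest in iocs:
                hits.append((str(path), digest, iocs[digest]))
    return hits


def demo():
    """Constructed demonstration: a scratch directory holding one benign file and one
    'planted' file whose digest is added to a copy of the IoC table, so a hit is shown.
    The planted content is an arbitrary byte string, not real malware."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "benign.py"
        benign.write_bytes(b"print('hello')\n")
        planted = Path(tmp) / "cache" / "planted.bin"
        planted.parent.mkdir()
        planted.write_bytes(b"constructed sample, not real malware\n")

        iocs = dict(AIOCPA_IOCS)
        iocs[sha1_of_file(planted)] = "constructed test sample"
        return scan_directory(tmp, iocs)


if __name__ == "__main__":
    for path, digest, label in demo():
        print(f"MATCH {label}: {path} ({digest})")
```

Point `scan_directory` at a real directory (for example `~/.cache/pip` or a virtual environment's `site-packages`) to check a host against the published hashes. Note that this is a retrospective IoC match, not a preventive control: pip's hash-checking mode (`--require-hashes`) accepts only SHA256 or stronger, so the SHA1 values above cannot be used to pin installs and must be compared out of band as shown here.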
Full Research: https://www.reversinglabs.com/blog/malicious-pypi-crypto-pay-package-aiocpa-implants-infostealer-code