StackExchange Exploited to Distribute Malicious Python Package

Researchers uncovered a multi-stage campaign distributing the malicious Python package spl-types on PyPI, aimed at Raydium and Solana users. The attackers used StackExchange to promote the package, exfiltrated browser and wallet data, and maintained persistence via a backdoor. #spl-types #Raydium #Solana #PyPI #StackExchange

Keypoints

  • Malicious Python packages targeting cryptocurrency users were uploaded to PyPI.
  • The campaign began with an innocuous package to establish credibility.
  • Multiple malicious versions were released, including obfuscated code in the package's __init__.py file.
  • The malware exfiltrated sensitive data, including browser data and cryptocurrency wallet information.
  • Windows Virus and Threat Protection failed to detect the malware during active data exfiltration.
  • A backdoor component allowed persistent remote access to victims’ systems.
  • The attacker exploited StackExchange to promote their malicious package, indicating a targeted financial motive.
  • The incident underscores the need for stronger software supply chain security and third-party vetting.

MITRE Techniques

  • [T1195] Supply Chain Compromise – The attacker used community-driven platforms to promote malicious packages. Quote: “Utilized community-driven platforms to promote malicious packages.”
  • [T1059] Command and Scripting Interpreter – Malicious scripts were executed upon package installation. Quote: “Executed malicious scripts upon installation of the package.”
  • [T1053] Persistence – A backdoor was installed for ongoing access to victim systems. Quote: “Installed a backdoor for ongoing access to victim systems.”
  • [T1041] Exfiltration – Data was exfiltrated to the attacker’s C2 server. Quote: “Exfiltrated sensitive data to the attacker’s command and control server.”
  • [T1003] Credential Access – Saved passwords, cookies, and cryptocurrency wallet information were harvested. Quote: “Harvested saved passwords, cookies, and cryptocurrency wallet information.”

Indicators of Compromise

  • [URL] ipfs.io/ipfs/QmQcn1grVAFSazs31pJAcQUjdwVQUY9TtZFHgggFBN6wYQ, and 2 more similar delivery URLs (e.g., rentry.co/7hnvbc6n/raw)
  • [URL] api.telegram.org/bot6875598996:AAGATybCyN73i3als0VRGlP8cILsFjKf4ao/sendDocument?chat_id=7069869729, and 1 more like api.telegram.org/bot7265790107:AAE9XT3b23WyBHq-0fw5BwW5U7wzYNZT3cc/sendDocument?chat_id=7069869729
  • [IP] 147.45.44.114
  • [URL] rentry.co/foyntbdk/raw, rentry.co/xcsshmno/raw, and rentry.co/2p7kv9d8/raw
  • [File name] spl-types, raydium, sol-structs, raydium-sdk, sol-instruct
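As an added defensive check (my example, not code from the Checkmarx write-up or the campaign itself), the snippet below matches `pip freeze` or requirements lines against the package names listed above, normalising names as pip does so `SPL_Types` still matches `spl-types`, and flags the exec-of-decoded-blob pattern that characterises an obfuscated `__init__.py`. The sample requirements and the sample `__init__.py` text are constructed.

```python
import re

# Package names reported in this campaign (taken from the indicator list above).
MALICIOUS_PACKAGES = {"spl-types", "raydium", "sol-structs", "raydium-sdk", "sol-instruct"}


def normalize(name: str) -> str:
    """PEP 503 name normalisation: runs of '-', '_' and '.' collapse to '-', lower-cased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def flag_requirements(lines):
    """Return normalised names from pip-freeze/requirements lines that hit the IoC list."""
    hits = []
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        # The project name ends at the first version specifier, extra or marker.
        name = re.split(r"[\s=<>!~\[;]", line, maxsplit=1)[0]
        if normalize(name) in MALICIOUS_PACKAGES:
            hits.append(normalize(name))
    return hits


# exec()/eval() whose argument is produced by decoding or decompressing a blob.
OBFUSCATION_PATTERN = re.compile(
    r"\b(exec|eval)\s*\(.*?(b64decode|decompress|fromhex)", re.DOTALL
)


def looks_obfuscated(source: str) -> bool:
    """Heuristic for the obfuscated __init__.py pattern; a hit warrants manual review."""
    return bool(OBFUSCATION_PATTERN.search(source))


# Constructed sample inputs (not real project files).
SAMPLE_REQUIREMENTS = [
    "requests==2.31.0",
    "SPL_Types==0.2.1   # constructed: matches spl-types after normalisation",
    "solana>=0.30",
    "raydium_sdk",
]
SAMPLE_INIT = 'import base64\nexec(base64.b64decode("cHJpbnQoJ2hpJyk="))\n'

if __name__ == "__main__":
    print("IoC package hits:", flag_requirements(SAMPLE_REQUIREMENTS))
    print("__init__.py obfuscation heuristic:", looks_obfuscated(SAMPLE_INIT))
```

Run it against the output of `pip freeze` on each host in scope; a hit on either check is a trigger for the credential and wallet rotation the keypoints above imply, not proof by itself.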

Read more: https://checkmarx.com/blog/stackexchange-abused-to-spread-malicious-python-package-that-drains-victims-crypto-wallets/