Summary:
ReversingLabs detected a malicious Python package named aiocpa, designed to compromise cryptocurrency wallets. Unlike typical attacks, this campaign involved the publication of a legitimate-looking crypto client tool that later delivered malicious updates. The incident highlights the growing sophistication of supply chain threats in open-source software. #SoftwareSupplyChain #ThreatHunting #OpenSourceSecurity
Keypoints:
ReversingLabs identified the aiocpa package containing malicious code targeting cryptocurrency wallets.
The malicious package was reported to the Python Package Index (PyPI) and subsequently removed.
Attackers used a unique approach by publishing a legitimate-looking crypto client tool instead of impersonating existing packages.
Machine learning-based threat hunting was crucial in detecting the malicious behavior in the package.
Obfuscated code was found in the package, designed to exfiltrate sensitive information to a remote Telegram bot.
Malicious actors attempted to take over an existing PyPI project to exploit its user base.
Security assessments of third-party packages are essential to prevent supply chain attacks.
Advanced security tools like RL Spectra Assure provide deeper insights into software supply chain security risks.
The incident underscores the increasing complexity and sophistication of open-source software security threats.
MITRE Techniques:
Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
Data Exfiltration Over Command and Control Channel (T1041): Exfiltrates sensitive information through established command and control channels.
Obfuscated Files or Information (T1027): Employs obfuscation techniques to hide malicious code and evade detection.
Supply Chain Compromise (T1195): Targets software supply chains to introduce malicious code into legitimate software.
IoC:
[File Name] aiocpa
[Version] 0.1.13
[SHA1] a1187d2a4acfe8ddaee3c7be79a9bb838142903a
[SHA1] 7007be259829d72e73ff63ad409770ca56cfc418
[Version] 0.1.14
[SHA1] fc36c157075dd4302f71ed2660e19a61016b085c
[SHA1] 01f7db47368bffa279fb15c688518774454650cf
Full Research: https://www.reversinglabs.com/blog/malicious-pypi-crypto-pay-package-aiocpa-implants-infostealer-code
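As an added example (not ReversingLabs' tooling and not code from the aiocpa package), a defender-side triage script in Python that checks an unpacked package against the SHA1 IoCs listed above and flags the two behaviours the key points describe: decoder chains feeding exec()/eval() and Telegram Bot API strings. The sample package contents, the finding labels and the `<TOKEN>` placeholder are constructed for the demonstration.

```python
import ast
import hashlib
import re

# SHA1 values of the aiocpa 0.1.13 / 0.1.14 artifacts from the IoC list above.
KNOWN_BAD_SHA1 = {
    "a1187d2a4acfe8ddaee3c7be79a9bb838142903a",
    "7007be259829d72e73ff63ad409770ca56cfc418",
    "fc36c157075dd4302f71ed2660e19a61016b085c",
    "01f7db47368bffa279fb15c688518774454650cf",
}
# Strings a Telegram Bot API exfiltration channel tends to leave in source.
TELEGRAM_RE = re.compile(r"api\.telegram\.org|/bot\d+:[\w-]+|sendDocument|sendMessage")
DECODERS = {"b64decode", "b85decode", "decompress", "fromhex"}

def scan_source(src: str) -> list[str]:
    """Findings for one Python file: Telegram strings, decoder calls, and
    exec()/eval() fed by anything other than a plain string literal."""
    findings = ["telegram-api-string"] if TELEGRAM_RE.search(src) else []
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return findings + ["unparseable-source"]
    for call in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        fn = call.func
        name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", "")
        if name in ("exec", "eval") and call.args and not isinstance(call.args[0], ast.Constant):
            findings.append(f"dynamic-{name}")  # self-unpacking loader shape
        elif name in DECODERS:
            findings.append(f"decoder-{name}")
    return findings

def triage_files(files: dict[str, bytes]) -> dict:
    """files maps relative path -> content of an unpacked sdist/wheel. Flags files
    whose SHA1 is a listed IoC and Python files whose source trips scan_source()."""
    report = {"ioc_hits": [], "suspicious": {}}
    for rel, data in sorted(files.items()):
        if hashlib.sha1(data).hexdigest() in KNOWN_BAD_SHA1:
            report["ioc_hits"].append(rel)
        if rel.endswith(".py") and (hits := scan_source(data.decode(errors="replace"))):
            report["suspicious"][rel] = hits
    return report

# Constructed sample (not the real aiocpa payload): a layered decode feeding exec().
SAMPLE_PACKAGE = {
    "pkg/__init__.py": b"VERSION = '0.0.0'\n",
    "pkg/_loader.py": (b"import base64, zlib\n"
                       b"exec(zlib.decompress(base64.b64decode(BLOB)))\n"
                       b"URL = 'https://api.telegram.org/bot<TOKEN>/sendDocument'\n"),
}
```

Build the `files` mapping from a real download with `{str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}` after extracting the archive; a hash hit is conclusive, the heuristics are triage signals that still need a human look.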