Malicious PyPI Package Targets WooCommerce Stores with Automated Carding Attacks

The Socket research team uncovered a malicious Python package on PyPI named disgrasya, built to automate carding attacks against WooCommerce stores that use CyberSource as their payment gateway. The package makes no attempt to disguise its purpose: it lets low-skilled fraudsters test batches of stolen credit card numbers by pushing each card through a store's normal checkout flow, so the attempts look like ordinary customer transactions and are less likely to trip fraud detection. Affected: PyPI, WooCommerce, CyberSource

Keypoints :

  • Socket discovered the disgrasya package, which automates carding attacks specifically against WooCommerce stores running CyberSource.
  • The package was downloaded more than 34,860 times, a figure that points to wide uptake among fraudsters (PyPI download counts also include mirrors and automated installs, so treat it as an upper bound).
  • The script runs each stolen card through a simulated checkout that mimics a legitimate shopper, so the test transactions do not stand out as suspicious.
  • Carding attacks exploit weaknesses in online payment systems; global losses from them are estimated to reach 2 billion by 2028.
  • Merchants can mitigate the threat by enabling fraud protection on their gateway and monitoring for unusual transaction patterns, such as bursts of small orders or repeated declined attempts from a single source.
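
The monitoring advice in the last point is easiest to act on with a concrete detector. The Python below is an added example written for this summary, not code from the Socket report or from disgrasya itself. It assumes a hypothetical pipe-separated checkout-attempt log (timestamp, client IP, billing email, amount, card BIN, last four digits, gateway result); WooCommerce does not write such a file on its own, but any order or gateway audit export can be mapped to it. The detector flags a source IP that, inside a sliding ten-minute window, pushes many attempts through checkout with many different cards and a high decline rate, which is the signature of a card-testing run, and it reports which cards were approved during that burst so they can be voided and reported. The sample log is constructed; the card numbers are standard gateway test cards.

```python
"""Flag carding-style checkout bursts in a WooCommerce order/gateway log.

Added example for this summary; not from the Socket report or disgrasya.
Assumed (hypothetical) log format, one checkout attempt per line:
    timestamp | client IP | billing email | amount | card BIN | last4 | result
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    email: str
    amount: float
    bin6: str    # issuer BIN (first six digits); the full PAN is never logged
    last4: str
    result: str  # "approved" or "declined" as returned by the gateway


def parse_line(line: str) -> Attempt:
    """Parse one pipe-separated attempt record (assumed format, see module docstring)."""
    ts, ip, email, amount, bin6, last4, result = [f.strip() for f in line.split("|")]
    return Attempt(datetime.fromisoformat(ts), ip, email, float(amount), bin6, last4, result.lower())


def find_carding_bursts(attempts, window=timedelta(minutes=10), min_attempts=5,
                        min_distinct_cards=4, min_decline_ratio=0.5):
    """Return {ip: summary} for source IPs whose checkout traffic looks like card testing.

    An IP is flagged when some span of at most `window` contains at least
    `min_attempts` attempts from it, using at least `min_distinct_cards`
    distinct (BIN, last4) pairs, with at least `min_decline_ratio` of them
    declined. A real shopper retrying the same card once or twice stays far
    below all three thresholds. The summary describes the largest such span.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        start = 0
        for end, cur in enumerate(rows):
            # Slide the window start forward until rows[start:end+1] fits in `window`.
            while cur.ts - rows[start].ts > window:
                start += 1
            span = rows[start:end + 1]
            cards = {(a.bin6, a.last4) for a in span}
            declines = sum(a.result == "declined" for a in span)
            if (len(span) >= min_attempts
                    and len(cards) >= min_distinct_cards
                    and declines / len(span) >= min_decline_ratio):
                prev = flagged.get(ip)
                if prev is None or len(span) > prev["attempts"]:
                    flagged[ip] = {
                        "attempts": len(span),
                        "distinct_cards": len(cards),
                        "declines": declines,
                        # Cards that passed are the ones the fraudster will reuse: void and report them.
                        "approved_cards": sorted((a.bin6, a.last4) for a in span if a.result == "approved"),
                        "first": span[0].ts,
                        "last": span[-1].ts,
                    }
    return flagged


def analyze(log_text: str) -> dict:
    """Parse a whole log and run the burst detector over it."""
    attempts = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return find_carding_bursts(attempts)


# Constructed sample: one card-testing run from 203.0.113.7 (eight different
# cards, seven declines, one approval, identical 1.99 orders) next to two
# ordinary shoppers. BIN/last4 values are standard gateway test cards.
SAMPLE_LOG = """\
2025-04-01T10:00:05 | 203.0.113.7   | jdoe@example.net  | 1.99   | 411111 | 1111 | declined
2025-04-01T10:00:41 | 203.0.113.7   | jdoe@example.net  | 1.99   | 510510 | 5100 | declined
2025-04-01T10:01:20 | 203.0.113.7   | jdoe@example.net  | 1.99   | 378282 | 0005 | declined
2025-04-01T10:02:03 | 203.0.113.7   | jdoe@example.net  | 1.99   | 601111 | 1117 | approved
2025-04-01T10:02:44 | 203.0.113.7   | jdoe@example.net  | 1.99   | 400000 | 0002 | declined
2025-04-01T10:03:30 | 203.0.113.7   | jdoe@example.net  | 1.99   | 400000 | 0127 | declined
2025-04-01T10:04:12 | 203.0.113.7   | jdoe@example.net  | 1.99   | 400000 | 0069 | declined
2025-04-01T10:05:01 | 203.0.113.7   | jdoe@example.net  | 1.99   | 400000 | 0119 | declined
2025-04-01T10:01:10 | 198.51.100.23 | alice@example.org | 84.50  | 411111 | 4242 | declined
2025-04-01T10:02:15 | 198.51.100.23 | alice@example.org | 84.50  | 411111 | 4242 | approved
2025-04-01T10:07:48 | 198.51.100.77 | bob@example.org   | 129.00 | 555555 | 4444 | approved
"""

if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {s['attempts']} attempts, {s['distinct_cards']} cards, "
              f"{s['declines']} declined between {s['first']:%H:%M:%S} and {s['last']:%H:%M:%S}; "
              f"approved cards to void: {s['approved_cards']}")
```

Card testers rotate source addresses through proxies, so in production run the same window check keyed on billing email, session or device fingerprint as well as on IP, and feed the approved cards from a flagged burst into your void/refund process instead of fulfilling those orders.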

MITRE Techniques :

  • Initial Access — T1195.001 — Supply Chain Compromise: Compromise Software Dependencies and Development Tools – disgrasya was published to PyPI, the public package index, for distribution.
  • Credential Access — T1056 — Input Capture – the script handles the credit card data it submits during the simulated transactions.
  • Collection — T1213 — Data from Information Repositories – it scrapes the CSRF nonce and the CyberSource capture_context token from the WooCommerce checkout page before submitting a card.
  • Command and Control — T1071.001 — Application Layer Protocol: Web Protocols – exfiltration travels over ordinary HTTPS to the attacker's server, blending in with normal web traffic.
  • Defense Evasion — T1027 — Obfuscated Files or Information – the carding logic is embedded in what presents itself as an ordinary Python library.
  • Execution — T1204.002 — User Execution: Malicious File – the script is run by the operator and walks through a checkout workflow that looks like a normal customer transaction.
  • Exfiltration — T1041 — Exfiltration Over C2 Channel – card data is sent to the attacker's external server for analysis.
  • Impact — T1657 — Financial Theft – successful test transactions identify which stolen cards are still live and can be used for fraudulent purchases.

Indicator of Compromise :

  • [Malicious Domain] railgunmisaka[.]com
  • [URL] hxxps://www[.]railgunmisaka[.]com/cybersourceFlexV2
  • [Package Name] disgrasya
  • [Malicious Versions] 7.36.9 and above


Full Story: https://socket.dev/blog/malicious-pypi-package-targets-woocommerce-stores-with-automated-carding-attacks
