Trojan Embedded in crytic-compilers Python Package Targets Popular Blockchain Utility

Summary:
The Socket Research Team has uncovered a malicious Python package named ‘crytic-compilers’, created through typosquatting. This package masquerades as a legitimate tool for smart contract compilation but contains a trojan executable that targets Windows systems. The incident highlights the risks associated with open-source package registries and the need for vigilant monitoring.
#Typosquatting #PythonSecurity #MaliciousPackages

Keypoints:

  • Malicious behavior identified in the Python package ‘crytic-compilers’ on PyPI.
  • The package is a typosquatting variant of the legitimate ‘crytic-compile’ used for smart contract compilation.
  • It has been downloaded approximately 6,000 times daily, indicating its popularity in the crypto development community.
  • The malicious package executes a trojan named ‘s.exe’ on Windows systems.
  • 465 repositories depend on ‘crytic-compile’, underscoring its significance.
  • The malicious script conditionally executes the trojan based on the operating system.
  • The trojan ‘s.exe’ has been flagged by multiple antivirus engines on VirusTotal.
  • Continuous monitoring of packages is essential to protect the software supply chain.

MITRE Techniques:

  • Execution (T1203): The malicious package executes a trojan on Windows systems.
  • Command and Control (T1071): The package attempts to download ‘crytic-compile’ from its GitHub repository while executing malicious payloads.
  • Defense Evasion (T1203): The script checks the operating system to conditionally execute the trojan, evading detection on non-Windows platforms.

IoC:

  • [File Name] s.exe
  • [File Hash] b09ef792135fd0896ce7eb57638ea9199f1ae37f4a374398198a54bd84e2a5a2
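As an added detection example (not part of the Socket research and not the package's own code), the following Python scans a site-packages tree for the three signals listed above: a distribution name within a short edit distance of ‘crytic-compile’, a Windows executable bundled inside a package, and a file whose SHA-256 matches the IoC hash. The sample tree it builds is constructed, with a placeholder ‘s.exe’ and a made-up version number, not the real sample.

```python
import hashlib
import tempfile
from pathlib import Path

# IoC hash taken from the advisory above (SHA-256 of the bundled 's.exe').
TROJAN_SHA256 = "b09ef792135fd0896ce7eb57638ea9199f1ae37f4a374398198a54bd84e2a5a2"
LEGIT_NAME = "crytic-compile"  # the legitimate project the typosquat imitates


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between distinct names suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_typosquat(name: str, legit: str = LEGIT_NAME, max_dist: int = 2) -> bool:
    name, legit = name.lower().replace("_", "-"), legit.lower().replace("_", "-")
    return name != legit and edit_distance(name, legit) <= max_dist


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_site_packages(root: Path) -> list:
    """Flag typosquat dist-info names, bundled Windows executables, and IoC hash matches."""
    findings = []
    for p in root.rglob("*"):
        if p.is_dir() and p.name.endswith(".dist-info"):
            dist = p.name[: -len(".dist-info")].split("-")[0]
            if is_typosquat(dist):
                findings.append(("typosquat-name", p.name))
        elif p.is_file():
            rel = p.relative_to(root).as_posix()
            if p.suffix.lower() == ".exe":
                findings.append(("bundled-executable", rel))
            if sha256_of(p) == TROJAN_SHA256:
                findings.append(("ioc-hash-match", rel))
    return findings


def build_demo_tree() -> Path:
    """Constructed sample site-packages; the 's.exe' is placeholder bytes, not the real trojan."""
    root = Path(tempfile.mkdtemp())
    (root / "crytic_compilers-0.3.1.dist-info").mkdir()  # version number is made up
    (root / "crytic_compilers").mkdir()
    (root / "crytic_compilers" / "s.exe").write_bytes(b"MZ placeholder, not the real sample")
    (root / "crytic_compile-0.3.1.dist-info").mkdir()  # legitimate name, must not be flagged
    return root
```

Run `scan_site_packages(Path(site.getsitepackages()[0]))` against a real environment; a hash match on the IoC is conclusive, while the name and executable signals are leads for manual review.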


  • Full Research: https://socket.dev/blog/trojan-embedded-in-crytic-compilers-python-package