In early November, several malicious packages were reported by Phylum and CheckPoint. We link these two reports to the same attacker with a unique approach to hiding its malicious code.

Checkmarx supply chain security research team tracked the actors behind those attacks as the threat actor “WASP.”

The threat actor is still active and is releasing more malicious packages. We will continuously update the IOC list and packages in this report.

Our team was able to get inside the attacker’s “hall of fame,” where we could see hundreds of successful infections.

As we continued to track and investigate this malicious user and the malicious packages it was uploading, it was discovered that the attacker was using polymorphic malware (the payload changes with every install), reboot persistent, using steganography to hide code inside packages, building a fake GitHub reputation.

The malware is targeted at stealing all the victim’s Discord accounts, passwords, crypto wallets, credit cards, and other interesting files on the victim’s PC, sending them back to the attacker through a hard-coded Discord webhook address.

The attack seems related to cybercrime as the attacker claims that these tools are undetectable to increase sales.

This recent attack shows the importance of sharing threat intel in the open-source ecosystem to better protect against the growing number of attackers.

What’s WASP Stealer

WASP stealer is a discord malware that grabs all the Discord accounts, all the passwords, all the crypto wallets, all the credit cards, and all the interesting files on the victim’s PC and sends them back to the attacker

The makers of WASP claim it is entirely undetectable and is “protected by some awesome obfuscation.”

It has persistency when infected to be enabled at the startup of the pc

The maker of WASP is selling it for $20, where the payment is made with crypto or gift cards.

Bad Guy Strikes Again

As we’ve seen in the past, attackers are lazy and re-use (if they can) their already-made user accounts to launch more of the same attacks under different, unoccupied package names.

In this case, the Python security team was involved and removed the “apicolor” package. The attacker just added an “s” and published “apicolors.”

Later on, that package was also removed, and the attacker tried “colorsapi” and then “colorapi.” All were using the same PyPi user account.

Technical Analysis

After installing the package, the setup.py script is executed, and additional Python packages are installed. One of the packages is judyb, and it provides steganography utilities.

Stage 1 — Steganography

Next, the setup.py script downloads a .png image from this address and saves it in the operating system’s temp directory.

Then, the setup.py script uses the “lsb.reveal” function, which is located in the freshly installed judyb package, to extract a hidden code from the image downloaded.

The majority of the data is base64-encoded. Once decoded, the result is the following:

Stage 2 — Fetching New Code

Once the code in the previous stage is executed, it fetches another piece of code from this URL “hxxp://misogyny[.]wtf/inject/UsRjS959Rqm4sPG4”.

The response code is polymorphic (as we’ll discuss in the next chapter) and highly obfuscated.

The juicy code in this stage is gzip encoded, so the first instruction executed is to decode it and load it. Once this happens: (1) Additional code from “hxxp://misogyny[.]wtf/grab/UsRjS959Rqm4sPG4” is fetched and stored as a file in the operating system’s temp directory with a random name. (2) The code modifies the registry key — `HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun` so that this python code will be persistent across reboots.

Stage 3 — Silent Agent

At this point, the machine is infected, and the persistent script is running in the background. It has inside a modified version of the WASP stealer malware that grabs “all the Discord accounts, all the passwords, all the crypto wallets, all the credit cards, and all the interesting files on the victim’s PC”, said the maker of this campaign, and sends the data back to the attacker’s discord webhook which is hard coded inside as you can see in the image below:

This script also fetches the victim’s geolocation. If you’re interested in inspecting the full decoded payload, we’ve made it available via this gist (just watch out and don’t run it!).

Polymorphic Payload

As mentioned earlier, the attacker has used a polymorphic payload meaning every time 2nd and 3rd stage URLs are loaded, different code will result. An attempt to have his persistent infections unique to stay under the radar.

To illustrate, every time a new request is performed on “hxxp://misogyny[.]wtf/inject/UsRjS959Rqm4sPG4” or “hxxp://misogyny[.]wtf/grab/UsRjS959Rqm4sPG4”, it results with a partially unique server-generated code, as you can see in the image below:

Who’s Behind This?

When inspecting the malicious code and the URLs inside, we found that one URL “hxxp://misogyny[.]wtf:2020/copy” redirects to “hxxps://discord[.]gg/wasp” — an open invitation to join the attacker’s Discord server.

Inside we’ve found a Discord server managed by a single user — the Discord user “Alpha.#0001”.

Looking at this user’s profile, there’s a verified Steam account connected (a popular gaming marketplace), and it appears he used to call himself “zeeckt.” on that Steam account.

Then, we quickly found zeeckt.’s YouTube channel, with show-off videos of him building Discord hacking tools.

Fake GitHub Profiles

As reported by CheckPoint, this attacker is creating many fake users to appear legitimate while stealing the profile description from popular user accounts. In the example below, to the left is the fake profile and to the right is the real profile. Spotting the difference?

The Victim’s Story

I managed to track and chat with one victims of this malware. His name is Mars Shards, a high school student passionate about writing code.

Sadly for Mars, he bumped into one of the attacker’s fake GitHub profiles and thought it is legitimate.

While Mars tried to use the code on GitHub, it didn’t work as expected. a couple of hours later he noticed that something is not right — his Discord user has added automatically to the WASP Discord server and he realized after reading the messages on that server, that he was under attack.

Mars quickly formatted his computer. As frustrated as one can get about falling victim, he made a video to warn other developers to pay attention to this scam.

Inside the Wasp’s Nest

Browsing the Discord server “WASP”, there are hundreds of victims who appear to have been infected by this malware.

For some reason, “Alpha” (the attacker) is trying to sell his malware for $20 in this channel while claiming this is “FUD (fully undetectable)” and providing screenshots of how it looks from the attacker’s POV:

A Cat and a Mouse Game

As our team kept track of this guy’s fingerprint, we swiftly detected his new activities and disclosed them to PyPi, and we kept on his tail as he continued jumping across different user accounts, trying to mess around.

Whenever we take one step forward, attackers also take a step forward. A never-ending fight.

Next Steps?

The attacker claimed yesterday that he’s working on an “exe version.”

And earlier today, he was seen exploiting the ecosystem again with a new identity, PyPi user “halt,” and uploaded Typosquatting packages combined with the Starjacking technique (stealing the stars from another project).

As suspected, these batches of packages download .exe malware, packed with Pyinstaller, and are obfuscated using the same tricks.

As we’re still investigating this, we’ll update this report as soon as possible with new discoveries. Stay tuned. 🙏

Conclusion

The level of manipulation used by software supply chain attackers is increasing as attackers get increasingly more clever.

It seems this attack is ongoing, and whenever the security team of Python deletes his packages, he quickly maneuvers and creates a new identity or simply uses a different name.

The simple and lethal technique of fooling using by creating fake GitHub accounts and sharing poisoned snippets has proven to trick hundreds of users into this campaign.

This is the first time seen polymorphic malware used in software supply chain attacks, and It seems we will experience even more attacks like this.

The attack seems related to cybercrime as the attacker claims that these tools are undetectable to increase sales.

This recent attack shows the impotence of sharing threat intel in the open-source ecosystem to better protect against the growing number of attackers.

List of Packages

The following is the list of malicious packages related to this attacker:

IOC

hxxps://i.imgur[.]com/aRl53RS.png
hxxps://i.imgur[.]com/xbQ1J4D.png
misogyny[.]wtf
hxxp://misogyny[.]wtf/inject/UsRjS959Rqm4sPG4
hxxp://misogyny[.]wtf:8080/
hxxp://misogyny.wtf:2020/copy
hxxp://misogyny[.]wtf/grab/UsRjS959Rqm4sPG4
hxxp://misogyny.wtf:2020/parser
hxxps://cdn[.]discordapp[.]com/attachments/1039182045575925784/1039513531667726336/UPDATE.exe
hxxps://cdn[.]discordapp[.]com/attachments/1039182045575925784/1039513532061978685/FEED.exe