Security researchers have linked the attack to the same threat group previously behind fake recruiter-themed social engineering campaigns targeting victims’ cryptocurrency information earlier this year.
The malicious package impersonates the well-known “pyspellchecker” module, which has over 18 million downloads. Although the fake version has only been downloaded around 950 times, it poses a significant supply-chain threat to Python developers who unknowingly install malicious dependencies.
Multi-Stage Backdoor Functionality
The attack uses a layered infection process to evade static analysis and detection. In the first stage, the malicious code hides in an encoded index file named ma_IN.index. Upon installation, the script executes code from this hidden file using Base64 decoding through the following function call:
```python
import base64

# encoded_index holds the Base64 text read from the bundled ma_IN.index file
decoded_index = base64.b64decode(encoded_index).decode("utf-8")
exec(decoded_index)  # runs the hidden first-stage loader
```
This triggers a remote request to the attacker’s command-and-control (C2) server at dothebest.store/allow/inform.php, which delivers another encoded payload. The decoded script then opens a new subprocess that downloads and executes the second-stage malware.
The second stage establishes persistent communication with dothebest.store/refresh.php, functioning as a Remote Access Trojan (RAT). It uses custom encryption and XOR obfuscation for network communications and employs Base64 encoding to bypass static detection tools.
Once active, the RAT can receive remote commands and execute arbitrary Python code via the exec() function, granting the attacker complete remote control of the compromised system.
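The decode-then-exec loader and the Base64 payload hidden in a data file are both things a static scan of an installed package can surface. The following scanner is an added example written for this article, not code from the researchers or from any package: it flags .py files that combine base64.b64decode() with exec(), and non-.py files whose Base64 runs decode to text that looks like Python source. The package layout it scans is constructed here (the ma_IN.index name is taken from the article; the blob inside decodes to a harmless print stub) and the keyword heuristics are assumptions, not a published signature.

```python
import base64
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: a Base64 blob that is decoded and handed
# to exec(), stored in a non-.py "index" file bundled with the package.
B64_DECODE_RE = re.compile(r"base64\.b64decode\(")
EXEC_RE = re.compile(r"\bexec\(")
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Assumed heuristic: tokens that rarely appear in genuine wordlist/data files.
PY_HINT_RE = re.compile(r"\b(import|exec|subprocess|socket|urllib|def)\b")


def decodes_to_python(blob):
    """True if a Base64 run decodes to UTF-8 text that resembles Python source."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return bool(PY_HINT_RE.search(text))


def scan_package_dir(root):
    """Return (relative path, indicator) pairs for suspicious files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".py":
            # A loader that Base64-decodes something and exec()s it.
            if B64_DECODE_RE.search(text) and EXEC_RE.search(text):
                findings.append((rel, "b64decode+exec"))
        elif any(decodes_to_python(b) for b in B64_BLOB_RE.findall(text)):
            # A "data" file that is really an encoded Python payload.
            findings.append((rel, "base64-python-in-data-file"))
    return findings


def build_sample_package(root):
    """Write a constructed, harmless package layout mimicking the described one."""
    pkg = Path(root) / "spellchecker"
    (pkg / "resources").mkdir(parents=True)
    # Constructed stand-in for the hidden index file; decodes to a harmless stub.
    stub = "import os\nimport sys\nprint('constructed harmless stub, not the real payload')\n"
    (pkg / "resources" / "ma_IN.index").write_text(
        base64.b64encode(stub.encode()).decode(), encoding="utf-8")
    # Constructed loader with the same decode-then-exec shape the article quotes.
    (pkg / "__init__.py").write_text(
        "import base64\n"
        "encoded_index = open('resources/ma_IN.index').read()\n"
        "decoded_index = base64.b64decode(encoded_index).decode('utf-8')\n"
        "exec(decoded_index)\n", encoding="utf-8")
    # Benign files that must not be flagged.
    (pkg / "words.txt").write_text("apple\nbanana\ncherry\n", encoding="utf-8")
    (pkg / "corrector.py").write_text(
        "def correct(word):\n    return word.lower()\n", encoding="utf-8")


def demo():
    """Build the constructed package in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        return scan_package_dir(tmp)


if __name__ == "__main__":
    for rel, indicator in demo():
        print(f"{indicator}: {rel}")
```

Point scan_package_dir() at a site-packages directory or an unpacked sdist/wheel; the two indicators are independent, so a package that ships only the encoded data file (with the loader elsewhere) still produces a hit.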
Infrastructure and Attack Motive
Analysis of the C2 infrastructure shows substantial overlap with previous fake-recruiter campaigns tied to cryptocurrency theft. Those earlier campaigns tricked victims via social media messages that appeared to be job offers, eventually delivering malware that stole information.
In this latest variant, the attackers have expanded their attack surface by infiltrating the supply chain via PyPI, one of the most widely used Python repositories in the developer ecosystem.
The malicious component’s code employs XOR-based encryption routines, dual-layer payload decryption, disguised protocol formats, and exception suppression to hinder analysis and detection. This sophisticated approach allows the malware to function silently until the attacker issues remote commands.
Researchers recommend that developers verify dependencies carefully and avoid unverified packages whose names closely resemble well-known ones. Removing the malicious spellchecker package immediately, reviewing system processes, and resetting any compromised API keys or cryptocurrency wallets are advised.
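One concrete form of the "verify dependencies" advice is to compare every requested package name against an approved list and flag near misses before installation. The checker below is an added example, not tooling from the researchers or from PyPI: the allow-list, the requirements text and the lookalike names in it (pyspelchecker, cryptograpy) are constructed for illustration, the similarity cutoff is an assumption, and name normalisation follows the PEP 503 rule of case-folding and collapsing runs of "-", "_" and ".".

```python
import difflib
import re

# Constructed allow-list; in practice this would be an organisation's
# approved-dependency inventory or a lock file that has been reviewed.
KNOWN_PACKAGES = {"pyspellchecker", "requests", "numpy", "cryptography", "urllib3"}


def normalize(name):
    """PEP 503 name normalisation: lower-case, runs of -_. become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lookalikes(name, known=KNOWN_PACKAGES, cutoff=0.8):
    """Approved names that are suspiciously close to name (empty if exact match)."""
    candidates = [normalize(k) for k in known]
    norm = normalize(name)
    if norm in candidates:
        return []
    # difflib ratio of 0.8 is an assumed threshold; tune against your own inventory.
    return difflib.get_close_matches(norm, candidates, n=3, cutoff=cutoff)


def parse_requirements(text):
    """Extract bare project names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("-"):    # skip blanks and pip options
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(match.group(0))
    return names


def check_requirements(text, known=KNOWN_PACKAGES):
    """Map each requested name that is a near miss to the approved names it resembles."""
    report = {}
    for name in parse_requirements(text):
        near = lookalikes(name, known)
        if near:
            report[name] = near
    return report


# Constructed sample; the misspelt names are made up for this example.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
requests==2.31.0
pyspelchecker>=0.7
numpy
cryptograpy==41.0
"""

if __name__ == "__main__":
    for name, near in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name}: did you mean {', '.join(near)}?")
```

Run this as a pre-install gate in CI alongside pinned versions and hash checking; a near miss is a reason to stop and confirm the intended package, not proof of malice on its own.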
The post Cybercriminals Deploy Infected PyPI Package to Attack Users and Capture Crypto Details appeared first on Cyber Security News.
