Official programming language repositories continue to be targeted by attacks in which criminals imitate the look and features of legitimate software to distribute malware. This time the target is again PyPI, the package index for Python, which was used to spread a malicious edition of a known toolkit, now aimed at stealing data from developers and companies.

In the campaign, criminals try to impersonate the developers of aiotools, a library that brings together different resources and utilities for programmers. Under a similar name, aiotoolsbox, the package does deliver the functionality its downloaders expect, but it comes accompanied by malware designed to steal personal information such as system access secrets and credentials.

The operation caught the attention of Check Point Research, which issued the alert, because the package is a complete copy of the legitimate solution, whereas most scams of this type limit themselves to borrowing names and other official details. According to the security company, it is also notable that the account used by the criminals was originally created in 2019, with malicious packages published only now, an indication that this was a legitimate profile that ended up being compromised by attackers.

Other methods of hiding the malicious activity are also used, such as hosting the malware that is downloaded in a second stage on servers that also imitate official services for the Python language. The code is obfuscated to hinder manual and automated analysis, and the fragments used to install the malware are deleted once the infection is complete, leaving fewer traces.

The Check Point team also found a second package, published by another profile but apparently linked to the same campaign. The async-proxy package, focused on data synchronization, does not try to imitate a legitimate tool; instead it downloads the malicious edition of aiotools, infecting users interested in it and exposing them to the same theft of development data.

According to the researchers, the malicious packages also received multiple updates, with changes to configuration files and frameworks. The origin IP of the connections also changed, initially Russian and later German, another way of hiding the activity, since the first address is more likely than the second to draw attention in network monitoring.

According to Check Point, the alert concerns the use of fake packages of this type in attacks against the software supply chain. By installing malicious tools, developers can compromise their own projects and, through them, carry the malware on to more professionals, companies and, finally, end users, so the exploitation chain reaches much further than the original spread.

Because of this, caution is advised when downloading packages from PyPI and other code repositories. Ideally, look for profiles of well-known, legitimate developers who provide ongoing support and have ratings and comments from other users; avoiding new accounts or those with few publications, for example, helps keep software production secure.
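One defensive check that follows from the naming trick in this campaign (aiotoolsbox built on top of the legitimate name aiotools) is to screen a requirements list for names that imitate packages you already trust. The example below is added here and is not Check Point's tooling or code from the report; the allow-list and the requirement lines are constructed for illustration.

```python
"""Screen requirement lines for names that imitate well-known packages."""
from typing import List, Optional, Tuple

# Constructed allow-list for this example; in practice it would come from an
# organisation's approved-package inventory.
KNOWN_PACKAGES = ["aiotools", "requests", "numpy", "aiohttp"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two names (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PyPI compares names case-insensitively and treats '-', '_' and '.' alike."""
    return name.lower().replace("_", "-").replace(".", "-")


def lookalike_of(name: str, known=KNOWN_PACKAGES, max_distance: int = 2) -> Optional[str]:
    """Return the trusted package a name imitates, or None if it looks unrelated.

    Covers the two patterns seen in this kind of campaign: a trusted name padded
    with extra characters (aiotools -> aiotoolsbox) and small typos within
    ``max_distance`` edits. Exact matches are trusted and never flagged.
    """
    n = normalize(name)
    normalized_known = {normalize(k): k for k in known}
    if n in normalized_known:
        return None
    for kn, original in normalized_known.items():
        # Prefix/suffix hits are heuristics worth a review, not automatic proof of abuse.
        if n.startswith(kn) or n.endswith(kn) or edit_distance(n, kn) <= max_distance:
            return original
    return None


def screen_requirements(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (requested, imitated) pairs from lines such as 'pkg==1.0' or 'pkg>=2'."""
    flagged = []
    for line in lines:
        spec = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not spec:
            continue
        name = spec.split("==")[0].split(">=")[0].split("[")[0].strip()
        hit = lookalike_of(name)
        if hit:
            flagged.append((name, hit))
    return flagged
```

Run it over a requirements file before installation; a non-empty result is a signal to inspect the publisher's account age and history, as the article recommends, rather than a verdict on its own.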
