Cybersecurity researchers from Fortinet’s FortiGuard Labs found nine packages delivering the WhiteSnake Stealer. The packages are called nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. WhiteSnake is a Windows infostealer, capable of working around antivirus programs, and communicates with the C2 server via the Tor protocol, the researchers explained.
Its main function is to steal information from the compromised endpoints, and execute various commands. The information it’s after is mostly data from web browsers, cryptocurrency wallets and browser add-ons, and important apps such as Discord, Signal, Telegram, and similar.
Eyes on cryptos
Some of the packages were also observed carrying a more advanced version of the malware that also comes with a clipboard monitor and an overwrite feature. This feature is designed to assist in cryptocurrency theft, as people wanting to send their tokens from one address to another will almost always copy and paste the receiving address, instead of typing it out. With this malware, the attackers can replace the copied wallet address with one belonging to them, having the victim send their funds to the wrong address.
PyPI is one of the world’s largest and most popular Python package repositories. As such, it’s a frequent target by threat actors who mostly do two things: either create an entirely new malicious package, or engage in typosquatting - creating a package similar to a legitimate one, and naming it almost exactly the same. That way, the developers can mistakenly install the malicious one.
Developers are urged to be vigilant when using PyPI and similar services and always make sure they’re downloading a legitimate package. They should look out for strange typos, inconsistent download numbers, and user reviews.
Via The Hacker News
More from TechRadar Pro
- More PyPI packages stealing data have been discovered
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.