Summary:
Researchers at Fortinet uncovered a Python Package Index (PyPI) malware author who goes by the ID “WS” uploading malicious packages to PyPI, designed to infect developers with WhiteSnake Stealer. Several packages were identified including nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111, which researchers estimate to have impacted over 2000 victims. All of these packages incorporate Base64-encoded source code of PE or other Python scripts. If executed on Windows systems, the packages will execute WhiteSnake Stealer, while a Python scrip designed to harvest information is initiated on Linux systems.

Security Officer Comments:
The latest packages uncovered are similar to those employed in a malicious campaign from early 2023, indicating that this actor has been in operation for quite some time.

For its part, WhiteSnake Stealer is designed to steal information from the victim environment, including host info as well as data from web browsers, cryptocurrency wallets, and apps including WinSCP, CoreFTP, Windscribe, Filezilla, AzireVPN, Snowflake, Steam, Discord, Signal, and Telegram. Researchers note data gathered by the stealer is exfiltrated to a C&C server via the Tor protocol. A notable feature about the info stealer is that it comes with a Anti-VM mechanism, designed to avoid execution in Virtual environments.

Suggested Corrections:
Although open-source repositories like PyPI are designed to help end users develop or update applications more quickly, we are seeing a continued increase in threat actors uploading malicious packages to this repository to compromise victims and steal sensitive data. As a precaution users should be more careful when using open-source packages, checking for malicious content or payloads that may render targeted devices susceptible to information theft.

IOCs:
https://www.fortinet.com/blog/threat-research/info-stealing-packages-hidden-in-pypi

Link(s):
https://thehackernews.com/2024/01/malicious-pypi-packages-slip-whitesnake.html