PyPi Malware Detection: Stealing Discord Tokens to Spread Malware

August 22, 2022 · 3 min read

Earlier this month, security researchers identified PyPi malware that exfiltrated users’ credentials, apps’ cookies, and browsing history, along with other sensitive data. The research indicates that adversaries upload malicious packages to the Python Package Index (PyPI), a vast repository of open-source Python packages, and dupe users into downloading them by advertising bogus functionality and Roblox tools. In reality, the malware attempts to steal stored data. When executed, it targets browsers such as Google Chrome, Firefox, and Opera; it also compromises Discord, injecting a persistent malicious agent into the app’s processes.

Detect PyPi Malware

To help organizations better protect their infrastructure, our keen Threat Bounty developer Aytek Aytemur has recently released a dedicated Sigma rule that enables effortless PyPi malware detection. Security teams can download this and other relevant rules from SOC Prime’s Detection as Code platform:

New PyPi Malware (via process_creation)

The rule is aligned with the MITRE ATT&CK® framework v.10, addressing the Defense Evasion and Execution tactics with Masquerading (T1036) and Scheduled Task/Job (T1053) as the primary techniques.

Hit the View in SOC Prime Platform button to access a vast library of cyber threat detection content. All rules are mapped to the MITRE ATT&CK framework, thoroughly curated and verified. SOC professionals looking to comb through their organization’s security data with better efficiency are welcome to leverage the benefits of the industry-first search engine for Threat Hunting, Threat Detection, and Cyber Threat Intelligence. To give the tool a go, press the Drill Down to Search Engine button.


PyPi Malware Analysis

PyPi is an open-source repository highly popular among both large and small organizations. Threat actors leverage the platform’s popularity among millions of users to distribute malicious packages that mimic legitimate offerings useful to Python-based projects.

In the current tidal wave of attacks that use the repository as their launch point, adversaries employ different approaches to plant their malware. In the case of the distribution of the malicious package aimed at Windows hosts, the activated malware is used to steal available data and hijack Discord resources to download more executables. The names of the weaponized packages are the following: Free-net-vpn and Free-net-vpn2, Test-async, Ascii2text, Pyg-utils, Pymocks, PyProto2, Zlibsrc, WINRPCexploit, and Browserdiv. Researchers warn that even though they were removed from the repository, many users still might be storing the packages within their systems.
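The Sigma rule above matches on process_creation events and covers Masquerading and Scheduled Task/Job; the paragraph above lists the package names. The following script is an added example, not SOC Prime's rule or the researchers' code: a minimal process_creation triage function that flags installation of the named packages (compared with pip's name normalization, so `Free_Net_VPN` still matches) and a scheduled-task creation spawned by a Python interpreter (T1053). The field names `Image`, `ParentImage` and `CommandLine` follow the Sysmon/Sigma process_creation convention, and the sample events are constructed.

```python
"""Added example, not SOC Prime's rule or the researchers' code: a minimal
process_creation triage function for the two behaviours the post names.
Field names (Image, ParentImage, CommandLine) follow the Sysmon/Sigma
process_creation convention; the sample events below are constructed."""
import ntpath   # handles both '\\' and '/' separators regardless of host OS
import re
import shlex

# The weaponized package names quoted in the post. pip treats '-', '_' and '.'
# in names as equivalent and ignores case, so we compare normalized forms.
MALICIOUS_PACKAGES = {
    "free-net-vpn", "free-net-vpn2", "test-async", "ascii2text", "pyg-utils",
    "pymocks", "pyproto2", "zlibsrc", "winrpcexploit", "browserdiv",
}
PYTHON_IMAGES = {"python.exe", "pythonw.exe", "py.exe"}


def normalize(name: str) -> str:
    """Apply pip's name normalization and drop any version specifier/extras."""
    bare = re.split(r"[=<>!~\[;@]", name, maxsplit=1)[0]
    return re.sub(r"[-_.]+", "-", bare).lower()


def pip_install_targets(cmdline: str) -> list:
    """Return the package arguments of a 'pip install' command line, or []."""
    try:
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:            # unbalanced quotes: not a parseable command
        return []
    lowered = [t.lower() for t in tokens]
    basenames = [ntpath.basename(t) for t in lowered]
    pip_like = any(b in ("pip", "pip.exe", "pip3", "pip3.exe") for b in basenames) \
        or ("-m" in lowered and "pip" in lowered)
    if not pip_like or "install" not in lowered:
        return []
    after = tokens[lowered.index("install") + 1:]
    return [t for t in after if not t.startswith("-")]


def triage(event: dict) -> list:
    """Return the alert labels a single process_creation event triggers."""
    alerts = []
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmdline = event.get("CommandLine", "")

    hits = sorted({normalize(p) for p in pip_install_targets(cmdline)} & MALICIOUS_PACKAGES)
    if hits:
        alerts.append("malicious_pypi_package:" + ",".join(hits))

    # Scheduled Task/Job (T1053) created by a Python interpreter: the
    # persistence step the post attributes to this malware.
    if image == "schtasks.exe" and parent in PYTHON_IMAGES \
            and "/create" in cmdline.lower():
        alerts.append("python_spawned_schtasks_create")
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Python39\Scripts\pip.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "pip.exe install Free_Net_VPN requests"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Python39\python.exe",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "C:\Users\Public\update.exe"'},
    {"Image": r"C:\Python39\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Python39\python.exe" -m pip install requests==2.28.1'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "schtasks.exe /Query"},
]


def triage_all(events) -> dict:
    """Map each event index to its alerts, omitting events with none."""
    return {i: a for i, a in ((i, triage(e)) for i, e in enumerate(events)) if a}


if __name__ == "__main__":
    for idx, alerts in triage_all(SAMPLE_EVENTS).items():
        print(idx, alerts)
```

Matching on package names only catches the packages already known; the schtasks check is behavioural and will also surface a renamed copy, at the cost of noise from legitimate Python tooling that registers tasks, so tune the parent-image list to your environment.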

More reports of adversaries leveraging PyPI to distribute elaborate threats have been recently piling up. Illicit planting of cryptominers, as a tried-and-true way to infect victim systems, is currently on the rise. 

SOC Prime offers indispensable solutions to help businesses sustain hard-to-breach systems’ protection. Are you eager to join forces with industry leaders and share your Sigma and YARA rules to make the world safer? Join our Threat Bounty Program to get recurrent rewards for your valuable input!
