Cybercriminals are using Stack Overflow as a vector to deploy malware. According to reports, the attackers answer users' questions on the platform while promoting a malicious PyPI package that installs Windows information-stealing spyware.
Threat actors published this PyPI package, 'pytoileur', to the PyPI repository last week and promoted it as an API administration tool. Campaigns of this kind usually rely on typosquatting, publishing malicious packages under names that closely resemble popular ones.
With this package, however, the threat actors took a different approach: they answered questions on Stack Overflow and advertised the package as the solution.
Stack Overflow is a well-known platform for developers of various skill levels to ask and answer questions.
The pytoileur package used in the Stack Overflow campaign includes a 'setup.py' file that hides a base64-encoded command by padding the line with spaces, so the command stays out of view until the target enables word wrap in their IDE or text editor.
When deobfuscated, this command downloads and launches an executable named 'runtime.exe' from a remote server.
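As an added defensive illustration (not code from the original article or from the package it describes), the scanner below flags the two traits the article attributes to the malicious setup.py: a long run of whitespace that pushes code past the visible margin, and a base64 literal fed into a decode/exec call. The sample setup.py text, its package name and the encoded placeholder string are constructed for this example.

```python
import base64
import re

# Constructed sample (not the real pytoileur file): 200 spaces push the
# decode/exec statement off-screen, and the encoded text is a harmless placeholder.
SAMPLE_SETUP_PY = (
    'from setuptools import setup\n'
    'setup(name="example-pkg", version="1.0")\n'
    '# noqa' + ' ' * 200 + 'exec(base64.b64decode("'
    + base64.b64encode(b'print("constructed placeholder payload")').decode() + '"))\n'
)

# A whitespace run this long has no formatting purpose in a setup.py line.
WHITESPACE_RUN = re.compile(r"[ \t]{40,}")
# Calls that turn a string literal into running code or spawn a process.
DANGEROUS_CALLS = re.compile(r"\b(exec|eval|b64decode|subprocess|os\.system)\b")
# A quoted literal that looks like base64 (long enough to carry a command).
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/=]{16,})["\']')


def scan_setup_py(text):
    """Return one finding per suspicious line: the line number, the reasons it
    was flagged, and the decoded base64 literal (if any) so a reviewer can read it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        reasons = []
        if WHITESPACE_RUN.search(line):
            reasons.append("long whitespace run (code hidden past the visible margin)")
        calls = sorted(set(DANGEROUS_CALLS.findall(line)))
        if calls:
            reasons.append("decode/exec call: " + ", ".join(calls))
        decoded = None
        match = B64_LITERAL.search(line)
        if match:
            try:
                raw = base64.b64decode(match.group(1), validate=True)
                decoded = raw.decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                decoded = None
        if reasons:
            findings.append({"line": lineno, "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print(finding)
```

Run it against any downloaded sdist's setup.py before installing; a hit on the whitespace rule alone is worth a manual look, since the padding has no legitimate use.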
Researchers explained that this executable is a Python program converted into an .exe file. It acts as information-stealing malware that collects cookies, passwords, browsing history, credit card data, and other information from web browsers.
The researchers also noticed that the payload scans documents for specific terms; any matching details become the main target of the theft. The stolen information is then transmitted back to the perpetrators, who can sell it on dark web markets or use it to access the victim's other accounts.
Malicious PyPI packages and information stealers on public repositories are nothing new. What makes this method notable is that the fraudsters pose as helpful contributors on Stack Overflow, exploiting the trust and authority the site holds in the coding community.
The community on this platform should therefore remember that fraudsters continuously change their strategies, which is why a user should never immediately trust anything online.
Instead, developers must validate the source of every package they add to their projects. Even when the source appears trustworthy, they should verify the legitimacy and safety of the code and look for unusual or obfuscated commands that such a package has no need for.