Trouble in Da Hood: Malicious Actors Use Infected PyPI Packages to Target Roblox Cheaters | Imperva

In recent research on compromised and malicious PyPI packages, Imperva Threat Research has identified an ongoing malware campaign specifically targeting Roblox hackers. Over time, vast communities have assembled on various platforms such as Reddit, YouTube, and Discord, allowing players to exchange tips and tools on mods and cheats for various game environments. We observed from the history of ‘main.py’ in the ‘Zwerve-External’ Repository, that the maintainer regularly updated the code to use various different malicious PyPi packages. One example of this, Da Hood, is a game within the Roblox framework, which takes place in a gang subculture environment, where players can choose to become a police officer or a criminal, participating in or combating gang activities. Although some of these programs offer legitimate game boosts, malicious actors frequently leverage these game hackers’ interest in modifications to deliver malware. Malicious actors can use popular gaming platforms, forums, and communities to spread viruses and malware such as stealers, RATs, and cryptominers. Game hackers are often encouraged to disable AV and real-time protection in order to allow cheats to run, making them even more susceptible to malware infection, as we will see in our example later. Upon investigation, we discovered that the package downloads a binary file called ‘zwerve.exe’. When we examined the GitHub repository hosting this binary, we noticed that the repository maintainer has been repeatedly adding and removing the binary file every few days. The Skuld Stealer is a Go-written malware targeting Windows systems, designed to extract sensitive data from Discord, browsers, and cryptocurrency wallets. Many gamers, including Roblox (and Da Hood) players, opt to install cheats (‘externals’), hacks, and modifications (‘mods’) to enhance their gaming experience. Mods can change the way a game looks or behaves, whereas cheats may allow the player to gain certain advantages during game play, such as “aimlock”, which enhances accuracy in shooter games. It also targets Discord users by capturing 2FA codes and intercepting login requests, while extracting data from cryptocurrency wallets and replacing clipboard content with malicious crypto addresses. These tools are often created for educational and research purposes, demonstrating how malicious tools can be used to steal secrets and gain remote access to systems. The ‘Zwerve-External’ repository is presented as an open-source cheat tool (external) designed to enhance the gaming experience for Da Hood players. The actions of adding and deleting the binary file “zwerve.exe” from the repository could indicate an attempt to evade detection by static or automated analysis tools. Upon closer examination, we observed that the ‘main.py’ file was being frequently updated with different malicious packages. Roblox is a popular online gaming platform and creation system that allows users to play or create multiplayer games. One such example can be found in the game hacking community surrounding the popular video game Roblox. Eventually, we came across a GitHub repository named ‘Zwerve-External’, that was actively using the ‘pysleek’ malicious package. It has been well documented that the installation of such cheats and mods can leave gamers exposed to malware infection. In this blog, we shed light on this campaign and the evolving tactics cybercriminals use to target game hacking communities. This duality highlights the challenge of balancing open research with the risk of empowering cybercriminals, as tools meant to improve security are often weaponized against unsuspecting users. At this stage, we wanted to investigate whether there were other malicious packages exhibiting the same behavior, and we discovered five more.

This Cyber News was published on www.imperva.com. Publication date: Tue, 01 Oct 2024 00:43:05 +0000


Cyber News related to Trouble in Da Hood: Malicious Actors Use Infected PyPI Packages to Target Roblox Cheaters | Imperva

Trouble in Da Hood: Malicious Actors Use Infected PyPI Packages to Target Roblox Cheaters | Imperva - In recent research on compromised and malicious PyPI packages, Imperva Threat Research has identified an ongoing malware campaign specifically targeting Roblox hackers. Over time, vast communities have assembled on various platforms such as Reddit, ...
1 month ago Imperva.com
Trouble in Da Hood: Malicious Actors Use Infected PyPI Packages to Target Roblox Cheaters | Imperva - In recent research on compromised and malicious PyPI packages, Imperva Threat Research has identified an ongoing malware campaign specifically targeting Roblox hackers. Over time, vast communities have assembled on various platforms such as Reddit, ...
1 month ago Imperva.com
3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
1 year ago Securityaffairs.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
11 months ago Esecurityplanet.com
Imperva Named an Overall Leader in the KuppingerCole Leadership Compass: API Security and Management Report - We're thrilled to share that Imperva has achieved the prestigious status of Overall Leader in the KuppingerCole Leadership Compass: API Security and Management report. A notable achievement is being recognized as one of the few non-gateway-first ...
11 months ago Imperva.com
116 Malicious PyPI Packages Downloaded Over 10,000 Times - A cluster of malicious Python projects has been identified in PyPI, the official Python PyPI package repository, which targets both Windows and Linux systems and often deploys a custom backdoor. In certain instances, the ultimate payload consists of ...
11 months ago Cybersecuritynews.com
Accelerating Cloud-Native Data Security Deployments at Scale with Imperva's eDSF Kit - Elastic DSF is the vision of DSF. The first phase of this vision is creating automatic, click of a button processes to deploy and upgrade DSF with the introduction of Imperva eDSF Kit. eDSF Kit simplifies the product deployment, upgrades, and ongoing ...
11 months ago Imperva.com
Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
5 months ago Securitylabs.datadoghq.com
DPython's Poisoned Package: Another 'Blank Grabber' Malware in PyPI - Python Package Index is a platform that offers an extensive range of packages to simplify and enhance the development process. Malicious actors regularly upload phishing packages in the platform's repository aimed at delivering malware to steal the ...
10 months ago Imperva.com
Imperva Detects Undocumented 8220 Gang Activities - Imperva Threat Research has detected previously undocumented activity from the 8220 gang, which is known for the mass deployment of malware using a variety of continuously evolving TTPs. This threat actor has been known to target both Windows and ...
11 months ago Imperva.com
New Typosquatting and Repojacking Tactics Uncovered on PyPI - Security researchers have identified a concerning uptick in malicious activities infiltrating open-source platforms and code repositories. This trend encompasses a wide array of malicious activities, including hosting command-and-control ...
9 months ago Infosecurity-magazine.com
Three New Malicious PyPI Packages Deploy CoinMiner on Linux Devices - Affected platforms: LinuxAffected parties: Linux users that have these malicious packages installedImpact: Latency in device performanceSeverity level: High. On December 5th, 2023, FortiGuard's AI-driven OSS malware detection system identified three ...
10 months ago Feeds.fortinet.com
Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
1 year ago Securityweek.com
Imperva & Thales: Pioneering a New Era in Cybersecurity - Imperva has been a beacon of excellence for over twenty years in the digital protection landscape, where innovation is paramount. Renowned for its groundbreaking products, Imperva has not just secured applications, APIs, and data for the world's ...
11 months ago Imperva.com
Staying ahead of threat actors in the age of AI - At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified ...
9 months ago Microsoft.com
Cybercriminals pose as "helpful" Stack Overflow users to push malware - Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware-answering users' questions by promoting a malicious PyPi package that installs Windows information-stealing malware. Sonatype researcher Ax Sharma discovered ...
5 months ago Bleepingcomputer.com
Imperva Uncovers New IoCs for AndroxGh0st Botnet - On January 16, a joint alert from FBI and CISA warned about a concerning development: the emergence of a botnet driven by AndroxGh0st malware targeting vulnerable applications and web servers. RoxGh0st is a Python-based malware, first seen in late ...
9 months ago Imperva.com
Imperva Client-Side Protection Mitigates the Polyfill Supply Chain Attack - The recent discovery of a website supply chain attack using the cdn. Polyfill.io domain has left many websites vulnerable to malicious code injection. Once a trusted resource for adding JavaScript polyfills to websites, the domain has recently become ...
4 months ago Imperva.com
PyPI Repository Found Hosting Fake Crypto Wallet Recovery Tools That Steal User Data - A new set of malicious packages has been unearthed in the Python Package Index (PyPI) repository that masqueraded as cryptocurrency wallet recovery and management services, only to siphon sensitive data and facilitate the theft of valuable digital ...
1 month ago Thehackernews.com
New Supply Chain Attack Leveraging Python Package Index Targeting Wacatac Trojan - A new supply chain attack has recently been detected targeting Python Package Index (PyPI) users with the Wacatac Trojan. This attack is seen as the latest in a series of advanced persistent threats (APT) targeting the escalating use of Python in ...
1 year ago Securityweek.com
Imperva Protects Customers from CVE-2023-50164 - On December 7, 2023, Apache released a security advisory regarding CVE-2023-50164, a critical vulnerability in Apache Struts with CVSS score 9.8. Versions from 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0 were affected. Apache Struts is a popular, free, ...
11 months ago Imperva.com
Misconfiguration and vulnerabilities biggest risks in cloud security: Report - The two biggest cloud security risks continue to be misconfigurations and vulnerabilities, which are being introduced in greater numbers through software supply chains, according to a report by Sysdig. While zero trust is a top priority, data showed ...
1 year ago Csoonline.com
New PyPI Malware Poses as Crypto Wallet Tools to Steal Private Keys - The cybersecurity researchers at Checkmarx uncovered a series of new supply chain attacks that exploited the Python Package Index (PyPI) in September 2024 using malicious packages to target cryptocurrency wallets. These packages identified as ...
1 month ago Hackread.com
Tipalti investigates claims of data stolen by ransomware gang - Tipalti says they are investigating claims that the ALPHV ransomware gang breached its network and stole 256 GB of data, including data for Roblox and Twitch. Tipalti offers technology solutions for accounting, payment processing, eCommerce, and ...
11 months ago Bleepingcomputer.com
Tipalti investigates claims of data stolen in ransomware attack - Tipalti says they are investigating claims that the ALPHV ransomware gang breached its network and stole 256 GB of data, including data for Roblox and Twitch. Tipalti offers technology solutions for accounting, payment processing, eCommerce, and ...
11 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)