Cybersecurity researchers discovered a malicious Python package posted to the Python Package Index (PyPI) repository designed to deliver an information stealer known as Lumma (aka LummaC2).
The package in question is crytic-compilers, a misspelled version of a valid library called crytic-compile. The malicious package was downloaded 441 times before being removed by PyPI maintainers.
“The counterfeit library is interesting because it not only mimics the name of the legitimate Python utility, crytic-compile, but also aligns its version numbers with the genuine library,” said Ax Sharma, a security researcher at Sonatype.
“While the legitimate library’s latest version stops at 0.3.7, the counterfeit crytic-compilers version starts right there and ends at 0.3.11, giving the impression that it is a newer version of the component.”
In an additional attempt to maintain the ruse, some versions of crytic-compilers (e.g., 0.3.9) were discovered to install the actual package via a modification to the setup.py file.
However, the most recent version abandons all pretense of being a benign library by assessing whether the operating system is Windows and, if so, launching an executable (“s.exe”), which is designed to retrieve further payloads, including the Lumma Stealer.
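The two tricks described above, a near-miss name and version numbers that continue past the legitimate library's latest release, are both detectable before installation. The following is an added example (not code from the original article or from Sonatype) that scans a pinned requirements list for names within a small edit distance of a trusted package and flags pins that claim to be newer than the trusted package's latest version. The trusted-package table and the sample requirements are constructed for the example; only crytic-compile 0.3.7 and crytic-compilers 0.3.11 come from the article.

```python
import re
from typing import Dict, List, Tuple

# Constructed allow-list of trusted packages and their latest known versions.
# crytic-compile 0.3.7 is the figure given in the article; the others are
# assumed entries for illustration.
KNOWN_PACKAGES: Dict[str, str] = {
    "crytic-compile": "0.3.7",
    "requests": "2.31.0",
    "slither-analyzer": "0.10.0",
}

# Constructed requirements file containing the typosquat from the article.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
crytic-compilers==0.3.11
slither-analyzer==0.10.0
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; package names are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.3.11' into (0, 3, 11); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Extract (normalized_name, pinned_version) pairs from 'name==version' lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9._-]+)\s*==\s*([0-9][0-9A-Za-z.]*)", line)
        if m:
            pairs.append((normalize(m.group(1)), m.group(2)))
    return pairs


def find_typosquat_candidates(
    requirements: str, known: Dict[str, str], max_distance: int = 2
) -> List[dict]:
    """Flag pinned names that are a few edits away from a trusted package but are
    not that package, and note when the pin claims a version higher than the
    trusted package's latest release (the 'looks newer' trick)."""
    findings = []
    known_norm = {normalize(k): v for k, v in known.items()}
    for name, version in parse_requirements(requirements):
        if name in known_norm:
            continue  # exact match with a trusted package
        for legit, latest in known_norm.items():
            d = levenshtein(name, legit)
            if 0 < d <= max_distance:
                findings.append({
                    "requested": name,
                    "resembles": legit,
                    "distance": d,
                    "version": version,
                    "version_exceeds_legit_latest": parse_version(version) > parse_version(latest),
                })
    return findings


if __name__ == "__main__":
    for finding in find_typosquat_candidates(SAMPLE_REQUIREMENTS, KNOWN_PACKAGES):
        print(finding)
```

Run against the constructed input, the check reports crytic-compilers as two edits from crytic-compile with a pinned 0.3.11 that exceeds the trusted 0.3.7. The edit-distance threshold is deliberately small; raising it catches more variants but also produces more noise on short names, so an allow-list of intentionally similar packages is usually needed in practice.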
Lumma, an information stealer sold to other criminal actors under a malware-as-a-service (MaaS) model, has been distributed through a variety of methods, including trojanized software, malvertising, and even bogus browser updates.
“The finding demonstrates that seasoned threat actors are now targeting Python developers and abusing open-source registries like PyPI as a distribution channel for their potent data theft arsenal,” Sharma stated.
Fake browser update campaigns target hundreds of WordPress sites

Sucuri discovered that more than 300 WordPress sites have been infected with malicious Google Chrome update pop-ups that direct site visitors to fraudulent MSIX installers that install information stealers and remote access trojans.
Threat actors obtain illegal access to the WordPress admin interface before installing a legitimate WordPress plugin named Hustle – Email Marketing, Lead Generation, Optins, Popups, which uploads the code that displays the phony browser update pop-ups.
“This campaign demonstrates a growing trend among hackers to use legitimate plugins for malicious purposes,” security researcher Puja Srivastava stated. “By doing so, they can evade detection by file scanners, as most plugins store their data within the WordPress database.”
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.