Stealer with Clipper Making Rounds in a Mass Campaign
PyPI (Python Package Index) is a widely used repository for software packages for the Python programming language, utilized by developers worldwide for sharing and downloading Python code. Due to the widespread usage of PyPI, it has become a desirable target for Threat Actors (TAs) who aim to attack developers or their projects.
Malicious packages are usually uploaded by disguising them as useful software or by imitating well-known projects by altering their names. In the past, we have encountered multiple instances where attackers have utilized PyPI packages to distribute malware payloads. It has been noted that the frequency of InfoStealers being disseminated through malicious PyPI packages is increasing.
Recently, Cyble Research and Intelligence Labs (CRIL) uncovered multiple malicious Python .whl (Wheel) files that were found to be distributing a new malware named ‘KEKW’. KEKW malware can steal sensitive information from infected systems, as well as perform clipper activities which can lead to the hijacking of cryptocurrency transactions.
Following our investigation, we found that the Python packages under scrutiny were not present in the PyPI repository, indicating that the Python security team had removed the malicious packages. Additionally, CRIL verified with the Python security team on 02-05-2023 and confirmed that they took down the malicious packages within 48 hours of them being uploaded.
Since the malicious packages were taken down quickly, it is impossible to determine the number of people who downloaded them. Nevertheless, we believe that the impact of the incident may have been minimal.
The following packages were observed spreading KEKW malware:
In this campaign, we have identified TAs engaging in financial theft by combining stealer and clipper functionality in one payload. We have also observed several stealer payloads containing different crypto addresses associated with the TA’s clipper activities. We selected one of the Bitcoin addresses that appeared in over 20 packages and found that there had been a significant increase in transactions for that specific crypto address in the past month.
The figure below provides details of the TAs’ Bitcoin wallet transactions.
Additionally, we discovered that the majority of Python files within the packages contained the domain name “kekwltd[.]ru”. In contrast, only a few contained “blackcap[.]ru”, suggesting that these domains may be linked to the TA.
The figure below shows the TA’s active domain.
For our analysis, we have taken the Python package “pythonsqlitetool-1.0.0”, which is a .whl file. The .whl file in Python is a wheel distribution format used for packaging and distributing Python software. The .whl file is essentially a ZIP archive containing all the necessary files to install a Python package, including the code, data files, and metadata.
The .whl file includes an ‘__init__.py’ Python file capable of carrying out malicious actions within the user’s system.
At the beginning of the ‘__init__.py’ Python file, the necessary packages are installed on the victim’s system using the ‘pip install’ command, as shown below.
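Because a wheel is just a ZIP archive, the traits described above (a `pip install` issued at import time, anti-analysis lookups, the `kekwltd[.]ru` / `blackcap[.]ru` domains, clipboard and Startup-folder references) can be checked offline without installing the package. The following triage scanner is an added example and is not code from the Cyble write-up or from the KEKW packages; the indicator regexes are assumptions derived from the behaviours the report describes, and the wheel it scans is constructed in memory for the demo rather than the real `pythonsqlitetool-1.0.0` file.

```python
"""Offline triage of a Python wheel (.whl) for KEKW-style traits.

Added example, not code from the report or the analysed packages. A wheel is a
ZIP archive, so its Python members can be listed and pattern-matched without
executing anything. The indicator patterns are assumptions based on the
behaviours the report describes; the sample wheel is constructed in memory.
"""
import io
import re
import zipfile

# Each regex is an assumption about what a KEKW-style __init__.py contains.
SUSPICIOUS_PATTERNS = {
    "pip-install-at-import": re.compile(r"pip\s+install", re.I),
    "shell-exec": re.compile(r"\b(os\.system|subprocess\.(run|call|Popen|check_output))\s*\("),
    "anti-analysis-lookup": re.compile(r"\b(getpass\.getuser|socket\.gethostname|wmic\s+csproduct)\b"),
    "known-c2-domain": re.compile(r"kekwltd\.ru|blackcap\.ru", re.I),  # domains named in the report
    "clipboard-access": re.compile(r"\b(pyperclip|win32clipboard|GetClipboardData)\b"),
    "startup-folder": re.compile(r"Programs[\\/]+Startup", re.I),
}


def scan_wheel(wheel_bytes: bytes) -> dict:
    """Return {member_name: [labels]} for every .py member that hits a pattern.

    Only .py members are inspected; decoding is lenient because malicious
    packages are frequently not valid UTF-8 throughout.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".py"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hits = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
            if hits:
                findings[info.filename] = hits
    return findings


def risk_score(findings: dict) -> int:
    """Number of distinct indicator labels across the wheel (higher = look at it by hand)."""
    return len({label for labels in findings.values() for label in labels})


def build_demo_wheel(malicious: bool = True) -> bytes:
    """Construct a minimal wheel in memory. With malicious=True the __init__.py
    mimics the reported traits; this is synthetic content, not the real package."""
    if malicious:
        init_py = (
            "import os, getpass\n"
            "os.system('pip install requests pyperclip')\n"          # dependencies pulled at import
            "if getpass.getuser() in ('sandbox', 'analyst'):\n"      # anti-analysis username check
            "    raise SystemExit\n"
            "C2 = 'http://kekwltd.ru/upload'\n"
            "STARTUP = r'%APPDATA%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup'\n"
        )
    else:
        init_py = "from .helpers import add\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pythonsqlitetool/__init__.py", init_py)
        zf.writestr("pythonsqlitetool/helpers.py", "def add(a, b):\n    return a + b\n")
        zf.writestr("pythonsqlitetool-1.0.0.dist-info/METADATA",
                    "Metadata-Version: 2.1\nName: pythonsqlitetool\nVersion: 1.0.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    found = scan_wheel(build_demo_wheel())
    for member, labels in found.items():
        print(f"{member}: {', '.join(labels)}")
    print("distinct indicators:", risk_score(found))
```

To triage a downloaded artefact, pass `open("pkg.whl", "rb").read()` to `scan_wheel()` instead of the constructed wheel; the same loop also works on `.tar.gz` sdists with `tarfile` in place of `zipfile`.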
The primary function of the Python package file includes various capabilities such as anti-debugging, persistence, collecting system information, stealing and grabbing sensitive data from various applications, carrying out clipper activities, and more.
The Python malware file verifies whether it is running within a controlled environment by comparing the current username, computer name, system IP address, and hardware ID against a hard-coded blocklist of strings.
The malware terminates its execution if it identifies a match with any of the strings mentioned below.
The malware checks to determine if any security-related processes are running on the target’s system. If it identifies such processes, it terminates them. The list of security-related process names hardcoded into the script can be seen in the figure below.
The KEKW malware’s startupkekw() function sets up a startup entry to achieve persistence, allowing the malware to execute automatically whenever the victim logs in to their computer.
The code snippet below depicts how the malware achieves persistence on the victim’s system.
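A per-user startup entry of this kind leaves a footprint a defender can enumerate: the Startup folder and the HKCU Run key. The audit script below is an added example, not code from the report or the KEKW package; it flags autostart entries that launch the Python interpreter or a `.py`/`.pyw` file, with extra weight when the target sits in a user-writable location. The classification rules and the sample entries are assumptions constructed for the demo; on a Windows host it enumerates the real locations instead.

```python
"""Audit per-user Windows autostart locations for Python-based entries.

Added example, not code from the report or the KEKW package. Enumerates the
current user's Startup folder and HKCU Run key on Windows; elsewhere it runs
against constructed sample entries. Classification rules are assumptions.
"""
import os
import re
import sys
from typing import List, NamedTuple


class AutostartEntry(NamedTuple):
    source: str    # "startup-folder" or "run-key"
    name: str      # file name or registry value name
    command: str   # target path or command line


# python / pythonw / python3.11 / python.exe, preceded by a separator or start of string
PY_INTERPRETER = re.compile(r"(^|[\\/\s\"'])(python|pythonw)(\d(\.\d+)?)?(\.exe)?\b", re.I)
PY_SCRIPT = re.compile(r"\.pyw?\b", re.I)
USER_WRITABLE_DIR = re.compile(r"(appdata|temp|tmp|downloads|public)", re.I)


def classify(entry: AutostartEntry) -> List[str]:
    """Reasons an entry deserves a look; empty list means it is not Python-related."""
    reasons = []
    if PY_INTERPRETER.search(entry.command):
        reasons.append("launches python interpreter")
    if PY_SCRIPT.search(entry.command) or PY_SCRIPT.search(entry.name):
        reasons.append("points at a .py/.pyw script")
    if not reasons:
        return []                      # only Python-related entries are reported
    if USER_WRITABLE_DIR.search(entry.command):
        reasons.append("target lives in a user-writable directory")
    return reasons


def audit(entries):
    """Return (entry, reasons) pairs for every flagged entry."""
    return [(e, classify(e)) for e in entries if classify(e)]


def collect_windows_entries() -> List[AutostartEntry]:
    """Enumerate the current user's Startup folder and HKCU Run key (Windows only)."""
    entries = []
    startup = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup")
    if os.path.isdir(startup):
        for name in os.listdir(startup):
            entries.append(AutostartEntry("startup-folder", name, os.path.join(startup, name)))
    if sys.platform == "win32":
        import winreg
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)   # raises OSError when exhausted
                except OSError:
                    break
                entries.append(AutostartEntry("run-key", name, str(value)))
                i += 1
    return entries


# Constructed sample entries (not taken from a real host).
SAMPLE_ENTRIES = [
    AutostartEntry("startup-folder", "OneDrive.lnk",
                   r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    AutostartEntry("startup-folder", "kekw.pyw",
                   r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kekw.pyw"),
    AutostartEntry("run-key", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    AutostartEntry("run-key", "Updater",
                   r'"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe" C:\Users\alice\AppData\Roaming\upd.py'),
]


if __name__ == "__main__":
    entries = collect_windows_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for entry, reasons in audit(entries):
        print(f"[{entry.source}] {entry.name}: {'; '.join(reasons)}")
```

Machine-wide locations (HKLM Run, the all-users Startup folder, scheduled tasks) are deliberately left out here; the report only describes a per-user logon entry, and those locations need elevated rights to read fully.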
Collecting System information
The KEKW malware uses the system_information() function to acquire system-related data such as login username, computer name, Windows product key and version, RAM capacity, HWID, IP address, geographic location, Google Maps information, and more.
This is illustrated in the figure below.
The primary objective of the malicious Python script is to retrieve sensitive information from the target’s web browser, which includes:
- Credit card details
The Python script utilizes multiple separate functions to extract browser data, including files from a range of web browsers such as Google Chrome, Microsoft Edge, Yandex, Brave, Amigo, and others, as shown in the figure below.
The figure below displays the code snippet of the Python function responsible for stealing passwords from the targeted browsers.
The figure below shows the code snippet of the function used to steal the cookies from the browsers.
The code snippet in the image below shows the function used to steal the browsers’ history files.
The Python function that steals the credit card details from the browsers is illustrated in the figure below.
The image below shows the various browsers targeted by this malware to steal tokens.
Additionally, the Python script has functions grabb_mc() and grabb_roblox() to retrieve crucial data, including profiles, account credentials, cookies, cache, and more, from well-known video game platforms like Minecraft and Roblox, as shown in the code snippet below.
The malware uses the address_swap() function to carry out the clipper activity by replacing the intended cryptocurrency wallet address (as specified in the ‘__config__’ section of the Python file) with the attacker’s cryptocurrency address. This action redirects the victim’s cryptocurrency funds to the attacker’s account.
The below figure shows the code snippet of the clipper function used in the malware Python file.
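From the victim’s side, a clipper such as address_swap() has one distinctive signature: a valid wallet address is replaced, within a fraction of a second and with no user action, by a different address of the same coin type. The detector below is an added example and is not code from the report or the KEKW package; it classifies clipboard text by public address format (regex only, no checksum) and flags same-type replacements that happen inside a short window. The address patterns, the one-second window and the snapshot sequence are assumptions constructed for the demo; in production the snapshots would come from a clipboard poller.

```python
"""Detect clipper-style clipboard swaps from a sequence of clipboard snapshots.

Added example, not code from the report or the KEKW package. Address formats
are the common public ones, checked at regex level only (no checksum); the
swap window and the snapshot sequence are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),   # Base58, no 0/O/I/l
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),       # bech32 charset, no 1/b/i/o
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text: str) -> Optional[str]:
    """Return the coin type if the whole clipboard text looks like a wallet address."""
    text = text.strip()
    for kind, rx in ADDRESS_PATTERNS.items():
        if rx.match(text):
            return kind
    return None


@dataclass
class Snapshot:
    t: float     # seconds since monitoring started
    text: str    # clipboard contents at that moment


@dataclass
class SwapAlert:
    at: float
    kind: str
    original: str
    replacement: str


def detect_swaps(snapshots: List[Snapshot], max_gap: float = 1.0) -> List[SwapAlert]:
    """Report address-to-address replacements of the same coin type within max_gap seconds.

    A person copying a second address normally takes longer than a second and
    often copies unrelated text in between; a clipper rewrites the clipboard
    almost immediately after the user's own copy.
    """
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if prev.text == cur.text:
            continue
        kind_prev, kind_cur = address_type(prev.text), address_type(cur.text)
        if kind_prev and kind_prev == kind_cur and (cur.t - prev.t) <= max_gap:
            alerts.append(SwapAlert(cur.t, kind_cur, prev.text.strip(), cur.text.strip()))
    return alerts


# Constructed snapshot feed; the addresses are format-valid placeholders, not real wallets.
VICTIM_BTC = "1VictimAddrFake9876543219xyz"
ATTACKER_BTC = "1AttackerAddrFake9876543219xyz"
ETH_A = "0x" + "deadbeef" * 5
ETH_B = "0x" + "cafebabe" * 5

SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "meeting notes for tuesday"),
    Snapshot(5.0, VICTIM_BTC),     # user copies the address they intend to pay
    Snapshot(5.2, ATTACKER_BTC),   # clipboard rewritten 200 ms later: clipper signature
    Snapshot(40.0, ETH_A),
    Snapshot(65.0, ETH_B),         # 25 s later, user copied another address: not flagged
    Snapshot(70.0, VICTIM_BTC),
    Snapshot(70.3, ETH_B),         # different coin type: not a swap
]


if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={a.at}s {a.kind}: {a.original} -> {a.replacement}")
```

The same comparison can be wired to a live feed by sampling the clipboard every 100 ms or so and appending a `Snapshot` whenever the text changes; the window should stay short, since a user’s own second copy is the main source of false positives.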
Moreover, the malware can capture screenshots of the target system by utilizing the steal_screen() function. This action allows the attacker to gain access to sensitive information on the victim’s device, which can be used for malicious purposes by the threat actor.
The malware has a function called grabb_GatherAll() that steals passwords and cookies from various popular applications, including Gmail, YouTube, eBay, Netflix, Uber, Outlook, Hotmail, PayPal, TikTok, and others.
The figure below shows the code snippet that steals sensitive information from various popular applications.
Moreover, the malware scans the “Desktop”, “Downloads”, and “Documents” directories for text files with specific names related to sensitive information, such as passwords, login credentials, online transactions, online accounts, wallets, and others. Upon locating these files, it extracts the pertinent data.
The malware is also designed to collect sensitive information from specific applications such as Atomic Wallet, Exodus Wallet, Steam, and NationsGlory.
After obtaining the stolen data, the malware formats it into JSON, compresses it into a ZIP file, and then proceeds to upload the compressed archive to the command and control (C&C) server, as shown below.
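The upload step leaves a network trace: a POST from a non-browser client carrying a ZIP body, in most samples to `kekwltd[.]ru` (a few to `blackcap[.]ru`). The log scanner below is an added example, not code from the report; it runs over a constructed, simplified web-proxy access-log layout and flags requests that hit the report’s domains or match that upload shape. The log format, the byte threshold and the entries are assumptions constructed for the demo.

```python
"""Flag KEKW-style exfiltration in web proxy logs.

Added example, not code from the report. The log layout below is a constructed,
simplified access-log format (one request per line); real proxies need their
own field mapping. Domains are the ones the report names; thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

KNOWN_C2_DOMAINS = {"kekwltd.ru", "blackcap.ru"}   # named in the report (defanged there with [.])
NON_BROWSER_UA = re.compile(r"python-requests|python-urllib|curl/", re.I)

# Constructed layout: ts client method url status bytes_out content_type "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'(?P<bytes_out>\d+) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)


@dataclass
class ExfilHit:
    ts: str
    client: str
    host: str
    reasons: List[str]


def host_of(url: str) -> str:
    """Lower-cased host part of an absolute URL ('' if it cannot be parsed)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def check_line(line: str, min_bytes: int = 50_000) -> Optional[ExfilHit]:
    """Return an ExfilHit when a log line matches any exfiltration indicator."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None                          # unparseable line: skip, do not guess
    f = m.groupdict()
    host = host_of(f["url"])
    scripted_post = f["method"] == "POST" and NON_BROWSER_UA.search(f["ua"]) is not None
    reasons = []
    if host in KNOWN_C2_DOMAINS:
        reasons.append("known KEKW C&C domain")
    if scripted_post and f["ctype"].startswith(("application/zip", "application/x-zip")):
        reasons.append("ZIP body uploaded by non-browser client")
    if scripted_post and int(f["bytes_out"]) >= min_bytes:
        reasons.append(f"large POST ({f['bytes_out']} bytes) from non-browser client")
    return ExfilHit(f["ts"], f["client"], host, reasons) if reasons else None


def scan_log(lines) -> List[ExfilHit]:
    return [hit for hit in (check_line(line) for line in lines) if hit]


# Constructed sample log; hosts other than the report's domains are example.com placeholders.
SAMPLE_LOG = """\
2023-05-02T10:14:03Z 10.0.0.21 GET https://pypi.org/simple/requests/ 200 512 text/html "pip/23.0"
2023-05-02T10:14:09Z 10.0.0.21 POST http://kekwltd.ru/upload 200 184320 application/zip "python-requests/2.28.1"
2023-05-02T10:15:41Z 10.0.0.33 POST https://files.example.com/share 201 2048000 application/zip "Mozilla/5.0 (Windows NT 10.0) Chrome/112.0"
2023-05-02T10:16:02Z 10.0.0.21 POST https://api.example.com/v1/metrics 204 900 application/json "python-requests/2.28.1"
"""


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} {hit.client} -> {hit.host}: {'; '.join(hit.reasons)}")
```

The browser-driven ZIP upload on the third line is deliberately not flagged: a user sharing an archive through a web form looks the same at the content-type level, so the shape-based rules only fire for scripted clients, while the domain rule fires regardless of client.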
The group responsible for the KEKW stealer malware has launched a widespread campaign to distribute it. The group targets developers using malicious Python packages, which may also put corporate networks at risk.
The timely action of the Python security team in removing the malicious packages has helped to mitigate the severity of this incident. However, this incident highlights the ongoing threat of supply chain attacks and the importance of remaining vigilant and practicing good cybersecurity hygiene.
- Avoid downloading pirated software from warez/torrent websites. “Hack Tools” advertised on sites such as YouTube and torrent sites frequently carry this kind of malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and Email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1047 | Windows Management Instrumentation |
| Persistence | T1547 | Registry Run Keys / Startup Folder |
| Defense Evasion | T1562 | Disable or Modify Tools |
| Credential Access | T1056 | Credential API Hooking |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Collection | T1005 | Data from Local System |
| Command and Control | T1071 | Application Layer Protocol |
Indicators of Compromise (IOCs)
| Indicator Type | Description |
|---|---|
| MD5, SHA1, SHA256 | pythoncolouringslibV2-1.0.0-py3-none-any.whl |