Mar 12, 2024The Hacker NewsCryptocurrency / Cybercrime

Threat hunters have discovered a set of seven packages on the Python Package Index (PyPI) repository that are designed to steal BIP39 mnemonic phrases used for recovering private keys of a cryptocurrency wallet.

The software supply chain attack campaign has been codenamed BIPClip by ReversingLabs. The packages were collectively downloaded 7,451 times prior to them being removed from PyPI. The list of packages is as follows –

BIPClip, which is aimed at developers working on projects related to generating and securing cryptocurrency wallets, is said to be active since at least December 4, 2022, when hashdecrypt was first published to the registry.

“This is just the latest software supply chain campaign to target crypto assets,” security researcher Karlo Zanki said in a report shared with The Hacker News. “It confirms that cryptocurrency continues to be one of the most popular targets for supply chain threat actors.”

In a sign that the threat actors behind the campaign were careful to avoid detection, one of the packages in question — mnemonic_to_address — was devoid of any malicious functionality, barring listing bip39-mnemonic-decrypt as its dependency, which contained the malicious component.

“Even if they did opt to look at the package’s dependencies, the name of the imported module and invoked function are carefully chosen to mimic legitimate functions and not raise suspicion, since implementations of the BIP39 standard include many cryptographic operations,” Zanki explained.

The package, for its part, is designed to steal mnemonic phrases and exfiltrate the information to an actor-controlled server.

Two other packages identified by ReversingLabs – public-address-generator and erc20-scanner – operate in an analogous fashion, with the former acting as a lure to transmit the mnemonic phrases to the same command-and-control (C2) server.

On the other hand, hashdecrypts functions a little differently in that it’s not conceived to work as a pair and contains within itself near-identical code to harvest the data.

The package, per the software supply chain security firm, includes references to a GitHub profile named “HashSnake,” which features a repository called hCrypto that’s advertised as a way to extract mnemonic phrases from crypto wallets using the package hashdecrypts.

A closer examination of the repository’s commit history reveals that the campaign has been underway for over a year based on the fact that one of the Python scripts previously imported the hashdecrypt (without the “s”) package instead of hashdecrypts until March 1, 2024, the same date hashdecrypts was uploaded to PyPI.

It’s worth pointing out that the threat actors behind the HashSnake account also have a presence on Telegram and YouTube to advertise their warez. This includes releasing a video on September 7, 2022, showcasing a crypto logs checker tool dubbed xMultiChecker 2.0.

“The content of each of the discovered packages was carefully crafted to make them look less suspicious,” Zanki said.

“They were laser focused on compromising crypto wallets and stealing the crypto currencies they contained. That absence of a broader agenda and ambitions made it less likely this campaign would trip up security and monitoring tools deployed within compromised organizations.”

The findings once again underscore the security threats that lurk within open-source package repositories, which is exacerbated by the fact that legitimate services like GitHub are used as a conduit to distribute malware.

Furthermore, abandoned projects are becoming an attractive vector for threat actors to seize control of the developer accounts and publish trojanized versions that could then pave the way for large-scale supply chain attacks.

“Abandoned digital assets are not relics of the past; they are ticking time bombs and attackers have been increasingly taking advantage of them, transforming them into trojan horses within the open-source ecosystems,” Checkmarx noted last month.

“MavenGate and CocoaPods case studies highlight how abandoned domains and subdomains could be hijacked to mislead users and spread malicious intent.”

Jan 23, 2024NewsroomMalware / Cryptocurrency

Cracked software have been observed infecting Apple macOS users with a previously undocumented stealer malware capable of harvesting system information and cryptocurrency wallet data.

Kaspersky, which identified the artifacts in the wild, said they are designed to target machines running macOS Ventura 13.6 and later, indicating the malware’s ability to infect Macs on both Intel and Apple silicon processor architectures.

The attack chains leverage booby-trapped disk image (DMG) files that include a program named “Activator” and a pirated version of legitimate software such as xScope.

Users who end up opening the DMG files are urged to move both files to the Applications folder and run the Activator component to apply a supposed patch and run the xScope app.

Launching Activator, however, displays a prompt asking the victim to enter the system administrator password, thereby allowing it to execute a Mach-O binary with elevated permissions in order to launch the modified xScope executable.

“The trick was that the malicious actors had taken pre-cracked application versions and added a few bytes to the beginning of the executable, thus disabling it to make the user launch Activator,” security researcher Sergey Puzan said.

The next stage entails establishing contact with a command-and-control (C2) server to fetch an encrypted script. The C2 URL, for its part, is constructed by combining words from two hard-coded lists and adding a random sequence of five letters as a third-level domain name.

A DNS request for this domain is then sent to retrieve three DNS TXT records, each containing a Base64-encoded ciphertext fragment that is decrypted and assembled to construct a Python script, which, in turn, establishes persistence and functions as a downloader by reaching out to “apple-health[.]org” every 30 seconds to download and execute the main payload.

“This was a fairly interesting and unusual way of contacting a command-and-control server and hiding activity inside traffic, and it guaranteed downloading the payload, as the response message came from the DNS server,” Puzan explained, describing it as “seriously ingenious.”

The backdoor, actively maintained and updated by the threat actor, is designed to run received commands, gather system metadata, and check for the presence of Exodus and Bitcoin Core wallets on the infected host.

If found, the applications are replaced by trojanized versions downloaded from the domain “apple-analyser[.]com” that are equipped to exfiltrate the seed phrase, wallet unlock password, name, and balance to an actor-controlled server.

“The final payload was a backdoor that could run any scripts with administrator privileges, and replace Bitcoin Core and Exodus crypto wallet applications installed on the machine with infected versions that stole secret recovery phrases the moment the wallet was unlocked,” Puzan said.

The development comes as cracked software is increasingly becoming a conduit to compromise macOS users with a variety of malware, including Trojan-Proxy and ZuRu.