Invasive Malware Campaign on Python Repository Targets Crypto Wallet Data: Research

Threat actors masquerade as crypto trading tools to steal sensitive data and drain victims’ crypto wallets.

The Checkmarx threat research team uncovered a new invasive crypto malware campaign on the Python Package Index (PyPI) repository. Threat actors masquerade as cryptocurrency trading tools to steal sensitive data and drain victims’ crypto wallets.

The malicious package, named “CryptoAITools,” was uploaded to PyPI and GitHub repositories, impersonating legitimate cryptocurrency trading tools, the findings revealed.

The attacker used a deceptive graphical user interface (GUI) to distract victims while the malware performed malicious activities. Further, the malware activates automatically upon installation, targeting both Windows and macOS operating systems.

“The CryptoAITools malware employs a sophisticated multi-stage infection process, leveraging a fake website to deliver its secondary payloads.”

Following the initial infection through the PyPI package, the malware begins executing scripts for macOS and Windows separately.

“These scripts are responsible for downloading additional malicious components from a deceptive website,” the research team wrote in a press release sent to Cryptonews.

Checkmarx researcher Yehuda Gelb said in an analysis published early this month that the attacker targeted users of Atomic, Trust Wallet, Metamask, Ronin, TronLink, Exodus, and other prominent crypto wallets.

“Presenting themselves as utilities for extracting mnemonic phrases and decrypting wallet data, these packages appeared to offer valuable functionality for cryptocurrency users engaged in wallet recovery or management.”

Additionally, the CryptoAITools malware conducted an extensive data theft operation, targeting browser data such as saved passwords and browsing history.

On macOS systems, the malware also targeted data from the Apple Notes and Stickies applications.

The CryptoAITools Malware’s Exfiltration Process

The attackers began by collecting data stored in users’ home folders. The exfiltration script for each file changes, and the malware uploads the file to gofile.io using the service’s API.

The attacker then sends the affected download link via a Telegram bot, employing various tactics to lure potential victims.
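For defenders, the exfiltration pattern described above (a file upload to gofile.io followed by Telegram bot traffic) can be hunted for in web proxy logs. The following is an added example, not code from Checkmarx or from the malware; the log format, host names, paths and five-minute window are constructed assumptions, and api.telegram.org is the public Telegram Bot API host.

```python
from datetime import datetime, timedelta

# Constructed proxy log lines: timestamp, client, method, destination host, path.
SAMPLE_LOG = """\
2024-10-01T10:00:05 ws-014 GET pypi.org /simple/requests/
2024-10-01T10:02:11 ws-014 POST store1.gofile.io /upload
2024-10-01T10:02:14 ws-014 POST api.telegram.org /bot<token>/sendMessage
2024-10-01T11:30:00 ws-022 POST api.telegram.org /bot<token>/sendMessage
2024-10-01T12:00:00 ws-031 POST store2.gofile.io /upload
2024-10-01T12:45:00 ws-031 POST api.telegram.org /bot<token>/sendMessage
""".splitlines()


def is_upload(method, dest):
    # POST to gofile.io or any of its subdomains (subdomain names are assumed).
    return method == "POST" and (dest == "gofile.io" or dest.endswith(".gofile.io"))


def is_bot_call(dest, path):
    # Telegram Bot API requests have the form /bot<token>/<method>.
    return dest == "api.telegram.org" and path.startswith("/bot")


def find_exfil_chains(lines, window=timedelta(minutes=5)):
    """Return (client, upload_time, bot_time) for each client that uploads to
    gofile.io and then calls a Telegram bot within `window`.
    Assumes the log lines are in chronological order."""
    last_upload = {}  # client -> time of its most recent gofile.io upload
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines with an unparsable timestamp
        _, client, method, dest, path = parts
        dest = dest.lower()
        if is_upload(method, dest):
            last_upload[client] = ts
        elif is_bot_call(dest, path) and client in last_upload:
            if timedelta(0) <= ts - last_upload[client] <= window:
                hits.append((client, last_upload[client].isoformat(), ts.isoformat()))
    return hits


if __name__ == "__main__":
    for hit in find_exfil_chains(SAMPLE_LOG):
        print("possible exfiltration chain:", hit)
```

Either destination on its own is common legitimate traffic, which is why the check flags only the two in sequence from the same client.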

“Our continued investigation into this campaign revealed the attacker employing multiple infection vectors and social engineering tactics,” the team noted. “The attack is not limited to the malicious Python package on PyPI, but extends to other platforms and methods.”

The CryptoAITools malware campaign has severe consequences for victims and the broader cryptocurrency community, including immediate financial losses. The impact also includes long-term risks of identity theft and privacy breaches.
