Malicious Python Packages Steal Your Data – Beware!

Malicious Python packages uploaded to PyPI by the user “dsfsdfds” carry a script hidden within the __init__.py file. The script scans the victim’s system, targeting the root and DCIM folders for files with extensions such as .py, .php, .zip, .png, .jpg, and .jpeg.

The script then transmits both the file paths and the contents to a Telegram bot under the control of the attackers, effectively exfiltrating sensitive data without the user’s knowledge. 

Researchers identified a malicious script containing a hardcoded bot token and chat ID, which exposed the attacker’s Telegram bot infrastructure, allowing researchers to directly access and monitor the bot’s activity. 
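The three traits described above (an __init__.py that talks to the Telegram Bot API, embeds a hard-coded bot token, and walks the filesystem collecting files by extension) are also what a defender can look for in an installed package tree. The scanner below is an added example written for this article, not code from Checkmarx or from the packages themselves; the token regex follows the public Bot API token format, the scoring rule and the two sample packages are constructed here, and the sample “malicious” __init__.py contains only the indicator strings, not a working exfiltrator.

```python
"""Flag __init__.py files that match the exfiltration pattern described in the
article: Telegram Bot API use, a hard-coded bot token, and a filesystem walk that
collects files by extension.  Added detection example; indicators and scoring are
this example's assumptions, not the article's or Checkmarx's code."""
import os
import re
import tempfile
from pathlib import Path

# Telegram bot tokens look like "<bot id>:<35-char secret>" (public Bot API format).
TOKEN_RE = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")
TELEGRAM_API_RE = re.compile(r"api\.telegram\.org/bot", re.I)
# Filesystem enumeration primitives a collector would typically use.
WALK_RE = re.compile(r"\bos\.walk\(|\bos\.listdir\(|\.rglob\(")
# Extensions the article names as the exfiltration targets.
TARGET_EXTS_RE = re.compile(r"\.(?:py|php|zip|png|jpg|jpeg)\b", re.I)
DCIM_RE = re.compile(r"\bDCIM\b")


def score_init(text: str) -> dict:
    """Return which indicators fire in one __init__.py body, plus a verdict.

    A hard-coded bot token alone is enough to flag; otherwise we require both
    Telegram API use and a filesystem walk, so an ordinary package that merely
    calls os.walk (build tooling, plugin loaders) is not reported.
    """
    exts_seen = {m.lower() for m in TARGET_EXTS_RE.findall(text)}
    hits = {
        "telegram_api": bool(TELEGRAM_API_RE.search(text)),
        "bot_token": bool(TOKEN_RE.search(text)),
        "fs_walk": bool(WALK_RE.search(text)),
        "target_exts": len(exts_seen) >= 3,
        "dcim": bool(DCIM_RE.search(text)),
    }
    hits["suspicious"] = hits["bot_token"] or (hits["telegram_api"] and hits["fs_walk"])
    return hits


def scan_site_packages(root: Path) -> list[tuple[str, dict]]:
    """Scan every __init__.py under root; return (relative path, hits) for flagged ones."""
    flagged = []
    for init in sorted(root.rglob("__init__.py")):
        try:
            text = init.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = score_init(text)
        if hits["suspicious"]:
            flagged.append((init.relative_to(root).as_posix(), hits))
    return flagged


# --- constructed sample inputs (not real packages) ---------------------------
CONSTRUCTED_BENIGN_INIT = '''
"""A harmless package."""
__version__ = "1.0.0"
from .core import main
'''

FAKE_TOKEN = "123456789:" + "A" * 35  # constructed; not a real token
CONSTRUCTED_MALICIOUS_INIT = f"""
import os
TOKEN = "{FAKE_TOKEN}"
URL = "https://api.telegram.org/bot" + TOKEN + "/sendDocument"
EXTS = (".py", ".php", ".zip", ".png", ".jpg", ".jpeg")
for base in ("/", "/sdcard/DCIM"):
    for d, _, files in os.walk(base):
        pass  # collection and upload deliberately omitted in this sample
"""


def demo() -> list[tuple[str, dict]]:
    """Build a throwaway site-packages tree with one benign and one suspicious
    package (both constructed above) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in (("goodpkg", CONSTRUCTED_BENIGN_INIT),
                           ("badpkg", CONSTRUCTED_MALICIOUS_INIT)):
            (root / name).mkdir()
            (root / name / "__init__.py").write_text(body, encoding="utf-8")
        return scan_site_packages(root)


if __name__ == "__main__":
    for path, hits in demo():
        fired = [k for k, v in hits.items() if v and k != "suspicious"]
        print(f"{path}: {', '.join(fired)}")
    # Real use: scan_site_packages(Path(sysconfig.get_paths()["purelib"]))
```

The regexes are deliberately coarse; a string-matching scan like this is a triage step to run over a fresh virtualenv or a CI image, and anything it flags still needs a human to read the file.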

By analyzing the data the bot received, the researchers gained insight into the attacker’s operations and the scope of the attack.

The attacker’s own hardcoded credentials thus became the researchers’ way into the attacker’s infrastructure, a technique that proved valuable for the investigation.

Analysis of a Telegram bot revealed a high volume of activity (over 90,000 messages) dating back to 2022, predating its involvement in distributing malicious packages. 

The messages, primarily in Arabic, indicated the operator’s likely location in Iraq and their control of multiple bots. Initially, the bot functioned as a typical underground marketplace, offering illicit services like buying social media engagement and discounted streaming subscriptions. 

An investigation into what seemed an isolated incident of malicious Python packages uncovered a far-reaching underground market operation on Telegram, and the systems compromised through the packages were reporting into that same platform.

Messages exchanged indicated not only financial theft but also potential coordination with other criminal activities, highlighting the critical need for thorough and persistent investigation during cybercrime examinations. 

What at first glance appears to be an isolated incident can serve as a gateway to a more complex criminal network.

By following the digital trail and analyzing all available evidence, security researchers can expose the true extent of these cyberattacks and disrupt the operations of the criminals behind them.

Researchers at Checkmarx uncovered malicious Python packages (testbrojct2, proxyfullscraper, proxyalhttp, proxyfullscrapers) on PyPI that exfiltrated user data to a Telegram bot, which exposed a larger Iraqi cybercriminal operation targeting developers. 

While the packages stole data from individual machines, an enterprise compromise could be catastrophic, highlighting the need for stricter security measures in package repositories and developer awareness of potential supply chain attacks. 

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.