Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code

Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code

October 30, 2024 at 07:54AM

Researchers identified a malicious Python package, “CryptoAITools,” disguised as a cryptocurrency trading tool. It steals sensitive data and drains crypto wallets. Distributed via PyPI and fake GitHub repos, it infected over 1,300 systems, exploiting both Windows and macOS while using a deceptive GUI to distract victims during data theft.

### Meeting Takeaways: Cybersecurity Threat – CryptoAITools Malware

**Date**: October 30, 2024
**Topic**: Cybercrime / Cryptocurrency

1. **Discovery of Malware**:
– A malicious Python package called “CryptoAITools” was found masquerading as a cryptocurrency trading tool.
– It has been distributed through the Python Package Index (PyPI) and fake GitHub repositories, amassing over 1,300 downloads before its removal.

2. **Functionality**:
– The malware activates immediately upon installation, targeting both Windows and macOS systems.
– It includes a deceptive graphical user interface (GUI) to distract users while it operates maliciously in the background.

3. **Infection Process**:
– The malware’s code is embedded in the “__init__.py” file, which detects the operating system and executes corresponding malware functions.
– Additional malicious payloads are downloaded from a counterfeit domain (coinsw[.]app), which impersonates a legitimate cryptocurrency trading service.

4. **Data Theft**:
– The malware aims to steal a variety of sensitive information, including:
– Cryptocurrency wallet data (Bitcoin, Ethereum, etc.)
– Saved passwords, cookies, and browsing history.
– Files referencing cryptocurrencies in specified directories.
– Specific data from macOS applications like Apple Notes and Stickies.
– Collected data is uploaded to a file transfer service (gofile[.]io) before deletion from the infected system.

5. **Distribution Channels**:
– The same malware is also being disseminated via a GitHub repository titled “Meme Token Hunter Bot,” marketed as an AI-powered trading tool.
– A Telegram channel supports this GitHub repository and offers subscriptions and technical support.

6. **Implications**:
– The malware threatens both individual users and the cryptocurrency community at large.
– Users who interacted with the malicious repository (e.g., starring or forking) are at risk, increasing the malware’s reach.

7. **Conclusion**:
– The multi-platform distribution strategy allows attackers to target crypto users across different platforms, potentially increasing the victim pool.
– Vigilance is required from cryptocurrency users regarding software sources to safeguard against such threats.

**Action Items**:
– Raise awareness about downloading software from reputable sources within the organization.
– Consider implementing cybersecurity training focused on identifying and avoiding malware risks.

Full Article