An unknown adversary orchestrated a sophisticated attack campaign that affected multiple developers and GitHub organization accounts associated with Top.gg, the Discord bot discovery site.
“The threat actor used multiple TTPs in this attack, including taking over accounts via stolen browser cookies, contributing malicious code via authenticated submissions, setting Customizing Python images and publishing malicious packages to the PyPI registry.” with The Hacker News.
Software supply chain attacks allegedly resulted in the theft of sensitive information, including passwords, credentials and other valuable data. Egyptian developer Mohammed Dief previously disclosed aspects of the campaign earlier this month.
It basically requires setting up a clever misplacement of the official PyPI domain (called “files.txt”).Pythonhost[.]org,” name it “files.org”.Pippihost[.]org” and used it to host Trojanized versions of well-known packages such as colorama. Cloudflare has since taken over the domain.
“The threat actors took Colorama, a very popular tool with over 150 million downloads per month, copied it and inserted malicious code,” Checkmarx researchers said. “They then used space padding to hide the Colorama’s harmful payload and hosted this modified version on their fake mirror with the wrong domain name.”
These rogue packages are then spread via GitHub repositories e.g. github[.]com/maleduque/Valorant-Checker and github[.]com/Fronse/League-of-Legends-Checker contains a requirements.txt file that serves as a manifest for Python packages to be installed by the pip package manager.
As of this writing, github is a repository that continues to be active[.]com/whiteblackgang12/Discord-Token-Generator, which contains a reference to a malicious version of colorama hosted on “files.pypihosted”[.]organize. “
As part of the campaign, the requirements.txt file related to Top.gg’s python-sdk was also changed on February 20, 2024, by an account named editor-syntax. The issue has been resolved by the repository maintainer.
Notably, the “editor-syntax” account is a legitimate maintainer of the Top.gg GitHub organization and has write access to the Top.gg repository, indicating that threat actors managed to hijack verified accounts to make malicious commits.
“The GitHub account of ‘Editor Grammar’ was likely hijacked via stolen cookies,” Checkmarx noted.
“The attacker gained access to the account’s session cookie, allowing them to bypass authentication and use the GitHub UI to perform malicious activity. This method of account takeover is particularly concerning because it does not require the attacker to know the account’s password.”
Additionally, the threat actor behind the campaign is said to have pushed multiple changes to the malicious repository in a single commit, changing up to 52 files in one instance to hide changes to the requests.txt file.
The malware embedded in the fake colorama package initiates a multi-stage infection sequence, leading to the execution of Python code from a remote server, which in turn is able to establish persistence on the host through Windows registry changes and download it from the web Stealing profile browsers, crypto wallets, Discord tokens, and session tokens related to Instagram and Telegram.
“The malware contains a file stealer component that searches for files containing specific keywords in their names or extensions,” the researchers said. “Its target directories include Desktop, Downloads, Documents, and Recent Files.”
The captured data is ultimately transmitted to the attacker through anonymous file sharing services such as GoFile and Anonfiles. Alternatively, the data is sent to the threat actor’s infrastructure using HTTP requests along with hardware identifiers or IP addresses to track the victim’s computer.
“This campaign is a prime example of the sophisticated tactics used by malicious actors to spread malware through trusted platforms such as PyPI and GitHub,” the researchers concluded.
“This incident highlights the importance of remaining vigilant when installing packages and repositories, even those from trusted sources. Thoroughly review dependencies, monitor for suspicious network activity and maintain strong security practices to Reducing the risk of falling victim to this type of attack is critical.”
