Researchers have discovered a new clipper malware, named KEKW, that disguises itself as PyPI packages to infect users. This malware is also equipped with information-stealing abilities that allow it to hijack cryptocurrency transactions.
About the campaign
In this campaign, threat actors were found disseminating the KEKW malware by spreading malicious Python .whl files.
These .whl files are ZIP-format archives that bundle everything needed to install a Python package, including the code, data files, and metadata.
Over 20 of these malicious packages were found to contain a Bitcoin address associated with the threat actors’ clipper activities.
A majority of these malicious packages contained the domain name kekwltd[.]ru, followed by a few ending with blackcap[.]ru.
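Because a wheel is just a ZIP archive, a defender can triage one offline by walking its members and looking for the indicators named above. The following script is an added example, not code from the original report or from the malware; the sample wheel, module names and wallet string it builds are constructed for the demonstration.

```python
"""Defender-side triage of a Python wheel (.whl) treated as a ZIP archive.
Added example, not from the original report. Scans each member for the
domains named in the write-up (kekwltd[.]ru, blackcap[.]ru) and for Base58
strings shaped like legacy Bitcoin addresses."""
import io
import re
import zipfile

# Indicators taken from the report (defanging brackets removed for matching).
SUSPICIOUS_DOMAINS = ("kekwltd.ru", "blackcap.ru")
# Legacy (P2PKH/P2SH) Bitcoin address shape: leading 1 or 3, then 25-34 Base58 chars.
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def scan_wheel(wheel_bytes: bytes) -> dict:
    """Return {member_name: [findings]} for every wheel member with a hit."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as whl:
        for info in whl.infolist():
            if info.is_dir():
                continue
            # Decode leniently: binary members simply yield no readable hits.
            text = whl.read(info).decode("utf-8", errors="ignore")
            hits = [f"domain:{d}" for d in SUSPICIOUS_DOMAINS if d in text]
            hits += [f"btc-address:{m}" for m in BTC_ADDR_RE.findall(text)]
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_wheel() -> bytes:
    """Construct a tiny wheel-shaped ZIP with one planted indicator.
    The package, module source and wallet string are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as whl:
        whl.writestr("demo_pkg/__init__.py", "print('hello')\n")
        whl.writestr("demo_pkg/updater.py",
                     "C2 = 'http://kekwltd.ru/upload'\n"
                     "WALLET = '1DemoWa11etAddrForTestingPurposes'\n")
        whl.writestr("demo_pkg-1.0.dist-info/METADATA", "Name: demo_pkg\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_wheel(build_sample_wheel()).items():
        print(member, hits)
```

To scan a real artifact, pass the bytes of a downloaded .whl to scan_wheel() instead of the constructed sample.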
Capabilities of KEKW malware
Written in Python, the KEKW malware uses a system_information() function to collect system-related data such as login details, computer name, Windows product key and version, RAM capacity, HWID, IP address, geographical location, and Google Maps information.
It steals cookies, passwords, histories, profiles, credit card details, and tokens from web browsers such as Google Chrome, Microsoft Edge, Yandex, Brave, and Amigo.
The malware’s clipper capability lets attackers swap the intended cryptocurrency wallet address for an attacker-controlled address, diverting victims’ funds.
After collecting the stolen data, the malware formats it as JSON, compresses it into a ZIP file, and uploads it to an attacker-controlled C2 server.
Conclusion
The group behind the KEKW stealer has launched a large-scale campaign to distribute it. By delivering it through malicious Python packages, they expose organizations to supply chain attacks. Security teams should therefore remain vigilant and act promptly to remove such packages from the repository, which will help limit the impact of these attacks.