In our recent exploration, we encountered a tweet from ESET Research that highlights the dissemination of malware which is capable of stealing passwords and cryptocurrencies via PyPI

PyPI(Python Package Index) is the official package repository for software written in Python and it serves as a central repository where developers can publish, share, and install Python packages. A significant number of users utilize this repository to effortlessly find, download, and manage dependencies for their Python projects.

The focus of this blog is about the dark side of PyPI where we delve into the discovery of a malevolent code embedded within one of the packages in PyPI that secretly collects sensitive data from Windows users. The sample being examined in this blog has been developed  using Python. We managed to obtain this malicious package from the referenced GitHub page in the mentioned tweet.

Behavioural Analysis :

Figure:1 shows the available setup files and folders in that particular package.

Figure 1: Setup Files

The python file as shown in Figure 2 gets executed while installing the package, leading us to the “pythoncryptolibrary”.

Figure 2 :

Upcoming sections of this blog will describe the execution details of the most significant portions of this stealer code

Stealing Crypto Data:

If the package is installed through pip, it first sends the computer name of the victim to the C2 server via POST request to tell them that some system is downloading the package as shown in Figure 3.

Figure 3 : Attack Initialization 

There are some hard-coded configurations in the script as shown in Figure 4 which will be used across the stealing process.

Figure 4 : Stealer configuration

This malware can be used by another threat actor as it has flexibility to replace the obtained data on the fly and send them to a configured C2 server.

In this package, threat actors have used a default domain “hxxps://  kekwltd  .ru  /relay” (taken down at the time of writing this blog) as their C2 to collect digital  wallet details of the famous wallets like exodus, steam, atomic with the help of their respective executables as shown in Figure 5 & 6.

Figure 5 : List of wallets executables
Figure 6 : Hunting down wallet particulars

To snatch crypto, they match the regex for default crypto addresses of some crypto currencies like BTC and ETH.

For example, as shown in Figure 7 if the crypto wallet address is copied in the clipboard, the attackers match them with a regex’s like “ ‘^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$’ ” to find out the addresses copied is for BTC or ETH or for other crypto’s and then they replace that value with their configured crypto address using pyperclip.

Figure 7 : Swapping victims’ crypto address to stealers’ crypto address 

The transactions of their ETH and BTC addresses are shown in Figure 8 and Figure 9  (unbelievable but transactions are still happening in this address, at the time of writing this blog).

Figure 8 : Bitcoin transaction 
Figure 9 : ETH transaction

Notable Process Shutdown :

In the code, there are some configurations to check and terminate a few processes (as listed in Figure 10) if they are  running in that target machine,  thus ensuring the attackers that they are stealing under a safer environment.

Figure 10 : Termination process Highlights

Stealthy Data Snatching :

This stealer python package file collects the basic info like storage, computer name and login information as displayed in Figure 11. 

Figure 11 : Code collects core particulars

It also forms a regex by combining the regex returned in the response of the URL (shown in Figure 11) and a regex assigned in a variable, to match tokens in the browser’s log. Those collected tokens can be used to authorize the Discord API’s of the victim from where attackers can retrieve user information. As shown in Figure 12, it collects used phone numbers, email, if any active Nitro subscription is present, its billing status from the payment sources associated with their account etc. If any executables like DiscordTokenProtector/ProtectionPayload exist it removes them and kills their processes before sending the tokens.

Figure 12 : Obtains the details using Tokens

By accessing SQLite database file ‘logindb’, they also steal the available credit card details from the cookies table. The stealing data details have been highlighted in Figure 13.

Figure 13 : Collecting Card details

It will get the IP and location details by contacting the URL “hxxps://”[Figure 14] and frames the Google map link with the help of location that it gets from the response json.

Figure 14 : Gathering IP information

There are few functions named getpassw, getcookie as displayed in Figure 15 & 16 which steals used password and cookie from the browsers for the sites for which the data is available in the local storage.

Figure 15 : Extract of getpassw
Figure 16 : Extract of getcookie

They also steal the victim’s browser history to get more details about the victim or even some sensitive data as shown in Figure 17.

Figure 17 : History stealing

For persistence, they used the startup folder to place a copy of the script which is revealed in Figure 18.

Figure 18 : Evidence of the persistence

There is a function called “grabb_GatherAll” outside of the __main__ function which contains most of these stealing functions and this helps to execute the code whenever the package/script is imported.

The code to get system software info from registry using PowerShell cmd is shown in Figure 19.

Figure 19 : Registry check using PowerShell

It also checks the Registry key value of DriverDesc and ProviderName to find out whether it is running under any VM. If it knows the file it is running under VBox or VMware , then it exits the program.

If the configured information like User name, computer name,VM IP are similar to the table below in victim machine then the program terminates without execution

User nameComputer name
BvJChRPnsxn BEE7370C-8C0C-4 
RGzcBUyrznReg B30F0242-1C6A-4 
Peter XC64ZB 
patex SERVER1 
kEecfMwgj DESKTOP-B0T93D6 
John WORK 
george 6C4E733F-C2D9-4
lmVwjj9b DESKTOP-5OV9S0O 
PqONjHVwexsS QarZhrdBpj 
3u2v9m8 ORELEEPC 

And Figure 20 lists the set of IP’s they have decided not to execute on. As you might have already guessed, most of these are located in Russia.

Figure 20 : Filtering out IP addresses

All the stolen data will be sent to the attacker as a Zip file(evidenced in Figure 21) through POSTrequest.  It creates a zip file under each path it searches and uploads it to its URL

Figure 21 : Zip file creation

If the file size is too big they use site to upload as highlighted in Figure 22 and generate a URL for that file where they can easily download that file using that URL at the attacker’s end.

Figure 22 : Snippet of

Figure 23 shows how the information is embedded and sent to C2. 

Figure 23 : Format of the embedded information

Attackers are also setting some fake information to manipulate the victim by showing some fake fatal error messages, pop-ups etc. 

We should always be cautious and double-check the packages we install, regardless of their popularity or reputation. We at K7 Labs provide detection for all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.

Indicators of Compromise (IOCs)

      Hash  K7 Detection Name
07251364aed9cfbd4faef0a8ddce717bTrojan ( 0001140e1 )
9f03caedb7ed8fa78c8afa2bfbbf33b6Trojan ( 0001140e1 )


hxxps://  kekwltd  .ru  /relay/download

hxxps://  kekwltd  .ru

hxxps://  paste  .bingner  .com  /paste/fhvyp/raw

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “The Malicious Abuse of the Trusted PYPI”