PyPI Python Package Alert: Watch Out for Your Crypto Wallet

admin · 2024-03-13 18:40:55

Threat hunters have discovered a set of seven packages on the Python Package Index (PyPI) repository that are designed to steal BIP39 mnemonic phrases used for recovering private keys of a cryptocurrency wallet.

The software supply chain attack campaign has been codenamed BIPClip by ReversingLabs. The packages were collectively downloaded 7,451 times prior to them being removed from PyPI. The list of packages is as follows -

  • jsBIP39-decrypt (126 downloads)
  • bip39-mnemonic-decrypt (689 downloads)
  • mnemonic_to_address (771 downloads)
  • erc20-scanner (343 downloads)
  • public-address-generator (1,005 downloads)
  • hashdecrypt (4,292 downloads)
  • hashdecrypts (225 downloads)

BIPClip, which is aimed at developers working on projects related to generating and securing cryptocurrency wallets, is said to be active since at least December 4, 2022, when hashdecrypt was first published to the registry.

"This is just the latest software supply chain campaign to target crypto assets," security researcher Karlo Zanki said in a report shared with The Hacker News. "It confirms that cryptocurrency continues to be one of the most popular targets for supply chain threat actors."

In a sign that the threat actors behind the campaign were careful to avoid detection, one of the packages in question -- mnemonic_to_address -- was devoid of any malicious functionality, barring listing bip39-mnemonic-decrypt as its dependency, which contained the malicious component.

"Even if they did opt to look at the package's dependencies, the name of the imported module and invoked function are carefully chosen to mimic legitimate functions and not raise suspicion, since implementations of the BIP39 standard include many cryptographic operations," Zanki explained.

The package, for its part, is designed to steal mnemonic phrases and exfiltrate the information to an actor-controlled server.
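As an added example (not code from the report or the article), the following defender-side audit walks a project's dependency graph and flags any path that reaches one of the seven package names listed above, so that the indirect chain the article describes (mnemonic_to_address pulling in bip39-mnemonic-decrypt) is surfaced even though the top-level package carries no malicious code itself. The requirements text and dependency graph are constructed sample data; only the package-name list comes from the article.

```python
"""Flag direct and transitive dependencies on the BIPClip package names."""
import re
from collections import deque

# The seven PyPI package names from the ReversingLabs BIPClip report (PEP 503 normalized).
BIPCLIP_PACKAGES = frozenset({
    "jsbip39-decrypt", "bip39-mnemonic-decrypt", "mnemonic-to-address",
    "erc20-scanner", "public-address-generator", "hashdecrypt", "hashdecrypts",
})

def normalize(name: str) -> str:
    """PEP 503 normalization: runs of -, _ and . become '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> list[str]:
    """Return normalized project names from requirements.txt-style text."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("-"):        # skip blanks and pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # name before any specifier
        if m:
            names.append(normalize(m.group(0)))
    return names

def find_flagged(roots, dep_graph) -> dict[str, list[str]]:
    """Breadth-first walk from each root; map each flagged package to the
    shortest dependency path that reaches it (so indirect pulls are visible)."""
    graph = {normalize(k): [normalize(d) for d in v] for k, v in dep_graph.items()}
    found: dict[str, list[str]] = {}
    for root in roots:
        root = normalize(root)
        queue, seen = deque([[root]]), {root}
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node in BIPCLIP_PACKAGES and node not in found:
                found[node] = path
            for dep in graph.get(node, []):
                if dep not in seen:
                    seen.add(dep)
                    queue.append(path + [dep])
    return found

# Constructed sample input, not taken from any real project.
CONSTRUCTED_REQUIREMENTS = """
requests==2.31.0
mnemonic_to_address>=0.1   # looks harmless on its own
"""
CONSTRUCTED_GRAPH = {   # constructed: what installed metadata would report as Requires-Dist
    "requests": ["urllib3", "certifi"], "urllib3": [], "certifi": [],
    "mnemonic_to_address": ["bip39-mnemonic-decrypt"],  # the indirection described above
    "bip39-mnemonic-decrypt": [],
}

def audit(requirements_text=CONSTRUCTED_REQUIREMENTS, graph=CONSTRUCTED_GRAPH):
    return find_flagged(parse_requirements(requirements_text), graph)

if __name__ == "__main__":
    for pkg, path in sorted(audit().items()):
        print(f"FLAGGED {pkg}: {' -> '.join(path)}")
```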

Two other packages identified by ReversingLabs – public-address-generator and erc20-scanner – operate in an analogous fashion, with the former acting as a lure to transmit the mnemonic phrases to the same command-and-control (C2) server.

On the other hand, hashdecrypts functions a little differently in that it's not conceived to work as a pair and contains within itself near-identical code to harvest the data.

The package, per the software supply chain security firm, includes references to a GitHub profile named "HashSnake," which features a repository called hCrypto that's advertised as a way to extract mnemonic phrases from crypto wallets using the package hashdecrypts.

A closer examination of the repository's commit history reveals that the campaign has been underway for over a year based on the fact that one of the Python scripts previously imported the hashdecrypt (without the "s") package instead of hashdecrypts until March 1, 2024, the same date hashdecrypts was uploaded to PyPI.

It's worth pointing out that the threat actors behind the HashSnake account also have a presence on Telegram and YouTube to advertise their warez. This includes releasing a video on September 7, 2022, showcasing a crypto logs checker tool dubbed xMultiChecker 2.0.

"The content of each of the discovered packages was carefully crafted to make them look less suspicious," Zanki said.

"They were laser focused on compromising crypto wallets and stealing the crypto currencies they contained. That absence of a broader agenda and ambitions made it less likely this campaign would trip up security and monitoring tools deployed within compromised organizations."

The findings once again underscore the security threats that lurk within open-source package repositories, which is exacerbated by the fact that legitimate services like GitHub are used as a conduit to distribute malware.

Furthermore, abandoned projects are becoming an attractive vector for threat actors to seize control of the developer accounts and publish trojanized versions that could then pave the way for large-scale supply chain attacks.

"Abandoned digital assets are not relics of the past; they are ticking time bombs and attackers have been increasingly taking advantage of them, transforming them into trojan horses within the open-source ecosystems," Checkmarx noted last month.

"MavenGate and CocoaPods case studies highlight how abandoned domains and subdomains could be hijacked to mislead users and spread malicious intent."


References

[1]https://thehackernews.com/2024/03/watch-out-these-pypi-python-packages.html


Originally published on the WeChat official account 知机安全: PyPI Python Package Alert: Watch Out for Your Crypto Wallet

Reposted on CN-SEC 中文网: https://cn-sec.com/archives/2572806.html
