Python PyPI
The Python Package Index (PyPI) is a prominent hub for numerous software packages designed for the Python programming language. However, its popularity has made it a prime target for malicious actors seeking to exploit its widespread user base.
In the past, CRIL (Cyble Research and Intelligence Labs) has encountered many cases where attackers used PyPI packages to distribute malware payloads, and the frequency of infostealers spreading via malicious PyPI packages has also increased.
The KEKW malware described here can steal sensitive information from compromised systems and also performs clipper activity, swapping cryptocurrency wallet addresses so that it can hijack transactions.
KEKW malware
KEKW malware terminates its execution if the host's username, computer name, IP address, or hardware ID (HWID) matches a pre-defined, hard-coded blocklist of strings; such lists typically hold identifiers associated with analysis sandboxes. It also checks for security-related processes running on the system and exits if it finds any. The practical consequence for defenders is that a sandbox with default or recognisable identifiers may never see the payload run.
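The following is an added illustration of how that anti-analysis gate works and how an analyst would test a sandbox against it; it is not the malware's code. Every blocklist value below is a constructed placeholder (the sample's real lists are not reproduced on this page), `HostProfile`, `evasion_reasons` and `would_abort` are names chosen here, and the case-insensitive comparison is an assumption about how such string lists are usually matched.

```python
"""Model of the KEKW-style anti-analysis gate: the sample exits when the host's
username, computer name, IP address or HWID is on a hard-coded blocklist, or
when a security tool is running.  Added example, not the malware's code."""
import getpass
import platform
import socket
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class HostProfile:
    username: str
    computer_name: str
    ip_address: str
    hwid: str
    processes: frozenset  # lower-case image names, e.g. "wireshark.exe"


# Constructed placeholders; the real sample's lists are not on the page.
BLOCKED_USERNAMES = {"wdagutilityaccount", "sandbox", "malware"}
BLOCKED_COMPUTER_NAMES = {"sandbox-vm", "desktop-analysis"}
BLOCKED_IPS = {"192.0.2.10"}  # RFC 5737 documentation address
BLOCKED_HWIDS = {"00000000-0000-0000-0000-000000000000"}
BLOCKED_PROCESSES = {"procmon.exe", "wireshark.exe", "x64dbg.exe", "fiddler.exe"}


def evasion_reasons(profile: HostProfile) -> list:
    """Return every blocklist hit for the profile; an empty list means the
    sample would proceed.  Reporting all hits rather than the first tells an
    analyst exactly which sandbox identifiers still need to be changed."""
    reasons = []
    if profile.username.lower() in BLOCKED_USERNAMES:
        reasons.append(f"username {profile.username!r}")
    if profile.computer_name.lower() in BLOCKED_COMPUTER_NAMES:
        reasons.append(f"computer name {profile.computer_name!r}")
    if profile.ip_address in BLOCKED_IPS:
        reasons.append(f"ip address {profile.ip_address}")
    if profile.hwid.lower() in BLOCKED_HWIDS:
        reasons.append(f"hwid {profile.hwid}")
    for proc in sorted(profile.processes & BLOCKED_PROCESSES):
        reasons.append(f"process {proc}")
    return reasons


def would_abort(profile: HostProfile) -> bool:
    """True if the sample would terminate instead of running its stealer."""
    return bool(evasion_reasons(profile))


def local_profile(processes=frozenset()) -> HostProfile:
    """Profile of the machine this runs on, built from the same four
    identifiers the text names, using only stdlib lookups.  Running process
    names are passed in by the caller; enumerating them portably is out of scope."""
    try:
        user = getpass.getuser()
    except (OSError, KeyError, ImportError):
        user = "unknown"
    try:
        ip = socket.gethostbyname(socket.gethostname())
    except OSError:  # no resolver in an isolated sandbox
        ip = "127.0.0.1"
    return HostProfile(
        username=user,
        computer_name=platform.node(),
        ip_address=ip,
        hwid=f"{uuid.getnode():012x}",  # MAC-derived stand-in for the real HWID
        processes=frozenset(p.lower() for p in processes),
    )


# Constructed sandbox, before and after the analyst renames its identifiers.
SANDBOX = HostProfile("WDAGUtilityAccount", "SANDBOX-VM", "192.0.2.10",
                      "00000000-0000-0000-0000-000000000000",
                      frozenset({"explorer.exe", "wireshark.exe"}))
RENAMED = HostProfile("jsmith", "LAPTOP-4K2Q9", "10.0.0.23",
                      "4c4c4544-0042-4e10-8059-b4c04f385a31",
                      frozenset({"explorer.exe", "outlook.exe"}))

if __name__ == "__main__":
    print("sandbox aborts:", would_abort(SANDBOX), evasion_reasons(SANDBOX))
    print("renamed aborts:", would_abort(RENAMED))
    print("this host aborts:", would_abort(local_profile()))
```

Run `would_abort(local_profile(processes))` inside a detonation VM with the process list from your EDR or Task Manager; each reason returned is one identifier to randomise before the next detonation, since the sample will not reveal its stealer or clipper behaviour until the list is empty.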
Once past those checks, KEKW calls a function named system_information() to gather a wide range of system-related data from the infected machine.
This function collects the login username, computer name, Windows product key and version, RAM capacity, HWID, IP address, geographic location and associated Google Maps location data, and other sensitive details.
By collecting this information, the malware builds a comprehensive profile of the infected system, which supports follow-on activity such as financial fraud.
According to CRIL, the following packages were observed spreading KEKW malware:
- pythonsqlitetool-1.0.0
- pipsqlpackageV2-1.0.0
- pipfontingaddonsV2-1.0.0
- pythoncryptoaddition-1.0.0
- pipcoloringsextV1-1.0.0
- syssqlitemods-1.0.0
- syscryptographymodsV2-1.0.0
- syscoloringspkg-1.0.0
- syssqlite2toolsV2-1.0.0
- pythoncolorlibV1-1.0.0
- pythoncryptolibV2-1.0.0
- pythonsqlite2toolsV1-1.0.0
- pycolourkits-1.0.0
- pythoncolouringslibV2-3.0.0
- pythoncolouringslibV2-3.0.2
- pythoncolouringslibV2-3.0.1
- pythoncolouringslibV2-1.0.0
- pysqlite3pkgV2-1.0.0
- pyapicolorv2-0.0.1
Recommendation
Keep software up to date and use reputable antivirus software to ensure maximum protection against cyber threats. Because the packages above carry names that mimic common libraries (sqlite, crypto, colour), check the exact package name and publisher before running pip install, and prefer pinned, hash-verified dependencies (pip's --require-hashes mode) so that an unexpected wheel cannot be installed silently.
IOCs
| Indicator | Type | File |
| --- | --- | --- |
| 1cc87ac9d9066a9829e4245fd86d4cfc | MD5 | pipcoloringsextV1-1.0.0-py3-none-any.whl |
| b449b53a50d80ccfaba259ce98424d3f8e4b2c85 | SHA1 | pipcoloringsextV1-1.0.0-py3-none-any.whl |
| 7167f3c8f24eebc374ecf4d132fc5e2ff681d208a3b02ab5547f488698d2fffc | SHA256 | pipcoloringsextV1-1.0.0-py3-none-any.whl |
| 76e08229aae953002dce4fe06454e158 | MD5 | pipcolourpackagesV2-1.0.0-py3-none-any.whl |
| ac9ac60bd7bdb43bdd8c728c3aa00434f05d52cc | SHA1 | pipcolourpackagesV2-1.0.0-py3-none-any.whl |
| 7485ce031144f1800328b1d538c3eaddd589af85e0323d895e0763f88cb74652 | SHA256 | pipcolourpackagesV2-1.0.0-py3-none-any.whl |
| d211815d0507aa070b99d5a6c9e3c300 | MD5 | pipcryptaddsV2-1.0.0-py3-none-any.whl |
| 11485ddb88da5dae6e4f9b81f51b32a56565141c | SHA1 | pipcryptaddsV2-1.0.0-py3-none-any.whl |
| 6b951cc544151c6d21ebc2b92dcbeccb03e5c130060fcc671335caead0a19a9e | SHA256 | pipcryptaddsV2-1.0.0-py3-none-any.whl |
| 1e5a4f71632ed0eac001551c6453e2e0 | MD5 | pipfontingaddonsV2-1.0.0-py3-none-any.whl |
| 4e2b1fe66e3961f1bbf9805289a9d3d2b3dc0b61 | SHA1 | pipfontingaddonsV2-1.0.0-py3-none-any.whl |
| 1553712ce5551698f2eeacba0aedaac9d14a6a236d5da1d17e0456a554cf457d | SHA256 | pipfontingaddonsV2-1.0.0-py3-none-any.whl |
| 001beecd74578178013fec56d10724df | MD5 | pipsqlpackageV2-1.0.0-py3-none-any.whl |
| 228f0d5bb26d7dab58a80bdcb07a7e686e373448 | SHA1 | pipsqlpackageV2-1.0.0-py3-none-any.whl |
| 510bc06cfbecf2e1f135bb28b3361558eb529c86d7c65e614d0baea1843db997 | SHA256 | pipsqlpackageV2-1.0.0-py3-none-any.whl |
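As an added example (not CRIL's tooling), the script below turns the indicators on this page into a check for a Python environment: it flags installed distributions whose name appears in the package list above, and it matches wheel files on disk against the SHA256 values in the IOC table. The indicators are copied from the page; the function names, the PEP 503 name normalisation, the sample inputs and the directory scan are choices made here.

```python
"""Check an environment against the KEKW indicators on this page: the package
names from the list above and the wheel SHA256 values from the IOC table.
Added example, not CRIL's tooling."""
import hashlib
import re
from importlib import metadata
from pathlib import Path

# Package names exactly as listed above, "<name>-<version>".
KEKW_LISTED = """
pythonsqlitetool-1.0.0 pipsqlpackageV2-1.0.0 pipfontingaddonsV2-1.0.0
pythoncryptoaddition-1.0.0 pipcoloringsextV1-1.0.0 syssqlitemods-1.0.0
syscryptographymodsV2-1.0.0 syscoloringspkg-1.0.0 syssqlite2toolsV2-1.0.0
pythoncolorlibV1-1.0.0 pythoncryptolibV2-1.0.0 pythonsqlite2toolsV1-1.0.0
pycolourkits-1.0.0 pythoncolouringslibV2-3.0.0 pythoncolouringslibV2-3.0.2
pythoncolouringslibV2-3.0.1 pythoncolouringslibV2-1.0.0 pysqlite3pkgV2-1.0.0
pyapicolorv2-0.0.1
""".split()

# SHA256 -> wheel file name, from the IOC table above.
KEKW_WHEEL_SHA256 = {
    "7167f3c8f24eebc374ecf4d132fc5e2ff681d208a3b02ab5547f488698d2fffc": "pipcoloringsextV1-1.0.0-py3-none-any.whl",
    "7485ce031144f1800328b1d538c3eaddd589af85e0323d895e0763f88cb74652": "pipcolourpackagesV2-1.0.0-py3-none-any.whl",
    "6b951cc544151c6d21ebc2b92dcbeccb03e5c130060fcc671335caead0a19a9e": "pipcryptaddsV2-1.0.0-py3-none-any.whl",
    "1553712ce5551698f2eeacba0aedaac9d14a6a236d5da1d17e0456a554cf457d": "pipfontingaddonsV2-1.0.0-py3-none-any.whl",
    "510bc06cfbecf2e1f135bb28b3361558eb529c86d7c65e614d0baea1843db997": "pipsqlpackageV2-1.0.0-py3-none-any.whl",
}


def normalize(name: str) -> str:
    """PEP 503 normalisation, so 'PySQLite3PkgV2' and 'pysqlite3pkgv2' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_listed(entry: str) -> tuple:
    """Split '<name>-<version>' on its last hyphen and normalise the name."""
    name, version = entry.rsplit("-", 1)
    return normalize(name), version


# normalised name -> set of versions seen on the page
KEKW_VERSIONS = {}
for _entry in KEKW_LISTED:
    _name, _version = parse_listed(_entry)
    KEKW_VERSIONS.setdefault(_name, set()).add(_version)


def flag_installed(distributions) -> list:
    """distributions: iterable of (name, version).  Returns (name, version,
    version_listed) for every name on the list; a same-named package at an
    unlisted version is still reported, because the name alone is the signal."""
    hits = []
    for name, version in distributions:
        key = normalize(name)
        if key in KEKW_VERSIONS:
            hits.append((name, version, version in KEKW_VERSIONS[key]))
    return hits


def installed_distributions() -> list:
    """(name, version) for every distribution visible to this interpreter."""
    return [(d.metadata["Name"], d.version) for d in metadata.distributions()]


def sha256_of(path) -> str:
    """Streaming SHA256 so large wheels are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def match_wheel_digest(digest: str):
    """Wheel file name from the IOC table for a SHA256 hex digest, else None."""
    return KEKW_WHEEL_SHA256.get(digest.lower())


def flag_wheels(paths) -> list:
    """(path, ioc file name) for every file whose SHA256 is in the IOC table."""
    hits = []
    for p in paths:
        matched = match_wheel_digest(sha256_of(p))
        if matched:
            hits.append((str(p), matched))
    return hits


if __name__ == "__main__":
    for hit in flag_installed(installed_distributions()):
        print("installed KEKW package:", hit)
    # Scan wheels under the current directory (e.g. a vendored wheelhouse).
    for hit in flag_wheels(Path.cwd().rglob("*.whl")):
        print("KEKW wheel on disk:", hit)
```

Name matching is deliberately version-agnostic: the page lists several versions of pythoncolouringslibV2, and a new upload under an already-flagged name deserves the same scrutiny. Hash matching is exact and only covers the five wheels in the table, so a clean hash result says nothing about packages that were rebuilt or re-uploaded.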