Malicious Python packages uploaded by “dsfsdfds” to PyPI stole sensitive data from user systems and sent it to a Telegram bot likely associated with Iraqi cybercriminals. Active since 2022, the bot has over 90,000 Arabic messages and serves as both a command-and-control center and an underground marketplace for social media manipulation tools.
This highlights a larger cybercriminal network and underscores the need for thorough investigation and collaboration within cybersecurity communities.
A malicious script scans the victim’s file system, especially the root directory and DCIM folder, for files with extensions like .py, .php, .zip, .png, .jpg, and .jpeg. It then sends both file paths and actual data (files and photos) to the attacker’s Telegram bot without the user’s knowledge. This is done using a hardcoded Telegram bot token and chat ID, exposing the attacker’s infrastructure.
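A defender-side triage check for exactly this pattern, added here as an example (not Checkmarx's tooling or the packages' code): it scans unpacked package sources for a hardcoded Telegram bot token and chat ID, the bot API URL, a walk of the root directory, a DCIM reference, and the targeted extension set, then flags files that combine an exfiltration channel with collection behaviour. The regexes, indicator names and the two fixture strings are constructed for illustration.

```python
"""Static triage for the Telegram exfiltration pattern described above.
Added example; regexes, indicator names and fixtures are constructed."""
import re
from pathlib import Path

# Bot tokens look like "<numeric bot id>:<35-char secret>"; chat IDs are numeric.
TOKEN_RE = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")
CHAT_ID_RE = re.compile(r"chat_id\s*[=:]\s*['\"]?-?\d{6,}", re.I)
API_RE = re.compile(r"api\.telegram\.org/bot", re.I)
DCIM_RE = re.compile(r"\bDCIM\b", re.I)
WALK_ROOT_RE = re.compile(r"os\.walk\(\s*['\"]/['\"]")
EXT_RE = re.compile(r"\.(py|php|zip|png|jpe?g)\b", re.I)

INDICATORS = {
    "telegram_bot_token": TOKEN_RE,
    "hardcoded_chat_id": CHAT_ID_RE,
    "telegram_api_url": API_RE,
    "dcim_folder_reference": DCIM_RE,
    "walks_root_directory": WALK_ROOT_RE,
}

def triage_source(src: str) -> dict:
    """Indicator hits for one file; the extension check needs >= 3 distinct hits."""
    hits = {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}
    exts = {e.lower() for e in EXT_RE.findall(src)}
    hits["targets_sensitive_extensions"] = len(exts) >= 3
    return hits

def is_suspicious(hits: dict) -> bool:
    """Exfil channel (token or bot API URL) combined with collection behaviour."""
    channel = hits["telegram_bot_token"] or hits["telegram_api_url"]
    collection = (hits["walks_root_directory"] or hits["dcim_folder_reference"]
                  or hits["targets_sensitive_extensions"])
    return channel and collection

def triage_package(root: str) -> dict:
    """Run triage_source over every .py file below an unpacked package directory."""
    return {str(p): triage_source(p.read_text(errors="ignore"))
            for p in Path(root).rglob("*.py")}

# Constructed fixtures (not real malware): a benign file and one carrying the
# article's indicators with a fake token.
BENIGN_SAMPLE = 'import requests\nr = requests.get("https://example.com/api")\n'
SUSPECT_SAMPLE = (
    'TOKEN = "1234567890:AAHfakeTokenForIllustrationOnly0000"\n'
    'CHAT_ID = 987654321\n'
    'URL = "https://api.telegram.org/bot" + TOKEN + "/sendDocument"\n'
    'for root, _, files in os.walk("/"):\n'
    '    pass  # gathers .py .php .zip .png .jpg .jpeg and the DCIM folder\n'
)
```

Run `triage_package` over a freshly downloaded sdist before installing it; a hit on the token plus any collection indicator is worth a manual look even when the package name seems plausible.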
Python Packages Data Exfiltration
The analysis of the exfiltrated data uncovered hardcoded credentials for a Telegram bot used by the attackers.
Using these credentials, researchers accessed the bot and discovered an extensive activity history dating back to at least 2022.
The messages, mostly in Arabic, provided insights into the bot operator’s location and activities. Tools like GitHub’s TeleTracker helped researchers identify the operator as likely being based in Iraq.
The bot’s activity indicated it was part of a larger network of bots managed by the same individual. Initially, the bot served as an underground marketplace, offering illegal services such as buying social media engagement metrics, spam services, and discounted subscriptions to streaming platforms like Netflix.
An investigation into a malicious Python package revealed a hidden Telegram bot, which further analysis exposed as part of a broader cybercriminal operation. The bot’s message history suggested financial theft from compromised systems, indicating the packages were an effective initial attack vector. This discovery highlighted the need for in-depth cybersecurity investigations.
The seemingly isolated malicious packages were actually entry points to a complex criminal network operating over Telegram. Researchers at Checkmarx found these packages on PyPI; they exfiltrated user data to a Telegram bot, revealing a larger Iraqi cybercriminal network and the dangers of compromised developer machines.
In an enterprise setting, such a breach could allow attackers to gain an initial foothold and launch further attacks within the organization’s network. Avoid these four identified malicious Python packages: testbrojct2, proxyfullscraper, proxyalhttp, and proxyfullscrapers. These packages use the PyPI repository as their distribution channel; once installed on an unsuspecting system, they scrape files, including sensitive ones, and send the data to a Telegram bot controlled by cybercriminals. This exposes the system to various threats, such as financial fraud or further system compromise.