As a writer at Sonatype, I don’t have to wait too long to get a scoop. Our security researchers are always bringing to our attention the latest malware uploaded to open-source registries so I have more than enough material to work from. The challenge comes when trying to uncover the story that’s hidden inside the vast number of packages our AI system flags and our security researchers confirm as malicious.
Lately, our AI has been detecting a series of information stealers being uploaded to the PyPI registry. An information stealer is a type of malware designed to steal private information through snippets of code that can capture sensitive data such as passwords, credit cards, cryptocurrency wallets, and other files of interest.
I already covered how these stealers have evolved from the popular W4SP stealer to RAT (remote access trojan) mutants capable of polymorphic payloads and clipboard hijacking. Nevertheless, more info-stealers are coming in, and we’re keeping track of them and investigating the tactics, techniques, and procedures (TTPs) bad actors use to deploy them.
Recently, our security researcher Carlos Fernandez pointed me to a Python package called ratebypass. Since static analysis showed the name “Creal Stealer” as a username within the second-stage payload of setup.py, we initially suspected it might be a new type of info-stealer. The webhook URL also suggested a Discord-as-C2 approach, using Discord infrastructure to handle encrypted communication between the victim’s machine and the attacker. In brief, a Discord webhook URL is an HTTP endpoint that accepts payloads via HTTP POST; any application capable of sending HTTP POST requests can push data, including stolen data, to that URL.
But as we looked at the lines of code, we noticed an eerie resemblance with W4SP stealer, a dangerous information stealer that bad actors have been using in software supply chain attacks since July 2022. The malware has inspired copycats under different names such as “Satan Stealer,” “ANGEL Stealer,” “Leaf $tealer,” “@skid STEALER,” “Fade Stealer,” and “Celestial Stealer.” Should “Creal Stealer” be added to that list?
A tale of three stealers
Before diving deeper into ratebypass, let’s introduce two packages we recently found and identified as malicious in the PyPI registry: imagesolverpy and 3m-promo-gen-api.
imagesolverpy doesn’t hide the fact that it is a W4SP stealer, as you can see in the commented-out code.
Inspecting the webhook URL, we found the following data:
Bad actors are going by “Spidey Bot,” the name of a Discord stealer written in JavaScript that was found in 2019, possibly to deceive security researchers (or maybe just as a tribute to its predecessor?). Through the guild_id we also found that the channel where the attackers are exfiltrating the stolen data was created on February 10, 2023.
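The dating step above works because Discord IDs are snowflakes that embed a creation timestamp. The following Python example is added here and is not code from the article or from the ratebypass package: it pulls webhook URLs out of a source string and decodes creation dates for the webhook, channel and guild from a metadata dict shaped like Discord's webhook lookup response; every ID, token and name in it is constructed, and the pattern could equally be run over a whole package tree to date the attacker's infrastructure without contacting Discord.

```python
import re
from datetime import datetime, timedelta, timezone

# Discord IDs ("snowflakes") store, above bit 22, the milliseconds elapsed
# since the Discord epoch, 2015-01-01T00:00:00Z.
DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)

# Matches webhook URLs of the form https://discord.com/api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)"
)

def snowflake_to_datetime(snowflake):
    """Return the UTC creation time encoded in a Discord snowflake ID."""
    return DISCORD_EPOCH + timedelta(milliseconds=int(snowflake) >> 22)

def find_webhooks(source):
    """Return (webhook_id, token) pairs embedded in a source string."""
    return WEBHOOK_RE.findall(source)

def summarize_webhook(metadata):
    """Summarize a dict shaped like Discord's GET /webhooks/{id} response.
    Webhook, channel and guild IDs are all snowflakes, so each yields a date."""
    dates = {k: snowflake_to_datetime(metadata[k]).date().isoformat()
             for k in ("id", "channel_id", "guild_id")}
    return {"name": metadata.get("name"), "webhook_created": dates["id"],
            "channel_created": dates["channel_id"], "guild_created": dates["guild_id"]}

# Constructed sample data (not from the package): IDs are built so the guild
# and channel decode to 2023-02-10 and the webhook to 2023-02-12.
MS_2023_02_10 = 255_916_800_000  # ms from the Discord epoch to 2023-02-10T00:00Z
SAMPLE_GUILD_ID = (MS_2023_02_10 << 22) | 0x12345
SAMPLE_CHANNEL_ID = ((MS_2023_02_10 + 5_000) << 22) | 0x12346
SAMPLE_WEBHOOK_ID = ((MS_2023_02_10 + 2 * 86_400_000) << 22) | 0x1
SAMPLE_SOURCE = (
    "import requests\n"
    f'HOOK = "https://discord.com/api/webhooks/{SAMPLE_WEBHOOK_ID}/EXAMPLE-token-not-real"\n'
)
SAMPLE_METADATA = {
    "id": str(SAMPLE_WEBHOOK_ID),
    "name": "Spidey Bot",
    "channel_id": str(SAMPLE_CHANNEL_ID),
    "guild_id": str(SAMPLE_GUILD_ID),
}

if __name__ == "__main__":
    print(find_webhooks(SAMPLE_SOURCE), summarize_webhook(SAMPLE_METADATA))
```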
Going back to the second-stage payload, we noticed more references to W4SP Stealer:
Around line 820, there are functions that scan files for particular keywords related to sensitive data including crypto wallets, passwords, account numbers, PayPal, and 2FA. If the keywords are found, these functions attempt to extract the files from the victim’s computer using the gofile.io service.
Notice that the complete list of keywords includes words in French: “compte” (account), “mot de passe” (password), and “banque” (bank), indicating that the attacker is either from France or targeting victims in French-speaking countries. As we said in a previous report, the author of W4SP Stealer might be from France. Here’s the complete list of keywords for reference:
Now, let’s