Tag :
Cyber Security

What is the W4SP Stealer?

W4SP is an information stealer, commonly known as infostealers or stealers. It is a type of malware that secretly collects sensitive data from a compromised system and transmits it back to the attackers. The W4SP Stealer is written in Python and was first detected in August 2022. It spreads through malicious Python packages uploaded to the Python Package Index (PyPI), the official third-party software repository for Python. This tactic is known as a software supply chain attack. The W4SP Stealer targets users of Discord, a popular communication platform widely used by gamers and other communities. The malware is designed to steal a variety of data, including account credentials, Discord tokens, crypto wallets, credit card information, and other sensitive data stored on the victim's system.

A Review of W4SP Stealer Attacks

Initial Discovery

On July 30, 2022, a threat actor uploaded malicious Python packages named "pyquest" and "ultrarequests" to PyPI. Users were deceived into installing these packages due to the similarity of their names and descriptions to a legitimate Python package called "requests." The attacker further manipulated the "Starts" and "Forks" metrics, which measure a project's popularity and community involvement, to make the packages appear more reputable and reliable.

The "exceptions.py" file within the malicious packages contained a segment of malicious Python code designed to download additional Python code from a remote server.

What is the W4SP Stealer? – A Review of W4SP Attacks 1

The downloaded code was disguised using the open-source Python obfuscation tool "Hyperion." After de-obfuscation, the sample added itself to the registry startup directory, enabling persistence, and downloaded the W4SP Stealer from the server.

The stealer harvested passwords, browsing history, and specific files from the Download, Desktop, and Document directories. This data was then sent to a designated command & control (C2) server. Additionally, the stealer checked for the presence of Discord on the host. If found, the "index.js" file was downloaded from the C2 server and injected into Discord to monitor host behavior. This included collecting email addresses, passwords, and billing information, which were then sent to a Discord channel.

Later, the attacker uploaded another malicious package named "ascii2text" to PyPI. In this instance, the malicious code was embedded in the "init.py" file. This file is commonly used in PyPI packages to define the behavior of the package. Like previous attacks, this package downloaded a file to a temporary directory. However, it used the ".dll" extension to disguise the stealer and was executed silently using "pythonw.exe."

Second Wave of W4SP Attacks

About three months after the initial discovery, the W4SP operators launched another campaign on PyPI, this time using the package named "apicolor." The techniques used in this attack differed from the previous one in the following ways:

Image Steganography: Steganography is a technique that hides secret data within another file like an image file. The malicious apicolor package downloaded a carefully crafted image file that concealed malicious code using steganography. After the image was downloaded, the malicious content was extracted and executed using the "judyb.lsb.reveal" function.

What is the W4SP Stealer? – A Review of W4SP Attacks 2

Polymorphic Mutation: Here, the loaded code was also different. This time, the attacker used both polymorphic mutation and obfuscation techniques to evade detection and analysis. Polymorphic mutation allows malicious code to constantly change structure and appearance, making it harder for security tools to detect and analyze. Additionally, Gzip was used for data compression during transmission for obfuscation.

What is the W4SP Stealer? – A Review of W4SP Attacks 3

Code Upgrade: The stealer’s code was improved in this attack compared to the previous one. It included new features to steal data related to crypto wallets, games, Telegram, and the victim’s location. The malicious code was in the "setup.py" file, which directly executed and installed the malware when the victim installed the package.

Distribution Method: In the previous attacks, the attacker used multiple fake Python packages to spread their malware. However, they leveraged only one malicious package disguised as a reputable and trusted package in this attack. They also created an open-source project on GitHub and introduced the malicious package into the project for distribution.

During this attack, the threat actor attempted to sell the stealer on Discord channels for $20, claiming it was undetectable. They also promised to release an executable version of the program. Shortly after, the attacker returned to PyPI under the identity of "halt" and published another malicious package. This time, the downloaded file was an executable with the same obfuscation techniques.

The Impersonator Attacks

In March 2023, traces of the W4SP Stealer were discovered once again. The distribution method in this attack showed significant differences, leading to suspicions that this might not be the same threat actor as the previous two incidents.

Distribution Method: This time, the attacker adopted custom names instead of mimicking those of trusted packages. The names of the publishers followed a pattern of combining names and numbers, such as Anne1337, Richard1337, Debbie1337, Christopher1337, Sara1337, and Kevin1337. They also replaced the servers for hosting the malicious payload with websites used for temporary file storage.

What is the W4SP Stealer? – A Review of W4SP Attacks 4

Second Stage Payload: Instead of loading an encrypted payload, the attackers directly loaded a sample of the W4SP malware. The sample remained unchanged compared to the one used in the second attack.

The cost of this attack was lower than the previous two, and the attacker hid their identity with more sophisticated techniques. It is possible that the attacker was an impersonator who was inspired by the previous W4SP attacks.

Protection Against the W4SP Stealer

Sangfor Solutions

Sangfor Endpoint Secure detects and mitigates the malicious files involved in W4SP Stealer attacks. Please update the software and virus database to the latest version. For customized versions, please consult customer support before updating. Integration with Sangfor Neural-X further enables Endpoint Secure to detect and respond to new and emerging threats.

Sangfor Cyber Guardian Managed Detection & Response service provides a "Human-Machine Collaboration" service model to help users enhance their security capabilities. Cyber Guardian offers security device policy checks and updates as well as security threat inspections to ensure robust protection against W4SP and other threats.

Listen To This Post

Search

Keyword maximum 256 character

Get in Touch

Get in Touch with Sangfor Team for Business Inquiry

Name
Email Address
Business Phone Number
Tell us about your project requirements

Related Articles

CVE-2024-47575: Fortinet FortiManager Authentication Vulnerability

Date : 25 Oct 2024
Read Now

CVE-2024-38819: Path Traversal Vulnerability

Date : 19 Oct 2024
Read Now

CVE-2024-40766: SonicWALL SonicOS Access Control Flaw Vulnerability

Date : 12 Sep 2024
Read Now

See Other Product

Cyber Command - NDR Platform
Endpoint Secure
Internet Access Gateway (IAG)
Sangfor Network Secure - Next Generation Firewall
Platform-X
Sangfor Access Secure

Meet the Author

About Sangfor

Sangfor Technologies

Sangfor Technologies is a leading vendor of Cyber Security and Cloud Computing solutions. The majority of the blogs that you are seeing here are written by professionals working at Sangfor. We have a team of content writers, product managers and marketing experts who are taking care of writing articles on various topics that are relevant to our audience. Our team ensures that the articles published are factually correct and helpful to our customers and partners to know more about the recent trends on Cyber Security and Cloud, and how it can help their organizations.

  • facebook
  • twitter
  • linkedin
  • youtube
  • instagram
See Author's Detail