Insights, news, education and announcements from PolySwarm

W4SP Infostealer

Written by PolySwarm Tech Team | Dec 5, 2022 7:09:46 PM



Executive Summary

Checkmarx recently reported on W4SP, an infostealer malware hidden in tainted PyPi packages.

Key Takeaways

  • W4SP is a Discord malware family used as an infostealer. It is hidden in PyPi packages.
  • W4SP can steal various types of data, including Discord accounts, passwords, crypto wallets, credit card information, and other files.
  • Checkmarx attributes W4SP activity to an individual who runs the W4SP Discord server.
What is W4SP Infostealer?

W4SP is a Discord malware capable of stealing all Discord accounts, passwords, crypto wallets, credit card information, and other interesting files on a victim's machine. It then sends this information to the threat actor. W4SP developers tout that the malware is undetectable and protected by obfuscation. It includes measures to maintain persistence at startup. W4SP is polymorphic and uses steganography to hide code within PyPi packages. The malware is currently available for sale for $20 USD.

When an infected PyPi package is installed, setup.py is executed, and other Python packages are installed. One of these packages is judyb, which provides steganography utilities. The setup.py script downloads a .png image and saves it to the victim machine’s temp directory. Setup.py then uses the lsb.reveal function to extract code from the previously downloaded .png file. The payload data is base64 encoded. Once it is decoded and executed, it downloads another piece of code, which is polymorphic and highly obfuscated. The gzip encoded code is decoded and loaded, fetching additional code from threat actor infrastructure. This code is stored in the temp directory and modifies a registry key to establish persistence. The victim machine is now infected with W4SP stealer.

Who is Behind W4SP?

Checkmarx attributes W4SP stealer to a threat actor who operates the W4SP Discord server. Checkmarx researchers discovered the threat actor’s Discord server URL in the malware’s code. The Discord server was managed by the user Alpha.#0001. The threat actor’s Discord profile is connected to a Steam account with the username negrosss, and the actor previously called himself zeeckt. According to the Steam profile, the profile owner is located in Florida. Checkmarx researchers pivoted on the name zeeckt and discovered a YouTube channel with the same username. The YouTube channel contained videos of the threat actor building Discord hacking tools.

IOCs

PolySwarm is actively monitoring for samples of W4SP infostealer and will add them to our data set when available.

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports