Software supply chain security firm Phylum spotted the campaign. Phylum said that it discovered the campaign after noticing a flurry of activity around typosquats of the popular Python requests package.
Typosquats take advantage of simple typos to install malicious packages.
In this case, the PyPI typos include: dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste, requestw, requfsts, resuests, rewuests, rfquests, rrquests, rwquests, telnservrr, and tequests.
Phylum later discovered the attacker publishing the following NPM packages that also take advantage of typosquatting: discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr.
As clones of the official libraries, they often go unnoticed until it’s too late.
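A pre-install check that catches the pattern described above: flag any package name that is one keystroke away from a well-known package. This is an added example, not Phylum's tooling; the suspect list is the article's PyPI names used as constructed input, and the short allow-list of popular packages is an assumption.

```python
# Added example (not Phylum's code): flag package names that are a single
# keystroke away from a well-known package, the pattern the article describes.

# The PyPI typosquats of "requests" named in the article (constructed input).
SUSPECT_NAMES = [
    "dequests", "fequests", "gequests", "rdquests", "reauests", "reduests",
    "reeuests", "reqhests", "reqkests", "requesfs", "requesta", "requeste",
    "requestw", "requfsts", "resuests", "rewuests", "rfquests", "rrquests",
    "rwquests", "telnservrr", "tequests",
]

# Hypothetical allow-list a pre-install hook might protect (assumption).
POPULAR_PACKAGES = ["requests", "urllib3", "numpy"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1, which covers the single-typo
    variants (e.g. 'reqeusts', 'requets') typosquatters register."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def typosquat_matches(name: str, known=POPULAR_PACKAGES, max_distance: int = 1):
    """Known packages that `name` resembles; an exact match is not a squat."""
    name = name.lower()
    return [k for k in known if k != name and osa_distance(name, k) <= max_distance]


def check_install_list(names, known=POPULAR_PACKAGES, max_distance: int = 1):
    """Map each suspicious name to the popular package(s) it imitates."""
    flagged = {}
    for n in names:
        hits = typosquat_matches(n, known, max_distance)
        if hits:
            flagged[n] = hits
    return flagged
```

Run over the article's list, every name except `telnservrr` is flagged as one edit away from `requests`; that outlier is a distinct name, not a typo of the target, which is why a distance check needs to sit alongside other signals such as package age and publisher history.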
Depending on the OS of the victim’s device, this particular malware downloads a matching Golang binary. When executed, it replaces the desktop background of the victim’s computer with a fake CIA image and attempts to encrypt some files.
A README file is placed by the malware on the desktop that asks the user to contact the individual on Telegram and pay “a small fee of $100” in BTC, ETH, LTC, or XMR. Failing to do so will result in the deletion of the decryption key, the attacker claims.
According to Phylum, the attack is ongoing (as of 13 December 2022), and a new version of the ransomware has been released that also narrows the set of supported architectures.