Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI

Cyber Security Threat Summary:
According to a new report from Checkmarx, throughout 2023 threat actors have been distributing malicious Python packages disguised as legitimate obfuscation tools to execute BlazeStealer malware on targeted systems. Once executed, BlazeStealer will retrieve a malicious script from an external source and run a discord bot designed to enable the threat actor to gain complete control over the victim’s computer and perform the following actions:

  • Exfiltrate detailed host information
  • Steal passwords from the Chrome web browser
  • set up a keylogger
  • Download files from the victim's system
  • Capture screenshots and record both screen and audio
  • Render the computer inoperative by ramping up CPU usage, inserting a batch script in the startup directory to shut down the PC, or forcing a BSOD error with a Python script
  • Encrypt files, potentially for ransom
  • Deactivate Windows Defender and Task Manager
  • Execute any command on the compromised host
Security Officer Comments:
So far researchers have uncovered a total of eight malicious packages which include Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood, Taking a closer look, all of these package names start with “pyobf” which is set on purpose by the actors to be similar to genuine packages such as “pyobf2” and “pyobfuscator” that are commonly used by developers to obfuscate their Python code.

Suggested Correction(s):
69.2% of total downloads of the malicious packages originated from the United States followed by China (12.4%), Russia (5.5%), Ireland (3.0%), Hong Kong (1.6%), etc. This highlights the need for developers to be more careful when installing packages by verifying their source code and authenticity and using dependency scanning tools to identify outdated or vulnerable packages that might be exploited by threat actors.