{"id":28708,"date":"2024-12-16T13:33:34","date_gmt":"2024-12-16T13:33:34","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=28708"},"modified":"2024-12-16T13:33:34","modified_gmt":"2024-12-16T13:33:34","slug":"aiocpa-pypi-package-crypto-wallets","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/aiocpa-pypi-package-crypto-wallets\/","title":{"rendered":"Aiocpa PyPI Package Targets Crypto Wallets"},"content":{"rendered":"<p><strong>A malicious package named aiocpa was identified on the Python Package Index (PyPI)<\/strong>, engineered to steal sensitive cryptocurrency wallet information. Unlike previous attacks that leveraged PyPI, which generally relied on typosquatting or impersonation, the attackers developed a seemingly legitimate crypto client tool and later inserted malicious code through updates.<\/p>\n<h2>Aiocpa PyPI Package Targets Crypto Wallets<\/h2>\n<p>ReversingLabs (RL) <a href=\"https:\/\/x.com\/ReversingLabs\/status\/1859969249093025796\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">detected the aiocpa package on November 21<\/a> using their machine-learning-powered Spectra Assure platform. The malicious payload was embedded in the \u201cutils\/sync.py\u201d file. This file contained obfuscated code, a common characteristic of malware frequently observed in open-source repositories such as PyPI and npm.<\/p>\n<p>Upon deobfuscation, researchers found that the code exfiltrated sensitive arguments, such as cryptocurrency trading tokens, <a href=\"https:\/\/gridinsoft.com\/command-and-control\">to a remote Telegram bot<\/a>. 
These tokens could be exploited to steal crypto assets.<\/p>\n<figure id=\"attachment_28712\" aria-describedby=\"caption-attachment-28712\" style=\"width: 1265px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/12\/Gc_vVNuWkAAwK7j.png\" alt=\"A wrapper function screenshot\" width=\"1265\" height=\"179\" class=\"size-full wp-image-28712\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/12\/Gc_vVNuWkAAwK7j.png 1265w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/12\/Gc_vVNuWkAAwK7j-300x42.png 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/12\/Gc_vVNuWkAAwK7j-1024x145.png 1024w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/12\/Gc_vVNuWkAAwK7j-768x109.png 768w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/12\/Gc_vVNuWkAAwK7j-860x122.png 860w\" sizes=\"auto, (max-width: 1265px) 100vw, 1265px\" \/><figcaption id=\"caption-attachment-28712\" class=\"wp-caption-text\">A wrapper function which exfiltrates function arguments to a Telegram chat. (source: ReversingLabs)<\/figcaption><\/figure>\n<p>The obfuscation techniques used involved recursive layers of Base64 encoding combined with zlib compression. This approach made the malicious intent difficult to detect without employing advanced analysis tools. Such methods are what distinguish this attack from other malware-spreading attempts that <a href=\"https:\/\/gridinsoft.com\/blogs\/pypi-malware-outbreak\/\">leveraged the PyPI repository<\/a>.<\/p>\n<h2>Attack Strategy<\/h2>\n<p>The attackers employed a novel tactic <strong>by creating and maintaining their own package<\/strong> rather than impersonating existing ones. Initially, aiocpa appeared to be a legitimate cryptopay API client with regular updates, proper documentation, and a GitHub repository. 
The account behind the package also seemed credible, with a history of contributions dating back to January 2024.<\/p>\n<p>However, malicious code was introduced in versions 0.1.13 and 0.1.14, released on November 20. These versions were capable of decoding Base64-encoded commands and executing them. As you may have guessed, these commands had purely malicious intent.<\/p>\n<p>Such actions are typical of malware but were notably absent in earlier versions and the original GitHub repository. Additionally, the attacker attempted to hijack an existing PyPI project named pay, possibly to exploit its user base or visibility.<\/p>\n<h2>Challenges in Detection<\/h2>\n<p>According to the researchers&#8217; reports, traditional application security tools were insufficient to detect this threat. At first glance, the package\u2019s project page appeared legitimate. It featured a well-maintained <a href=\"https:\/\/gridinsoft.com\/cryptocurrency\">cryptocurrency payment API client<\/a> with several versions released since September 2024 and organized documentation.<\/p>\n<p>The maintainer\u2019s profile seemed credible, with another package actively maintained since March 2024. Additionally, the linked GitHub page displayed numerous contributions dating back to January 2024. So, a developer assessing security would find no reason for suspicion, especially with <strong>over 10k downloads<\/strong> suggesting it was trustworthy.<\/p>\n<p>However, the malicious code was covertly embedded only in the package published to PyPI; it did not appear in the GitHub repository. Nevertheless, some advanced tools were able to uncover the malicious activity through behavioral differential analysis. 
By comparing different package versions, the tool pinpointed unexpected behaviors at the file level, enabling RL researchers to identify the threat.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A malicious package named aiocpa was identified on the Python Package Index (PyPI), engineered to steal sensitive cryptocurrency wallet information. Unlike the previous attacks that leveraged PyPI, that generally relied on typosquatting or impersonation, the attackers developed a seemingly legitimate crypto client tool and later inserted malicious code through updates. Aiocpa PyPI Package Targets Crypto [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":28714,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[41,619,28,1547],"class_list":{"0":"post-28708","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-cryptocurrency","9":"tag-cybersecurity","10":"tag-malware","11":"tag-pypi"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/12\/Aiocpa-malware-targets-crypto-wallets.webp","author_info":{"display_name":"Stephanie 
Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/28708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=28708"}],"version-history":[{"count":9,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/28708\/revisions"}],"predecessor-version":[{"id":28730,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/28708\/revisions\/28730"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/28714"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=28708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=28708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=28708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}