Threat Actors JuiceLedger's Newest Attack Campaign Uses PyPI Phishing
Industry: Technology | Level: Tactical | Sources: Checkmarx & SentinelOne
Collective research from SentinelLabs and Checkmarx provides details of the threat actor JuiceLedger. Initial campaigns were observed in early 2022, spreading fake Python installer applications with the goal of obtaining sensitive user information from victims' browsers. However, their tactics changed recently: "In August 2022, the threat actor engaged in poisoning open-source packages as a way to target a wider audience with the Infostealer through a supply chain attack, raising the threat level posed by this group considerably." Researchers have identified various typosquatting packages, and at least two legitimate packages were poisoned. The campaigns start with a fraudulent Google validation-themed phishing email. A malicious link in the email leads the victim to a credential harvesting page hosted on a Google Sites domain. Credentials submitted to that page allow the attacker to compromise the contributor's code packages. Checkmarx, listing the identified malicious packages and their download counts, notes: "The infected packages, version 0.1.6 of exotel (over 480,000 total downloads) and versions 2.0.2 and 4.0.2 of spam (over 200,000 total downloads) were taken down by now." The malicious packages currently have low detection rates and drop the JuiceStealer information-stealing malware, which queries SQLite files to identify credentials. PyPI is actively reviewing the malicious packages and, as Checkmarx indicates, has already taken several down. Contributors are urged to use two-factor authentication.
- Dependency Chain Attack
Anvilogic Use Case:
- Package installation
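As an added example for the package-installation use case (not code from the brief, Checkmarx or SentinelLabs), the script below audits `pip freeze`-style pins against the poisoned releases the brief names and flags names that are one edit away from the targeted packages, which is how the typosquats described above would surface. The sample pins are constructed and the edit-distance threshold is an assumption.

```python
"""Hypothetical audit of pinned packages against the JuiceLedger PyPI campaign.
Added example, not from the brief; the poisoned versions are the ones the brief
names, the sample pins are constructed and the distance threshold is assumed."""
import re

# Poisoned releases named in the brief (normalised package name -> versions).
POISONED = {"exotel": {"0.1.6"}, "spam": {"2.0.2", "4.0.2"}}

def normalize(name):
    """PEP 503 name normalisation: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike (typosquat) package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_pin(line):
    """Parse a 'name==version' pin (pip freeze style); None for any other line."""
    m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)", line)
    return (normalize(m.group(1)), m.group(2)) if m else None

def audit(lines, max_distance=1):
    """Return (name, version, reason) for poisoned pins and look-alike names.
    A distance of 1 is noisy for short names such as 'spam'; tune per environment."""
    findings = []
    for line in lines:
        pin = parse_pin(line)
        if pin is None:
            continue
        name, version = pin
        if name in POISONED:
            if version in POISONED[name]:
                findings.append((name, version, "poisoned-release"))
            continue  # legitimate package name; only the version matters
        for legit in POISONED:
            if edit_distance(name, legit) <= max_distance:
                findings.append((name, version, f"possible-typosquat-of-{legit}"))
    return findings

# Constructed sample resembling `pip freeze` output; not taken from any real host.
SAMPLE = ["Exotel==0.1.6", "spam==4.0.1", "spamm==1.0.0", "requests==2.28.1", "# note"]

if __name__ == "__main__":
    print(audit(SAMPLE))
```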