
PyPI package that infected my PC


Aeit


Hello,
Today, thanks to my stupidity, I was a victim of a hack based on Python.
https://www.bleepingcomputer.com/news/security/pypi-packages-caught-stealing-credit-card-numbers-discord-tokens/

To make it short:
There's a script that, after launch, grabs tokens, and it probably does a lot more if you enter the password that the hacker sends you.
But thankfully ESET was fast enough and I realized something was off. The file ended up in quarantine.
What it did was steal my active session token from the Discord app on Windows, giving the hackers full access to my account and the bound credit card, and they made gifts for hundreds of $$$.
After changing the password they lost access.

But what bugs me the most is that they also hacked a second Discord account, my brother's.
And also cleaned out his bank account because of the credit card bound to the account.
How's that even possible if it wasn't logged in? He might have logged in on my PC months ago; that's all the association he has with my PC.

I ran a full scan on the system and found nothing more.
Is there something I can do to be sure I'm safe?
I sent the file to be analysed and the full package through support but won't post it here for obvious reasons.


Marcos (Administrators)

What was detected by ESET? Could you post the appropriate detection record here?

According to the linked article, the malicious Python packages have already been removed from PyPI, so it's not possible to get them any more. I can ask researchers if we got them before they were removed.


Of note from the bleepingcomputer.com article:

Quote

Such credit card numbers are often saved in web browsers by users aiming to use them later via "autocomplete."

This feature and ones like it in the browser should be the first thing disabled. Below is the setting in Firefox. Additionally, the browser cache should be cleared prior to browser shutdown when performing financial transactions if this is not done automatically, e.g. in private browsing mode. [Image: Firefox autofill setting]

5 hours ago, Marcos said:

According to the linked article, the malicious Python packages have already been removed from PyPI, so it's not possible to get them any more.

Assume these and anything else that can be used maliciously are readily available on Dark Web sites.

Edited by itman

6 hours ago, Marcos said:

What was detected by ESET? Could you post the appropriate detection record here?

According to the linked article, the malicious Python packages have already been removed from PyPI, so it's not possible to get them any more. I can ask researchers if we got them before they were removed.

What do you mean by detection record?


<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Time">11/27/2021 7:40:09 PM</COLUMN>
      <COLUMN NAME="Scanner">Real-time file system protection</COLUMN>
      <COLUMN NAME="Object type">file</COLUMN>
      <COLUMN NAME="Object">C:\Users\Aeit\Downloads\Programs\python.py</COLUMN>
      <COLUMN NAME="Detection">Python/PSW.Agent.EF trojan</COLUMN>
      <COLUMN NAME="Action">cleaned by deleting</COLUMN>
      <COLUMN NAME="Information">Event occurred on a new file created by the application: C:\Users\Aeit\Downloads\Programs\Akatori.exe (705F624417E9FD4DEF290A33998E6DD82F68CCAB).</COLUMN>
      <COLUMN NAME="Hash">42BEC56C088D24281B3C3BD015D4CC28B93920B5</COLUMN>
      <COLUMN NAME="First seen here">11/27/2021 7:40:07 PM</COLUMN>
    </RECORD>
  </LOG>
</ESET>


Also of note from the bleepingcomputer.com article:

Quote

"An authentication token allows the attacker to impersonate the user that originally held the token (similar to HTTP session cookies)."

"The payload stealing the tokens is based on the infamous dTGPG (Discord Token Grabber Payload Generator) payload."

Eset does detect this:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
11/28/2021 11:14:38 AM;HTTP filter;file;https://pastebin.com/0q0Fk0Ej;Python/PSW.Agent.CD trojan;connection terminated;xxxxxxx;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (03EE8F59FD88B4EE607CA05C3BDE55EF05707F0C).;6554B9F3103151110D513D808C0B32C39193B61A;

However, the question is whether Eset will detect it when obfuscated. Of note is that Python scripts are not scannable via the Windows AMSI interface, which Eset uses to de-obfuscate scripts:

Quote

However, "the packages aryi and suffer were obfuscated using PyArmor, suggesting that malware developers are experimenting with different obfuscation methods," state the researchers in their report.

Edited by itman
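The two ESET records posted in this thread (the XML export in the earlier reply and the semicolon-separated export in this one) carry the same triage data in different shapes: what was detected, what happened to it, and which process created or fetched it. The following is an added example for this thread, not ESET's tooling or code from either poster. It parses both export shapes, pulls the creating or downloading process and its SHA-1 out of the free-text "Information" column, and lists the hashes and parent processes an administrator would look at next. The column handling is an assumption drawn from these two records only; the sample records are copied from the thread.

```python
"""Parse ESET detection-log exports into uniform records for triage.

Added example for this thread; not ESET's tooling.  The two sample records
are copied from the posts above.  The column handling is an assumption drawn
from those two exports only (XML with <COLUMN NAME=...> elements, and a
semicolon-separated text export with a header row)."""
import csv
import io
import re
import xml.etree.ElementTree as ET

# Record from the "Real-time file system protection" hit posted above.
XML_SAMPLE = r"""<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Time">11/27/2021 7:40:09 PM</COLUMN>
      <COLUMN NAME="Scanner">Real-time file system protection</COLUMN>
      <COLUMN NAME="Object type">file</COLUMN>
      <COLUMN NAME="Object">C:\Users\Aeit\Downloads\Programs\python.py</COLUMN>
      <COLUMN NAME="Detection">Python/PSW.Agent.EF trojan</COLUMN>
      <COLUMN NAME="Action">cleaned by deleting</COLUMN>
      <COLUMN NAME="Information">Event occurred on a new file created by the application: C:\Users\Aeit\Downloads\Programs\Akatori.exe (705F624417E9FD4DEF290A33998E6DD82F68CCAB).</COLUMN>
      <COLUMN NAME="Hash">42BEC56C088D24281B3C3BD015D4CC28B93920B5</COLUMN>
      <COLUMN NAME="First seen here">11/27/2021 7:40:07 PM</COLUMN>
    </RECORD>
  </LOG>
</ESET>
"""

# Record from the "HTTP filter" hit posted in this reply (User masked as in the post).
CSV_SAMPLE = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
11/28/2021 11:14:38 AM;HTTP filter;file;https://pastebin.com/0q0Fk0Ej;Python/PSW.Agent.CD trojan;connection terminated;xxxxxxx;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (03EE8F59FD88B4EE607CA05C3BDE55EF05707F0C).;6554B9F3103151110D513D808C0B32C39193B61A;
"""

# The parent process only appears inside the free-text Information column.
PARENT_RE = re.compile(r"application: (?P<path>.+?) \((?P<sha1>[0-9A-Fa-f]{40})\)")


def _normalize(raw):
    """Map one record's column dict onto a fixed schema and extract the
    process that created or fetched the detected object."""
    match = PARENT_RE.search(raw.get("Information") or "")
    return {
        "time": raw.get("Time") or "",
        "scanner": raw.get("Scanner") or "",
        "object": raw.get("Object") or "",
        "detection": raw.get("Detection") or "",
        "action": raw.get("Action") or "",
        "sha1": (raw.get("Hash") or "").upper(),
        "parent_path": match.group("path") if match else None,
        "parent_sha1": match.group("sha1").upper() if match else None,
    }


def parse_eset_xml(text):
    """Records from the XML export: each <RECORD> holds <COLUMN NAME=...> elements."""
    # Feed bytes so the encoding declaration at the top is honoured.
    root = ET.fromstring(text.strip().encode("utf-8"))
    records = []
    for rec in root.iter("RECORD"):
        raw = {col.get("NAME"): col.text for col in rec.findall("COLUMN")}
        records.append(_normalize(raw))
    return records


def parse_eset_csv(text):
    """Records from the semicolon-separated export (first line is the header)."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [_normalize(row) for row in reader]


def hunt_indicators(records):
    """SHA-1 values worth searching for on other hosts: the detected object
    and the process that created or downloaded it."""
    return {h for r in records for h in (r["sha1"], r["parent_sha1"]) if h}


def unresolved_parents(records):
    """Parent processes that no record in the set shows as detected.  In the
    XML record above ESET deleted python.py, but Akatori.exe, which wrote it,
    is only named, so it still needs a manual look."""
    detected = {r["sha1"] for r in records}
    return sorted({r["parent_path"] for r in records
                   if r["parent_path"] and r["parent_sha1"] not in detected})


if __name__ == "__main__":
    found = parse_eset_xml(XML_SAMPLE) + parse_eset_csv(CSV_SAMPLE)
    for r in found:
        print(f"{r['time']}  {r['detection']}  {r['object']}  <- {r['parent_path']}")
    print("hashes to hunt:", sorted(hunt_indicators(found)))
    print("parents to review:", unresolved_parents(found))
```

The point of `unresolved_parents` is the one a responder would raise about the XML record: the detection covers the dropped script, not the executable that wrote it, so a clean full scan afterwards says nothing about whether that executable is still present or was itself clean.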

Additional mitigation advice:

Quote

What Should You Do?

Tips for affected developers

If, after checking your PyPI dependencies, you have identified that noblesse (or any of its clones) has been locally installed, we suggest:

  1. Checking which passwords were saved in Edge, and changing these compromised passwords in each respective website (plus any websites where these passwords were reused). The check can be performed by opening Edge and navigating to edge://settings/passwords. The full list of saved passwords (which were potentially compromised) can be seen under Saved passwords.
  2. Checking which credit cards were saved in Chrome and consider canceling these credit cards. The check can be performed by opening Chrome and navigating to chrome://settings/payments. The full list of saved credit cards (which were potentially compromised) can be seen under Payment methods.

If you have identified that pytagora (or any of its clones) has been locally installed on your machine, while unlikely that you were infected with malware, we suggest following the usual malware checking steps, such as running a full scan with your installed Anti-Virus software.


https://jfrog.com/blog/malicious-pypi-packages-stealing-credit-cards-injecting-code/

Edited by itman
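JFrog's advice starts with "checking your PyPI dependencies". The following is an added example for this thread, not JFrog's or ESET's code, of how to do that check for a running interpreter or a requirements file. It compares package names against a denylist after PEP 503 name normalisation (the form pip and PyPI use), so that differences in case or in "-", "_" and "." separators do not hide a match; it also shows the limit of that normalisation. KNOWN_BAD holds only the names this thread mentions (noblesse, pytagora, aryi, suffer); the clones JFrog refers to are not listed on this page, so the set must be extended from the published report. The requirements text is a constructed sample.

```python
"""Check installed packages or a requirements file against a denylist of
known-malicious PyPI names.

Added example for this thread; not JFrog's or ESET's tooling.  KNOWN_BAD holds
only the names mentioned in the thread; extend it from the published report."""
import re
from importlib import metadata

KNOWN_BAD = {"noblesse", "pytagora", "aryi", "suffer"}

# PEP 508 project name: letters/digits, with '.', '_' or '-' allowed inside.
REQ_NAME_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")

# Constructed sample requirements file exercising the cases the parser handles.
REQ_SAMPLE = """# constructed sample, not a real project
requests>=2.25
Noblesse==1.0        # case differs from the published name; still a hit
py.tagora            # NOT a hit: PEP 503 keeps the separator (py-tagora)
git+https://example.invalid/repo.git#egg=thing
--index-url https://example.invalid/simple
suffer[extra] ; python_version < "3.10"
"""


def normalize(name):
    """PEP 503 normalisation used by pip and PyPI: lower-case, and any run of
    '-', '_' or '.' becomes a single '-'.  'Foo_Bar.baz' -> 'foo-bar-baz'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_names(text):
    """Project names from a requirements file.  Comments, pip options and
    URL/VCS requirements are skipped; version specifiers, extras and
    environment markers are cut off by the name regex."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-") or "://" in line:
            continue
        match = REQ_NAME_RE.match(line)
        if match:
            names.append(match.group(1))
    return names


def installed_names():
    """Names of the distributions visible to the running interpreter."""
    names = []
    for dist in metadata.distributions():
        try:
            name = dist.metadata.get("Name")
        except Exception:      # a broken *.dist-info directory; skip it
            continue
        if name:
            names.append(name)
    return names


def flagged(names, denylist=KNOWN_BAD):
    """Entries of `names` that match the denylist after normalisation."""
    bad = {normalize(n) for n in denylist}
    return sorted({n for n in names if normalize(n) in bad})


if __name__ == "__main__":
    print("requirements sample:", flagged(requirement_names(REQ_SAMPLE)))
    print("this interpreter:", flagged(installed_names()) or "nothing flagged")
```

Note the `py.tagora` line: normalisation makes `Noblesse` and `noblesse` the same name, but it does not make `py.tagora` equal to `pytagora`, so a denylist of exact names only catches the names on it. Look-alike names still have to come from the published list of clones.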

I'm not using Chrome, and my browser doesn't have that option to save cards.
I'm also not saving passwords in the browser; I have a paid app for that, but sadly every browser has synced passwords.

As far as I understand, it was able to steal tokens directly from Discord, as it also acts as a browser - at least to my knowledge.
It doesn't even install - it just unpacks in AppData\Local\Discord\app-1.0.9003.
You don't have to download it; logging in through the site redirects you to the app as well. It works like a PWA in my opinion.
The sad story about this is that it stores way too much information.
It wasn't just the active session token. They somehow managed to hack a second account that was previously logged in.
Because I don't have access to that second credit card.
It's the only valid reasoning.


1 hour ago, Aeit said:

It doesn't even install - it just unpacks in AppData\Local\Discord\app-1.0.9003.
You don't have to download it; logging in through the site redirects you to the app as well.

This article: https://blog.checkpoint.com/2021/10/21/using-discord-infrastructure-for-malicious-intent/ gets into how you can be infected with Discord based malware w/o having Discord installed.

Examples:

Quote

We discovered that the Discord Bot API, a simple Python implementation which eases modifications and shortens the development process, can easily turn the bot into a simple Remote Access Trojan (RAT – Tool used by malware developers to gain full access and remote control on a user’s system).

The bot uses the “Discord” Python module, which does not require the Discord app to be installed on a victim’s machine. The module then supplies the relevant API token to listen to incoming messages on a pre-defined Discord server.

Apart from the fact that Discord based malware doesn’t require Discord to be running or even installed on the victim’s machine, it can easily be compiled into an executable file (.exe). The malware can then run independently on any Windows machine – using Discord or Python makes no difference.

Such malware can be disguised as a legitimate program, which, once opened, infects the victim’s machine and provides the attacker with remote control access.

Edited by itman
