# Full Report
Cryptocurrency enthusiasts have been the target of another sophisticated and invasive malware campaign. This campaign was orchestrated through multiple attack vectors, including a malicious Python package named “cryptoaitools” on PyPI and deceptive GitHub repositories. This multi-stage malware, masquerading as a suite of cryptocurrency trading tools, aims to steal a wide range of sensitive data and drain victims’ crypto wallets.

## Key Findings

- A malicious package “cryptoaitools” was uploaded to PyPI, impersonating legitimate cryptocurrency trading tools, complete with a seemingly functional trading bot implementation.
- The malware activated automatically upon installation, targeting both Windows and macOS operating systems.
- The attacker also distributed the malware through GitHub repositories, expanding the attack surface.
- A deceptive graphical user interface (GUI) was used to distract victims while the malware performed its malicious activities in the background.
- The malware employed a multi-stage infection process, utilizing a fake website that appeared legitimate to host and deliver second-stage payloads.
- The malware displayed extensive data theft capabilities focused on cryptocurrency-related information, including wallet data, browser data, and sensitive system files.

## Attack Flow

### Initial Infection Vector

The CryptoAITools malware campaign began with the upload of a malicious package named “cryptoaitools” to PyPI. This package contained code for a seemingly legitimate cryptocurrency trading bot, including functions for automated trading on DEXs, price monitoring, and liquidity management. This legitimate-looking code served to disguise the malware’s true nature.

The malware activates automatically upon installation through the package’s `__init__.py` file.
This file imports and executes the `run_base()` function from `base.py`:

[Image: __init__.py file]

The `run_base()` function determines the victim’s operating system and executes the appropriate malware variant.

The malware employs platform-specific helper functions to execute different versions for Windows and macOS systems. While the Windows version (`basec_helper.py`) is less obfuscated, the macOS variant (`base_helper.py`) is more heavily disguised. Despite these differences, both versions perform similar malicious activities, including data theft and cryptocurrency-related operations. These helper functions are responsible for downloading and executing additional malicious payloads, thus initiating subsequent stages of the attack.

### Multi-Stage Infection Process

The CryptoAITools malware employs a sophisticated multi-stage infection process, leveraging a fake website to deliver its secondary payloads.

After the initial infection via the PyPI package, the malware’s second stage begins with the execution of `base_helper.py` (for macOS) or `basec_helper.py` (for Windows). These scripts are responsible for downloading additional malicious components from a deceptive website.

The malware uses a domain that appears legitimate: https://coinsw.app. This domain hosts a convincing appearance of a cryptocurrency trading bot service, complete with fake user reviews, subscriber counts, and detailed descriptions of AI-driven trading features. This elaborate disguise attempts to add credibility if a curious user investigates the domain.

The helper script decodes a base64-encoded URL and a list of filenames, then downloads these files from the fake website. These downloaded files constitute the secondary payloads, expanding the malware’s capabilities.

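As an added example (not code from the report or from the package it describes), a small static check for the two traits just described: a function called as a bare statement in `__init__.py`, which runs the moment the package is imported, and base64 literals that decode to a URL or a filename list. The sample sources are constructed to mimic the description; `example.invalid` is a placeholder host.

```python
import ast
import base64
import re

# Constructed sample sources (not the real package) mimicking the report: an
# __init__.py that calls run_base() at import time, and a helper that hides its
# download URL and filename list behind base64 literals (host is a placeholder).
SAMPLE_INIT = "from .base import run_base\nrun_base()\n"
SAMPLE_HELPER = (
    "import base64\n"
    f"url = base64.b64decode({base64.b64encode(b'https://example.invalid/basec/').decode()!r}).decode()\n"
    f"files = base64.b64decode({base64.b64encode(b'MHTBot.py,main.py').decode()!r}).decode().split(',')\n"
)

B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL_RE = re.compile(r"^https?://")

def import_time_calls(source: str) -> list[str]:
    """Functions called as bare top-level statements, i.e. run on import."""
    tree = ast.parse(source)
    return [ast.unparse(node.value.func) for node in tree.body
            if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call)]

def decoded_strings(source: str) -> list[str]:
    """Printable text hidden behind base64-looking str/bytes literals."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Constant):
            continue
        val = node.value.decode("ascii", "ignore") if isinstance(node.value, bytes) else node.value
        if not isinstance(val, str) or not B64_RE.match(val):
            continue
        try:
            text = base64.b64decode(val, validate=True).decode("utf-8")
        except ValueError:  # bad padding, non-base64 alphabet, or non-UTF-8 payload
            continue
        if text.isprintable():
            found.append(text)
    return found

def scan_package(modules: dict[str, str]) -> list[str]:
    """Findings for a package given a {relative_path: source} mapping."""
    findings = []
    for name, src in modules.items():
        if name.endswith("__init__.py"):
            findings += [f"{name}: calls {c}() at import time" for c in import_time_calls(src)]
        for text in decoded_strings(src):
            kind = "URL" if URL_RE.match(text) else "string"
            findings.append(f"{name}: base64 literal decodes to {kind} {text!r}")
    return findings
```

Run `scan_package` over the files of an unpacked wheel or sdist before installing; a legitimate trading library has no reason to call into network helpers from `__init__.py` or to hide its endpoints behind base64.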
Notable among these is `MHTBot.py`, which is executed immediately after download. (On macOS a different set of files is downloaded, and the `main.py` file is then executed immediately after download.)

This multi-stage approach allows the malware to:

- Maintain a small initial footprint in the PyPI package
- Evade detection during the initial installation
- Flexibly update and expand its capabilities post-infection
- Use a legitimate-looking website as a hosting platform for malicious payloads

### Deceptive GUI

A unique aspect of this attack, compared to many malicious packages we have seen in the past, is that the CryptoAITools malware incorporates a graphical user interface (GUI) as a key component of its social engineering strategy. This GUI appears the moment the second-stage malware is activated and presents itself as an “AI Bot Starter” application. It is designed to distract users and collect sensitive information while the malware operates covertly. The interface’s role is straightforward: it begins by prompting users to create a password “to start using the bot securely.” Once a new password is added, a fake setup process is displayed, featuring a progress bar and loading animations. While users are engaged and focused on this seemingly legitimate interface and its fake setup process, the malware continues its malicious operations in the background, including data theft and system manipulation.

### Data Heist

The CryptoAITools malware conducts an extensive data theft operation, targeting a wide range of sensitive information on the infected system. The primary goal is to gather any data that could aid the attacker in stealing cryptocurrency assets.
The malware’s data collection capabilities are implemented across several modules, each focusing on specific types of data or system areas.

#### Types of Data Targeted

- Cryptocurrency wallet data from various applications (Bitcoin, Ethereum, Exodus, Atomic, Electrum, etc.)
- Browser data: saved passwords, cookies, and browsing history
- Data from a wide range of browser extensions related to cryptocurrency
- Sensitive system files, including SSH keys and configuration files
- Files from user directories (Downloads, Documents, Desktop) containing keywords related to cryptocurrencies, passwords, and financial information
- Telegram application data, including configuration files and message databases
- System terminal history
- Data from Apple Notes and Stickies applications on macOS systems

#### Data Exfiltration Method

The malware’s exfiltration process begins with the collected data stored in a hidden `.temp` directory in the user’s home folder. For each file, the exfiltration script changes the file extension to `.minecraft`. It then uploads the file to gofile.io using their API. Upon successful upload, gofile.io returns a download link, which is then sent to a Telegram bot of the attacker. After transmission, the local copy of the exfiltrated file is deleted. The process also includes error handling to prevent disruptions to the malware’s operation.

## The Attacker

Our continued investigation into this campaign revealed the attacker was employing multiple infection vectors and social engineering tactics. The attack is not limited to the malicious Python package on PyPI, but extends to other platforms and methods:

- PyPI Package: The initial discovery of the malicious “cryptoaitools” package on PyPI.
- GitHub Repository: The attacker also distributes the malware through a GitHub repository named “Meme-Token-Hunter-Bot”.
  This repository contains similar malicious code, potentially infecting users who clone and run the code directly from GitHub.
- Fake Website: The attacker operates a fake website at https://coinsw.app/, which mimics a legitimate cryptocurrency trading bot service.
- Telegram Channel: The website’s “Buy” page leads to a Telegram chat named “Pancakeswap prediction bot”, where the attacker directly engages with potential victims.

In the Telegram chat, the attacker employs various tactics to lure potential victims. They offer “bot support” to establish credibility and trust. To entice users, they promote their GitHub repository as hosting their “most powerful bot,” appealing to those seeking advanced trading tools. The attacker then proposes an attractive offer: a free trial period followed by a monthly subscription model, making the proposition seem both risk-free and professional. To further personalize the experience and maintain ongoing engagement, they offer customized configuration options and continuous support, which creates a facade of a legitimate, customer-focused service.

This multi-platform approach allows the attacker to cast a wide net, potentially reaching victims who might be cautious about one platform but trust another.

Analysis of the GitHub repository interactions suggests that the scope of the attack may be larger than initially thought. Users who have starred or forked the malicious repository could potentially be victims, though further investigation would be needed to confirm this.

## Impact

The CryptoAITools malware campaign has severe consequences for victims and the broader cryptocurrency community. Individuals face immediate financial losses through cryptocurrency theft, along with long-term risks of identity theft and privacy breaches due to extensive data exfiltration.

The true scope of the attack may be larger than initially thought, particularly given the GitHub repository interactions.
Users who starred or forked the malicious “Meme-Token-Hunter-Bot” repository are potential victims, significantly expanding the attack’s reach.

On a larger scale, this attack erodes trust in cryptocurrency tools and platforms, potentially slowing adoption and innovation in the cryptocurrency space.

## Conclusion

This cryptobot malware serves as a potent reminder that the stakes — and the risks — are high in the world of cryptocurrency. As digital assets continue to gain value and popularity, we can expect to see more sophisticated threats targeting this space.

As part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious activities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play, including suspicious entry points, and promptly alert our customers to help protect them from potential threats.

## Packages

- cryptoaitools

Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack was originally published in Checkmarx Zero on Medium.
# Analysis Summary
# Tool/Technique: CryptoAITools Malware Campaign
## Overview
This is a sophisticated, multi-stage malware campaign targeting cryptocurrency enthusiasts. It utilizes a malicious Python package named "cryptoaitools" distributed via PyPI and deceptive GitHub repositories, masquerading as a legitimate suite of cryptocurrency trading tools to steal sensitive data and drain crypto wallets.
## Technical Details
- Type: Malware Family (Cryptobot/Infostealer)
- Platform: Windows, macOS
- Capabilities: Automatic execution upon installation, multi-stage payload delivery, extensive data exfiltration (wallet credentials, browser data, system files), distraction via deceptive GUI.
- First Seen: Not stated in the report; the package was identified through Checkmarx’s ongoing supply chain monitoring.
## MITRE ATT&CK Mapping
* **Execution**
  - T1059.001 - Command and Scripting Interpreter: Python
* **Persistence**
  - T1547.001 - Registry Run Keys / Startup Folder (Inferred, standard for automated execution)
* **Discovery**
  - T1005 - Data from Local System (Targets wallet data, browser data)
* **Collection**
  - T1005 - Data from Local System (Specifically targeting cryptocurrency wallet data)
* **Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (Uses HTTP/HTTPS to download payloads)
## Functionality
### Core Capabilities
- **Initial Access via Supply Chain:** Exploits the open-source supply chain by being uploaded to PyPI as `cryptoaitools`.
- **Automatic Activation:** Executes malicious code immediately upon package installation via the `__init__.py` file initiating the `run_base()` function.
- **Platform-Specific Variants:** Uses platform-specific helper functions (`basec_helper.py` for Windows, `base_helper.py` for macOS) to deploy tailored variants.
- **Data Exfiltration:** Focuses heavily on stealing cryptocurrency wallet data, browser secrets, and sensitive system files.
### Advanced Features
- **Multi-Stage Infection:** Minimizes initial footprint by fetching subsequent, larger payloads (`MHTBot.py` on Windows, `main.py` on macOS) from a controlled, deceptive website.
- **Social Engineering via GUI:** Deploys a distracting Graphical User Interface ("AI Bot Starter") that prompts the user for a password and displays a fake setup process while the actual malware operates covertly in the background.
- **C2 Infrastructure Deception:** Uses a fake, legitimate-looking cryptocurrency trading bot website (`hxxps://coinsw[.]app/`) to host and deliver secondary malicious files, adding credibility to the operation.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: `__init__.py`, `base.py`, `base_helper.py` (macOS), `basec_helper.py` (Windows), `MHTBot.py` (Example secondary payload)
- Registry Keys: [Not provided]
- Network Indicators:
  - Payload Distribution/C2: `hxxps://coinsw[.]app/`
  - Specific C2 Endpoints: `hxxps://coinsw[.]app/basecw/main[.]py`, `hxxps://coinsw[.]app/basecw/upd[.]py`
  - Telemetry/Communication: `hxxps://api[.]telegram[.]org/bot7337910559:AAF3fBlgDrcT9R07QpnqUWQ7_eKmnD_1QMc/sendMessage`
  - External Site Contact: `hxxps://tryenom[.]com/active-addon/nkbihfbeogaeaoehlefnkodbefgpgknn/bulo[.]php?pass=`
- Behavioral Indicators: Automatic execution upon package import, downloading secondary Python scripts, displaying a password creation prompt GUI while background processes run.
## Associated Threat Actors
- The text does not name a specific threat actor group but characterizes the attack as sophisticated and focused on cryptocurrency theft, often associated with financially motivated groups.
## Detection Methods
- Signature-based detection: Signatures for specific package names (`cryptoaitools`).
- Behavioral detection: Monitoring for Python processes automatically executing installation/initialization scripts upon package import, unusual network connections initiated by Python scripts to external C2 servers, and the appearance of a password prompt while background system activity increases.
- YARA rules: Applicable to static analysis of the downloaded secondary payloads for known indicators or string patterns.
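As an added example (not from the report), the behavioral detection above applied to constructed host telemetry: events are correlated per process, and a Python process is flagged only when it shows both the file-staging side (hidden `.temp` directory, `.minecraft` rename, local cleanup) and the network side (gofile.io upload, Telegram callback) of the exfiltration chain described in the Full Report. The event schema (`pid`/`proc`/`type`/`path`/`host`) and the sample events are assumptions made for this example.

```python
from collections import defaultdict

# Constructed host telemetry (not real logs) modelled on the report's chain:
# stage files in ~/.temp, rename to .minecraft, upload to gofile.io, send the
# returned link to a Telegram bot, delete the local copy. Schema is assumed.
SAMPLE_EVENTS = [
    {"pid": 4242, "proc": "python3", "type": "file_write", "path": "/Users/alice/.temp/wallet.dat"},
    {"pid": 4242, "proc": "python3", "type": "file_rename", "path": "/Users/alice/.temp/wallet.dat.minecraft"},
    {"pid": 4242, "proc": "python3", "type": "net_connect", "host": "store1.gofile.io"},
    {"pid": 4242, "proc": "python3", "type": "net_connect", "host": "api.telegram.org"},
    {"pid": 4242, "proc": "python3", "type": "file_delete", "path": "/Users/alice/.temp/wallet.dat.minecraft"},
    {"pid": 5150, "proc": "python3", "type": "net_connect", "host": "pypi.org"},        # benign install
    {"pid": 6000, "proc": "curl", "type": "net_connect", "host": "api.telegram.org"},   # not a Python process
]

FILE_SIGNALS = {"hidden_temp_dir", "minecraft_extension", "local_cleanup"}
NET_SIGNALS = {"gofile_upload", "telegram_bot_callback"}

def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself or any of its subdomains (not look-alikes)."""
    return host == domain or host.endswith("." + domain)

def signals_for(event: dict) -> set[str]:
    """Map one event to the exfiltration-chain signals it exhibits."""
    hits, path, host = set(), event.get("path", ""), event.get("host", "")
    if "/.temp/" in path:
        hits.add("hidden_temp_dir")
        if event["type"] == "file_delete":
            hits.add("local_cleanup")
    if path.endswith(".minecraft"):
        hits.add("minecraft_extension")
    if host_matches(host, "gofile.io"):
        hits.add("gofile_upload")
    if host_matches(host, "api.telegram.org"):
        hits.add("telegram_bot_callback")
    return hits

def detect_exfil_chains(events: list[dict], min_signals: int = 3) -> dict[int, list[str]]:
    """Correlate per process; flag Python processes that show both the file
    staging side and the network side of the chain. Returns {pid: signals}."""
    by_pid, proc = defaultdict(set), {}
    for ev in events:
        by_pid[ev["pid"]] |= signals_for(ev)
        proc[ev["pid"]] = ev["proc"]
    flagged = {}
    for pid, hits in by_pid.items():
        if (proc[pid].startswith("python") and hits & FILE_SIGNALS
                and hits & NET_SIGNALS and len(hits) >= min_signals):
            flagged[pid] = sorted(hits)
    return flagged
```

Requiring signals from both sides keeps a lone `pip install` (network only) or an ordinary temp-file write (file only) from firing; the `.minecraft` extension and gofile.io upload are the campaign-specific parts and are the ones worth tuning as the actor changes infrastructure.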
## Mitigation Strategies
- Prevention measures: Strict dependency review when installing packages from PyPI, utilizing security tools to scan dependencies for malicious code/behavior before installation.
- Hardening recommendations: Limiting execution privileges for unfamiliar scripts, monitoring system file and browser data access attempts by Python interpreters post-installation.
## Related Tools/Techniques
- Other known malicious PyPI packages used for supply chain attacks.
- Cryptojacking or Credential Stealer malware targeting crypto wallets.
- GitHub repository cloning used as an alternative delivery vector for malware.