Full Report
Cybersecurity researchers have uncovered malicious packages uploaded to the Python Package Index (PyPI) repository that act as checker tools to validate stolen email addresses against TikTok and Instagram APIs. All three packages are no longer available on PyPI. The names of the Python packages are:

- checker-SaGaF (2,605 downloads)
- steinlurks (1,049 downloads)
- sinnercore (3,300 downloads)
Analysis Summary
This summary is based on the provided article detailing several malicious packages discovered on PyPI and npm.
# Tool/Technique: checker-SaGaF (PyPI Package)
## Overview
A malicious Python package uploaded to PyPI designed to validate if a given email address is associated with active TikTok and Instagram accounts by querying their respective APIs.
## Technical Details
- Type: Malware (Information gathering tool)
- Platform: Python (intended for use in Python environments)
- Capabilities: Checks email validity against TikTok password recovery API and Instagram login endpoints.
- First Seen: Recent discovery reported by Socket researchers.
## MITRE ATT&CK Mapping
- TA0007 - Credential Access
- T1589.001 - Gather Victim Identity Information: Email Addresses (Indirectly, by validating pre-existing lists)
- TA0011 - Collection
- T1119 - Data from Local System (By obtaining lists of valid emails to target later)
## Functionality
### Core Capabilities
- Sends HTTP POST requests to TikTok's password recovery API.
- Sends HTTP POST requests to Instagram's account login endpoints.
- Determines if an account exists corresponding to the input email address.
### Advanced Features
- Provides threat actors with validated user lists, useful for social engineering, targeted spam, or credential stuffing against known active accounts.
## Indicators of Compromise
- File Hashes: N/A (Package removed)
- File Names: checker-SaGaF
- Registry Keys: N/A
- Network Indicators: Utilizes TikTok and Instagram API endpoints.
- Behavioral Indicators: Execution results in HTTP POST requests to proprietary vendor APIs for account lookup.
## Associated Threat Actors
- Unknown threat actors utilizing supply chain compromise via PyPI.
## Detection Methods
- Monitoring dependency installation (e.g., `pip install`) for suspicious package names.
- Network monitoring for unusual HTTP requests to TikTok/Instagram recovery endpoints originating from unexpected processes.
## Mitigation Strategies
- Strict dependency management and vetting for all third-party packages.
- Implementing controls that restrict processes from making direct requests to sensitive external APIs unless explicitly required and authorized.
## Related Tools/Techniques
- steinlurks, sinnercore (Other packages identified in the same campaign for similar validation purposes).
***
# Tool/Technique: steinlurks (PyPI Package)
## Overview
A malicious Python package on PyPI similar to `checker-SaGaF`, specifically targeting Instagram account validation using forged HTTP POST requests designed to mimic those from the official Android application.
## Technical Details
- Type: Malware (Information gathering tool)
- Platform: Python
- Capabilities: Verifies Instagram account presence via various API endpoints, mimicking mobile app traffic.
- First Seen: Recent discovery.
## MITRE ATT&CK Mapping
- TA0007 - Credential Access
- T1589.001 - Gather Victim Identity Information: Email Addresses
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (If validated lists are exfiltrated)
## Functionality
### Core Capabilities
- Sends forged HTTP POST requests to evade detection.
- Targets Instagram API endpoints:
  - `i.instagram[.]com/api/v1/users/lookup/`
  - `i.instagram[.]com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/`
  - `i.instagram[.]com/api/v1/accounts/send_recovery_flow_email/`
  - `www.instagram[.]com/api/v1/web/accounts/check_email/`
### Advanced Features
- Attempts to evade network detection by using signatures/patterns associated with the Instagram Android app traffic.
## Indicators of Compromise
- File Hashes: N/A (Package removed)
- File Names: steinlurks
- Registry Keys: N/A
- Network Indicators: Targeted domains include `i.instagram[.]com` and `www.instagram[.]com`.
- Behavioral Indicators: HTTP traffic matching Instagram's internal API structure.
## Associated Threat Actors
- Unknown threat actors utilizing supply chain compromise via PyPI.
## Detection Methods
- Network traffic analysis for requests to Instagram API v1 endpoints originating from non-mobile application processes.
- YARA/Signature detection against known strings or patterns used in the HTTP requests.
## Mitigation Strategies
- Implementing WAF/API gateway rules to flag traffic that spoofs mobile client headers/signatures if originating from server environments.
- Strict source code review for packages requesting network access.
## Related Tools/Techniques
- checker-SaGaF, sinnercore.
***
# Tool/Technique: sinnercore (PyPI Package)
## Overview
A multifaceted malicious Python package on PyPI that validates Instagram accounts (via password reset triggers) and also includes functionality for harvesting Telegram user data and querying cryptocurrency market prices. It also targets PyPI programmers for reconnaissance.
## Technical Details
- Type: Malware (Multi-functional tool)
- Platform: Python; interacts with external services including Instagram, Telegram, Binance, and PyPI.
- Capabilities: Instagram account validation, Telegram scraping, crypto price fetching, PyPI package information harvesting.
- First Seen: Recent discovery.
## MITRE ATT&CK Mapping
- TA0007 - Credential Access
- T1598.003 - Spearphishing Link (By validating targets for future attacks)
- TA0006 - Credential Access
- T1003.001 - OS Credential Dumping (If Telegram/PyPI process memory is targeted later)
- TA0011 - Collection
- T1119 - Data from Local System (Harvesting PyPI package metadata)
## Functionality
### Core Capabilities
- **Instagram Validation:** Triggers the "forgot password" flow against `b.i.instagram[.]com/api/v1/accounts/send_password_reset/` using a target username.
- **Telegram Scraping:** Extracts name, user ID, bio, and premium status.
- **Crypto Utilities:** Fetches real-time Binance prices or performs currency conversions.
- **PyPI Reconnaissance:** Fetches detailed information on any PyPI package.
### Advanced Features
- PyPI package harvesting suggests the actor may use this feature to build fake developer profiles or identify potential targets within the Python development community.
## Indicators of Compromise
- File Hashes: N/A (Package removed)
- File Names: sinnercore
- Registry Keys: N/A
- Network Indicators: Targets `b.i.instagram[.]com` endpoints, Telegram infrastructure (implied), and potentially Binance APIs.
- Behavioral Indicators: Attempts to initiate password reset flows and performs external requests based on username/crypto inputs.
## Associated Threat Actors
- Unknown threat actors utilizing supply chain compromise via PyPI.
## Detection Methods
- Monitoring outbound traffic to known Instagram API regions utilizing password reset parameters.
- Monitoring for unusual requests targeting Telegram or Binance data.
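The detection bullets for checker-SaGaF, steinlurks and sinnercore all reduce to the same check: a POST to one of the recovery or lookup endpoints named in this report, issued by a process that has no business making it. The script below is an added example, not code from Socket's report or from any of the packages. It runs over constructed JSON-lines egress records of the kind a hypothetical host proxy agent might emit (the field names `process`, `method`, `host` and `path` are assumptions), matches the Instagram endpoints listed above, and uses a keyword heuristic for TikTok because the report does not spell out that endpoint's path (also an assumption).

```python
import json
import re
from typing import List, Optional, Tuple

# Instagram endpoints named in this report, kept defanged as written there.
WATCHED_ENDPOINTS = [
    "i.instagram[.]com/api/v1/users/lookup/",
    "i.instagram[.]com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/",
    "i.instagram[.]com/api/v1/accounts/send_recovery_flow_email/",
    "www.instagram[.]com/api/v1/web/accounts/check_email/",
    "b.i.instagram[.]com/api/v1/accounts/send_password_reset/",
]

# The report does not give the TikTok recovery path, so a host match plus a
# keyword heuristic on the path is used here (assumption).
TIKTOK_HOST_RE = re.compile(r"(^|\.)tiktok\.com$", re.IGNORECASE)
TIKTOK_RECOVERY_RE = re.compile(r"(password|recover|forgot)", re.IGNORECASE)

# Client processes from which this traffic is plausible on a workstation;
# a Python interpreter or an unknown binary hitting these paths is not.
EXPECTED_CLIENTS = {"chrome", "firefox", "safari", "msedge"}


def refang(indicator: str) -> str:
    """Turn the defanged form used in the report into a matchable string."""
    return indicator.replace("[.]", ".")


def classify(record: dict) -> Optional[str]:
    """Return a finding label for one egress record, or None if it is benign."""
    host = record.get("host", "").lower()
    path = record.get("path", "")
    proc = record.get("process", "").lower()
    if proc in EXPECTED_CLIENTS:
        return None
    url = host + path
    for endpoint in WATCHED_ENDPOINTS:
        if url.startswith(refang(endpoint)):
            return f"instagram-account-lookup:{proc}"
    if (record.get("method") == "POST"
            and TIKTOK_HOST_RE.search(host)
            and TIKTOK_RECOVERY_RE.search(path)):
        return f"tiktok-recovery-probe:{proc}"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Parse JSON-lines egress records and return (line_no, label, url) findings."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed agent output is skipped, not fatal
        label = classify(record)
        if label is not None:
            url = record.get("host", "") + record.get("path", "")
            findings.append((line_no, label, url))
    return findings


# Constructed sample records (not real telemetry); the TikTok path is a placeholder.
SAMPLE_LOG = [
    '{"process": "python3", "method": "POST", "host": "i.instagram.com", "path": "/api/v1/users/lookup/"}',
    '{"process": "chrome", "method": "POST", "host": "www.instagram.com", "path": "/api/v1/web/accounts/check_email/"}',
    '{"process": "python3", "method": "POST", "host": "b.i.instagram.com", "path": "/api/v1/accounts/send_password_reset/"}',
    '{"process": "python3", "method": "POST", "host": "api.tiktok.com", "path": "/constructed/password/recover"}',
    '{"process": "python3", "method": "GET", "host": "pypi.org", "path": "/pypi/requests/json"}',
    'not json at all',
]

if __name__ == "__main__":
    for line_no, label, url in scan(SAMPLE_LOG):
        print(f"line {line_no}: {label} -> {url}")
```

The browser request on line 2 is deliberately left alone: a user on a workstation legitimately hits `check_email/` when signing up, so the signal is the combination of endpoint and originating process, not the endpoint by itself. On a build server or CI runner, where no browser is expected, `EXPECTED_CLIENTS` can be emptied so that every hit is reported.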
## Mitigation Strategies
- Disabling or strictly limiting execution of unknown dependencies.
- Utilizing least privilege to prevent Python scripts from easily scraping sensitive system/user data they do not require.
## Related Tools/Techniques
- checker-SaGaF, steinlurks.
***
# Tool/Technique: dbgpkg (PyPI Package)
## Overview
A malicious PyPI package masquerading as a debugging utility. It implants a backdoor on the developer's system to facilitate remote code execution and data exfiltration. It shares a payload structure with the previously flagged `discordpydebug` package.
## Technical Details
- Type: Malware (Backdoor/Implant)
- Platform: Python environment (Developer workstation)
- Capabilities: Code execution, data exfiltration, persistence mechanism via a backdoor.
- First Seen: Prior to recent disclosure; associated with activity potentially dating back to early 2022.
## MITRE ATT&CK Mapping
- TA0003 - Persistence
- T1547.001 - Registry Run Keys / Startup Folder (Implied persistence mechanism)
- TA0011 - Collection
- T1005 - Data from Local System (Data exfiltration)
- TA0003 - Execution
- T1059.006 - Command and Scripting Interpreter: Python
## Functionality
### Core Capabilities
- Implanting a backdoor upon installation/execution.
- Establishing remote access/control.
- Exfiltrating data from the compromised system.
### Advanced Features
- Uses a specific backdoor technique involving **GSocket**, which bears similarity to malware used by the Phoenix Hyena group.
- Employs **function wrapping** to obfuscate malicious routines and hide execution flow, indicating a sophisticated actor aiming for low detection rates and long-term presence.
## Indicators of Compromise
- File Hashes: N/A (Package removed)
- File Names: dbgpkg
- Registry Keys: N/A
- Network Indicators: C2 communication channel established by the backdoor (specific C2 unknown from overview).
- Behavioral Indicators: Unusual process injection or execution patterns, especially related to file system access and outbound network connections post-installation.
## Associated Threat Actors
- Potentially linked to **Phoenix Hyena** (DumpForums/Silent Crow) due to payload similarities, though attribution is tentative ("copycat" is also suggested).
## Detection Methods
- Signature detection for the specific GSocket/backdoor payload structure shared with `discordpydebug`.
- Heuristic/Behavioral detection for function wrapping techniques designed to bypass standard analysis.
## Mitigation Strategies
- Implementing strict security policies to prevent execution environment contamination (e.g., using isolated build environments).
- Application control solutions to prevent unknown or unsigned executables/scripts from making outbound connections or writing persistence mechanisms.
## Related Tools/Techniques
- GSocket backdoor technique (resembles Phoenix Hyena implants).
- discordpydebug (shares the same payload).
***
# Tool/Technique: requestsdev (PyPI Package)
## Overview
A third malicious PyPI package reported alongside `dbgpkg`, believed to be part of the same sophisticated campaign. It also utilizes a backdoor technique resembling that of the Phoenix Hyena group.
## Technical Details
- Type: Malware (Backdoor/Implant)
- Platform: Python environment
- Capabilities: Backdoor implantation using GSocket resemblance, data exfiltration.
- First Seen: Prior to recent disclosure.
## MITRE ATT&CK Mapping
- TA0003 - Persistence
- TA0011 - Collection
- TA0004 - Privilege Escalation (Potentially, depending on payload execution context)
## Functionality
### Core Capabilities
- Deploying a backdoor using the GSocket technique.
- Focused on establishing long-term presence and data harvesting.
### Advanced Features
- The use of function wrapping and the specific GSocket architecture suggests the actor is highly careful to avoid detection and maintain persistence.
## Indicators of Compromise
- File Hashes: N/A (Package removed)
- File Names: requestsdev
- Registry Keys: N/A
- Network Indicators: C2 communication (implied).
- Behavioral Indicators: Use of function wrapping at the code level.
## Associated Threat Actors
- Potentially linked to **Phoenix Hyena** or a sophisticated copycat.
## Detection Methods
- Detection focuses on the unusual implementation of the GSocket backdoor payload, especially in processes executing newly installed Python modules.
## Mitigation Strategies
- Auditing third-party package installations for signs of complex code obfuscation or dependency confusion techniques.
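The "function wrapping" noted for both `dbgpkg` and `requestsdev` is, at the source level, a package rebinding a trusted function (for example `subprocess.Popen` or `builtins.open`) to its own callable while keeping the original around so callers notice nothing. The script below is an added example that audits installed source for exactly that pattern; it is not code from the report or from either package, and the two sample sources it scans are constructed (`record_call` and `_hooked_open` are hypothetical names that are parsed but never executed).

```python
import ast
import textwrap
from typing import List, Set, Tuple


class WrapFinder(ast.NodeVisitor):
    """Collect places where scanned code rebinds an imported module's attribute."""

    def __init__(self) -> None:
        self.imported: Set[str] = set()                 # names bound by import statements
        self.captured: Set[Tuple[str, str]] = set()     # (module, attr) saved before rebinding
        self.findings: List[Tuple[int, str]] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            self.imported.add((alias.asname or alias.name).split(".")[0])

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        for alias in node.names:
            self.imported.add(alias.asname or alias.name)

    def _is_imported_attr(self, node: ast.AST) -> bool:
        return (isinstance(node, ast.Attribute)
                and isinstance(node.value, ast.Name)
                and node.value.id in self.imported)

    def _record(self, lineno: int, key: Tuple[str, str]) -> None:
        # "wrapped" when the original was captured first, i.e. the replacement
        # can still call through to it and stay invisible to callers.
        kind = "wrapped" if key in self.captured else "replaced"
        self.findings.append((lineno, f"{key[0]}.{key[1]} {kind}"))

    def visit_Assign(self, node: ast.Assign) -> None:
        # Any read of an imported attribute on the right-hand side counts as
        # capturing the original (`_orig = subprocess.Popen`, or an inline
        # `subprocess.Popen = hook(subprocess.Popen)`).
        for sub in ast.walk(node.value):
            if self._is_imported_attr(sub):
                self.captured.add((sub.value.id, sub.attr))
        for target in node.targets:
            if self._is_imported_attr(target):
                self._record(node.lineno, (target.value.id, target.attr))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        # `setattr(builtins, "open", hook)` is the same rebinding done dynamically.
        if (isinstance(node.func, ast.Name) and node.func.id == "setattr"
                and len(node.args) >= 2
                and isinstance(node.args[0], ast.Name)
                and node.args[0].id in self.imported
                and isinstance(node.args[1], ast.Constant)
                and isinstance(node.args[1].value, str)):
            self._record(node.lineno, (node.args[0].id, node.args[1].value))
        self.generic_visit(node)


def find_function_wrapping(source: str) -> List[Tuple[int, str]]:
    """Return (line, description) for each rebinding of an imported module's attribute."""
    finder = WrapFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample sources (not code from dbgpkg or requestsdev).
BENIGN_SOURCE = textwrap.dedent("""
    import subprocess

    def run_tests():
        return subprocess.run(["pytest"], check=False).returncode
""")

SUSPICIOUS_SOURCE = textwrap.dedent("""
    import subprocess, builtins

    _orig_popen = subprocess.Popen

    def _hooked_popen(*args, **kwargs):
        record_call(args)                  # hypothetical side routine, not defined here
        return _orig_popen(*args, **kwargs)

    subprocess.Popen = _hooked_popen       # callers still get a working Popen
    setattr(builtins, "open", _hooked_open)  # hypothetical replacement, not defined here
""")

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_SOURCE), ("suspicious", SUSPICIOUS_SOURCE)):
        print(name, find_function_wrapping(src))
```

Run over every `.py` file a package unpacks into `site-packages`, this gives an audit list rather than a verdict: legitimate libraries also monkey-patch (test fixtures, compatibility shims), so a "wrapped" hit on `subprocess`, `builtins`, `socket` or `ssl` inside a package that advertises itself as a debugging helper is what merits a manual look.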
## Related Tools/Techniques
- dbgpkg, Phoenix Hyena implants.
***
# Tool/Technique: koishi-plugin-pinhaofa (npm Package)
## Overview
A malicious npm package marketed as a spelling/autocorrect helper for Koishi, a chatbot framework. It functions as a data-exfiltration backdoor that scans all chat messages for specific hexadecimal strings and forwards the entire message content to a hard-coded QQ account.
## Technical Details
- Type: Malware (Data Exfiltration Plugin)
- Platform: Node.js / Koishi Chatbot framework
- Capabilities: Intercepts and exfiltrates full chat messages containing specific 8-character hexadecimal strings.
- First Seen: Recent discovery.
## MITRE ATT&CK Mapping
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (Exfiltration via hardcoded QQ account)
- TA0011 - Collection
- T1005 - Data from Local System (Collecting message content passing through the bot)
## Functionality
### Core Capabilities
- Scans every message processed by the Koishi framework for an 8-character hexadecimal string.
- If found, forwards the *entire* message content to a hard-coded QQ account.
### Advanced Features
- Harvested data can include secrets, embedded credentials, API tokens (such as truncated JWTs or Git hashes), URLs, or IDs, since these often appear as 8-character hex values.
## Indicators of Compromise
- File Hashes: N/A (Package removed)
- File Names: koishi-plugin-pinhaofa
- Registry Keys: N/A
- Network Indicators: Communications targeted toward a specific QQ account ID.
- Behavioral Indicators: High volume of encrypted/sensitive data being sent to external chat service endpoints.
## Associated Threat Actors
- Unknown threat actors utilizing supply chain compromise via npm targeting chatbot infrastructure.
## Detection Methods
- Monitoring outbound connections from Koishi processes to external chat infrastructure endpoints.
- Code analysis of Koishi plugins looking for message manipulation and external sending capabilities.
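The code-analysis bullet above can be made concrete with a small triage script that looks for the three things this plugin combined: a regex for 8-character hex strings, a hook on every message, and an outbound send to a hard-coded numeric account. The script below is an added example, not code from the report or from the package; the Koishi method names `sendPrivateMessage` and `sendMessage` and the `ctx.middleware` / `ctx.on('message')` hook forms are the author's understanding of the framework API (an assumption), and both plugin sources it scans are constructed fixtures (the suspicious one is deliberately not wired together and uses a placeholder account ID).

```python
import re
from typing import Dict, List

# Source-level patterns. Koishi API names are an assumption, see the lead-in.
CHECKS = {
    "hex8_regex": re.compile(r"\[0-9a-f(?:A-F)?\]\{8\}"),
    "hardcoded_target_send": re.compile(
        r"\b(?:sendPrivateMessage|sendMessage)\s*\(\s*['\"]\d{5,}['\"]"),
    "all_message_hook": re.compile(
        r"ctx\.middleware\s*\(|ctx\.on\s*\(\s*['\"]message['\"]"),
}
REQUIRED_FOR_HIGH = {"hex8_regex", "hardcoded_target_send", "all_message_hook"}


def triage(source: str) -> Dict[str, object]:
    """Return a verdict and the line numbers on which each pattern occurs."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in CHECKS.items():
        lines = [i for i, line in enumerate(source.splitlines(), start=1)
                 if pattern.search(line)]
        if lines:
            hits[name] = lines
    if REQUIRED_FOR_HIGH.issubset(hits):
        verdict = "high"       # scans every message and forwards to a fixed account
    elif "hardcoded_target_send" in hits:
        verdict = "medium"     # sends to a fixed account for some other reason
    else:
        verdict = "low"
    return {"verdict": verdict, "hits": hits}


# Constructed fixture: a plausible autocorrect plugin that only replies in place.
BENIGN_PLUGIN = r"""
const FIXES = { teh: 'the', recieve: 'receive' }
export function apply(ctx) {
  ctx.middleware((session, next) => {
    const fixed = session.content.replace(/\b(teh|recieve)\b/g, w => FIXES[w])
    if (fixed !== session.content) return session.send(fixed)
    return next()
  })
}
"""

# Constructed fixture carrying the three indicators; not a working plugin,
# the pieces are intentionally left unconnected and the account ID is a placeholder.
SUSPICIOUS_PLUGIN = r"""
const HEX = /[0-9a-f]{8}/i
export function apply(ctx) {
  ctx.middleware((session, next) => {
    // ... message handling abbreviated in this constructed sample ...
    return next()
  })
}
function forward(bot, text) {
  return bot.sendPrivateMessage('1234567890', text)   // placeholder account ID
}
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_PLUGIN), ("suspicious", SUSPICIOUS_PLUGIN)):
        print(name, triage(src))
```

The benign autocorrect plugin also registers a middleware, so the hook alone is not a signal; an autocorrect helper needs to read every message. What separates it is that it only ever answers the session it is handling (`session.send`), never a fixed third-party account, which is why the verdict keys on the send target rather than on message access.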
## Mitigation Strategies
- Never install framework plugins without thorough review, especially those promising core functionality such as "autocorrect", which by design requires broad access to message content.
- Principle of Least Privilege for runtime execution profiles of chatbot servers.
## Related Tools/Techniques
- Similar to other supply chain attacks targeting framework ecosystem extensions.