• Cyber Syrup
  • Posts
  • New Malicious Python Package Targeting Cryptocurrency Users

New Malicious Python Package Targeting Cryptocurrency Users

Cybersecurity researchers have recently uncovered a malicious Python package, CryptoAITools, that poses as a cryptocurrency trading tool

October 31, 2024

In partnership with

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Learn AI in 5 Minutes a Day

AI Tool Report is one of the fastest-growing and most respected newsletters in the world, with over 550,000 readers from companies like OpenAI, Nvidia, Meta, Microsoft, and more.

Our research team spends hundreds of hours a week summarizing the latest news, and finding you the best opportunities to save time and earn more using AI.

New Malicious Python Package Targeting Cryptocurrency Users

Cybersecurity researchers have recently uncovered a malicious Python package, CryptoAITools, that poses as a cryptocurrency trading tool. However, this package has a hidden purpose: to steal sensitive data and drain funds from victims' crypto wallets. The package has been distributed through the Python Package Index (PyPI) and GitHub, with over 1,300 downloads before it was removed from PyPI.

Below, we break down who is at risk, how to protect yourself, and what to know about the tactics used in this attack.

Understanding the Threat: How CryptoAITools Works

The CryptoAITools malware activates immediately after installation, executing a multi-stage infection process tailored for both Windows and macOS systems. By exploiting the __init__.py file, the malware determines the target system’s OS and downloads specific payloads, which are then executed to harvest sensitive data.

One notable technique used in this attack is the incorporation of a graphical user interface (GUI), intended to mislead victims. While the GUI presents a fake setup process, the malware runs silently in the background, stealing valuable data.

Multi-Stage Payload Delivery

The malware payloads are downloaded from a website disguised as a legitimate cryptocurrency trading bot service at coinsw[.]app. This fake website is designed to lend credibility, deceiving developers who might visit it directly. By hosting payloads on this fake site, the threat actor can easily expand the malware’s capabilities by updating the payloads as needed, making this a flexible and evolving threat.

Who Is at Risk?

Cryptocurrency users, especially those who frequently use Python packages and GitHub repositories for trading tools, are the primary targets. In particular, individuals with the following profiles should be cautious:

  1. Cryptocurrency Traders and Investors – Users who regularly interact with crypto wallets (e.g., Bitcoin, Ethereum, Exodus, Atomic, Electrum) and extensions are at high risk, as these assets are directly targeted by the malware.

  2. Developers and Researchers – Individuals who use Python packages for crypto-related functions or clone repositories from GitHub could be inadvertently installing malicious software.

  3. MacOS Users – In addition to Windows, macOS users are specifically targeted with data theft from Apple Notes and Stickies, which often contain private information.

This malware casts a wide net, especially through its availability on multiple trusted platforms (PyPI and GitHub). The tactic of employing a Telegram channel to promote the GitHub repository further increases its reach and potential to deceive cautious users.

How to Protect Yourself

Given the sophistication of this campaign, it's crucial for users to take specific steps to protect their assets and sensitive data:

  1. Verify Package Authenticity – Only download Python packages from trusted sources, and double-check that any crypto-related tool has a good reputation. Check the developer's background and reviews before downloading.

  2. Beware of Fake GUIs – Malicious software often includes a fake interface to deceive users. If a tool appears suspicious or unusual, stop installation and investigate further.

  3. Secure Your Cryptocurrency Wallets – Use strong passwords and multi-factor authentication on wallets and exchanges. Avoid storing sensitive keys or information in easily accessible files, such as Notes or Stickies on macOS.

  4. Monitor and Update Security Tools – Ensure your antivirus and anti-malware software are up-to-date to detect emerging threats like CryptoAITools. Use tools that can scan Python packages and GitHub repositories for potentially harmful code.

  5. Regularly Review Your GitHub Activities – If you starred or forked the Meme Token Hunter Bot or similar repositories, remove these and monitor for unusual activity.

  6. Stay Informed – Follow cybersecurity news related to crypto scams, as attackers constantly update their tactics.

Additional Concerns: Multi-Platform and Social Media Exploits

This campaign highlights a broader trend of threat actors exploiting multi-platform strategies. By distributing malware through both PyPI and GitHub, and marketing it on Telegram, attackers increase their chances of reaching users on various platforms. In addition to the malicious GitHub repository, they have also been seen advertising subscription services and “technical support” via Telegram, creating a false sense of legitimacy.

Conclusion

The CryptoAITools malware campaign serves as a stark reminder of the growing risks in the cryptocurrency space. Through sophisticated techniques such as fake GUIs and multi-stage payloads, attackers can lure in unsuspecting users and gain access to highly sensitive information. By taking precautionary measures, remaining vigilant, and scrutinizing new tools before installation, cryptocurrency users and developers can better protect themselves against emerging threats.