Cybercriminal Posed as 'Helpful' Stack Overflow User To Recommend Malware Hosted on PyPi

An anonytmous reader shared a recent report from BleepingComputer:Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware - answering users' questions by promoting a malicious PyPi package that installs Windows information-stealing malware... "We further noticed that a StackOverflow account 'EstAYA G' [was] exploiting the platform's community members seeking debugging help [1, 2, 3] by directing them to install this malicious package as a 'solution' to their issue even though the 'solution' is unrelated to the questions posted by developers," explained Sonatype researcher Ax Sharma in the Sonatype report. Sonatype's researcher "noticed that line 17 was laden with ...a bit too many whitespaces," according to the report, "in turn hiding code much further to the right which would be easy to miss, unless you notice the scroll bar. The command executes a base64-encoded payload..." And then, reports BleepingComputer...When deobfuscated, this command will download an executable named 'runtime.exe' from a remote site and execute it. This executable is actually a Python program converted into an .exe that acts as an information-stealing malware to harvest cookies, passwords, browser history, credit cards, and other data from web browsers. It also appears to search through documents for specific phrases and, if found, steal the data as well. All of this information is then sent back to the attacker, who can sell it on dark web markets or use it to breach further accounts owned by the victim.

Read more of this story at Slashdot.