Resources Blog Russia-linked 'Lumma' crypto stealer now targets Python devs

Russia-linked 'Lumma' crypto stealer now targets Python devs

Russia-linked 'Lumma' crypto stealer now targets Python devs
5:41

Imagine being a developer who's building the next-gen crypto app by using popular open source components to speed up coding. Instead, you end up including a package in your build that, does accomplish what you are trying to, but additionally steals cryptocurrency on any system that it's installed on. That's 'crytic-compilers' for you.

Sonatype's automated malware detection systems identified a 'crytic-compilers' PyPI package named very closely after a fairly known legitimate Python library which is used by cryptocurrency developers to facilitate compilation of smart contracts, or digital agreements which are stored on the blockchain network.

Tracked as sonatype-2024-1561 and identified May 1, 2024 by us, the counterfeit 'crytic-compilers' component scored 436 downloads before being taken offline from PyPI.

Choose your components wisely

The counterfeit library is interesting in that, in addition to being named after the legitimate Python utility, 'crytic-compile', it aligns its version numbers with the real library which gets over 170,000 monthly downloads.

Whereas the real library's latest version stops at 0.3.7, the counterfeit 'crytic-compilers' version picks up right here, and ends at 0.3.11 — giving off the impression that this is a newer version of the component.

Some versions of the counterfeit component (e.g. 0.3.9) will even attempt to "install" the real library ('crytic-compile') to avoid suspicion (line 5 of 'setup.py'):

The game changes with the illicit component's 0.3.11 version, when it checks if you are running Windows. Should that be the case, the package wastes no time in running a bundled executable named 's.exe'.

An external security researcher, Dhanesh Dodia who also came across the counterfeit package this month states that "the variance in naming convention can potentially lead to confusion among users."

This is true especially because, the genuine 'crytic-compile' package "maintains a considerable level of popularity, evidenced by its 141 stars on GitHub," and "465 repositories that depend on 'crytic-compile,' underlining its significance within the crypto development community."

Russia-linked Lumma Windows stealer targets crypto wallets

Thankfully, by now, this 's.exe' has been identified as a problematic, malicious binary by several antivirus engines.

The malware, like other crypto stealers we have analyzed, employs anti-detection and stealth techniques to deter analysis by researchers and malware sandboxes alike, and further drops suspicious executables and accesses Windows registry settings.

A key aspect associated with this malicious Windows executable is the set of domains and IP addresses that the binary establishes a connection to:

acceptabledcooeprs[.]shop - 104[.]21.59.156
boredimperissvieos[.]shop - 172[.]67.186.30
holicisticscrarws[.]shop - 172[.]67.183.72
miniaturefinerninewjs[.]shop - 172[.]67.173.139
obsceneclassyjuwks[.]shop - 104[.]21.20.88
plaintediousidowsko[.]shop - 104[.]21.53.146
sweetsquarediaslw[.]shop - 172[.]67.203.170
zippyfinickysofwps[.]shop - 172[.]67.148.231

These Indicators of Compromise (IOCs) are associated with Lumma aka LummaC2 stealer. Lumma is a command and control (C2) trojan that looks for browser passwords, crypto wallets, and exfiltrates this information to threat actors.

The aforementioned domains have an active '/api' endpoint which commonly exists on domains linked to Lumma. These domains, all registered on Namecheap, have also turned on Cloudflare's DDoS protection. We further observed geo-blocks in place when attempting to access these domains from certain IP addresses.

Lumma's diverse distribution approach

Written in C and circulating online since at least August 2022, Lumma stealer is a Windows trojan that primarily targets cryptocurrency wallets and browser extensions. It is typically provided under a Malware-as-a-Service (Maas) model on Russian-speaking forums on the dark web. The malware is purportedly developed by a threat actor with alias, "Shamel." 

Over the years, Lumma has resurfaced several times and has leveraged a variety of channels for distribution. More recently, these have included, for example, trojanized bootleg apps, phishing emails to YouTube content creators, and pirated "'free' games with cheats."

Image

Interestingly, this very week as we were preparing this analysis, threat actors are also spreading the threat via drive-by downloads to ship fake browser updates on compromised or illicit websites. These "updates" ultimately drop Lumma stealer:



Sonatype's latest discovery of 'crytic-compilers' directly demonstrates seasoned threat actors now targeting Python developers and abusing open source registries like PyPI as a distribution channel for their potent data theft arsenal.

Users of Sonatype Repository Firewall are protected from counterfeit components like these, which would be blocked from entering their builds. We may discretionarily expand our blocklists periodically as similar packages surface and our investigation into this campaign progresses. If you're not already protected with Sonatype, get in touch so we can show you Repository Firewall in action.

Picture of Ax Sharma

Written by Ax Sharma

Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and cybercrime investigations. He has a passion for educating a wide range of audiences through writing and vlogs.