PyPI Phishing Campaign | JuiceLedger Threat Actor Pivots From Fake Apps to Supply Chain Attacks
SentinelLabs, in collaboration with Checkmarx, has been tracking the activity and evolution of a threat actor dubbed “JuiceLedger”. In early 2022, JuiceLedger began running relatively low-key campaigns, spreading fraudulent Python installer applications with ‘JuiceStealer’, a
.NET application designed to steal sensitive data from victims’ browsers. In August 2022, the threat actor engaged in poisoning open-source packages as a way to target a wider audience with the infostealer through a supply chain attack, raising the threat level posed by this group considerably.
JuiceLedger operators have actively targeted PyPi package contributors in a phishing campaign, successfully poisoning at least two legitimate packages with malware. Several hundred more malicious packages are known to have been typosquatted.
In this post, we detail the evolution of JuiceLedger, describe the group’s attack vectors and activity, and provide an analysis of the JuiceStealer payload.
The supply chain attack on PyPi package contributors appears to be an escalation of a campaign begun earlier in the year which initially targeted potential victims through fake cryptocurrency trading applications, among them a bot the threat actors marketed as an “AI Crypto trading bot” named “The Tesla Trading bot”.
The attack on PyPI in August involves a far more complex attack chain, including phishing emails to PyPI developers, typosquatting, and malicious packages intended to infect downstream users with the JuiceStealer malware. This vector seems to be utilized in parallel to the earlier JuiceLedger infection method, as similar payloads were delivered around the same time through fake cryptocurrency ledger websites.
On August 24, 2022, PyPi published details of an ongoing phishing campaign targeting PyPi users. According to their report, this is the first known phishing attack against PyPI. The phishing email states that a mandatory ‘validation’ process requires the contributor to validate their package or risk having it removed from PyPI.
The phishing emails point victims to a Google site’s landing page mimicking the PyPI login page. The credentials provided there were sent to a known JuiceLedger domain:
Some of those phishing attacks appear to have been successful, leading to the compromise of legitimate code packages whose contributors credentials were compromised.
PyPI also reported that they had found a number of typosquatting packages that conformed to a similar pattern; JuiceLedger has also used typosquatting to deliver its malicious applications.
Typosquatting popular code packages is nothing new. Reports of similar attacks have emerged during the last few years, including the CrateDepression campaign targeting Rust developers and recently reported by SentinelLabs.
Compromised packages uploaded by JuiceLedger in the August campaign contain a short code snippet, responsible for downloading and executing a signed variant of JuiceStealer. The malicious code added is depicted below.
The code snippet added to those packages is quite similar to the ones added in the typosquatting packages. According to PyPI, the malicious code snippets were found on the following packages:
A look at the code snippet from compromised packages suggests that the actors added an indication of the compromised package in the registration URL.
JuiceLedger’s August campaign also contained a Ledger-themed fraudulent application. Users of Ledger, a hardware “cold storage” wallet technology for crypto assets, have been targeted with a digitally-signed version of JuiceStealer embedded in fake Ledger installation packs.
13CFDF20DFA846C94358DBAC6A3802DC0671EAB2 was used to sign a total of four samples, one of which appears to be unrelated, although all are malicious.
JuiceLedger’s infostealer, dubbed JuiceStealer, is a relatively simple
.NET application, internally named “meta”. First indications of the stealer started emerging in February this year. Over several iterations, the infostealer was embedded in a number of fraudulent applications and installers.
The first version of JuiceStealer (
d249f19db3fe6ea4439f095bfe7aafd5a0a5d4d2), uploaded to VirusTotal on February 13, appears to be incomplete and may be a test submitted by the developers. It is the first in a set of variants mimicking Python installers.
This sample iterates over processes containing the word “chrome”, shuts them down and then searches for Google Chrome Extension log files. The infostealer iterates over logs that contain the word “vault”, possibly searching for cryptocurrency vaults, and reports back to an embedded C2 server over HTTP.
A fully fledged version of the fraudulent installer was submitted a few days later as part of a zip file named “python-v23.zip” (
1a7464489568003173cd048a3bad41ca32dbf94f), containing a newer version of the infostealer, a legitimate Python installer and an instruction file, “INSTRUCTIONS.exe”.
This version of the infostealer introduces a new class, named ‘Juice’ (hence the name), and also searches for Google Chrome passwords, querying Chrome SQLite files. It also launches a Python installer contained in the zip named “config.exe”. Naming legitimate software “config.exe” appears to be common in various JuiceStealer variants.
Like many of the JuiceStealer samples we analyzed, it was compiled as a self-contained
.NET app. This makes the files significantly larger.
pdb path common to many earlier versions of the JuiceStealer contains the user name “reece” and internal project name “meta”.
Pivoting off the
pdb paths observed, we were able to link additional activities to JuiceLedger. Those, together with our additional findings of the development phases of JuiceStealer, suggest the group began operating in late 2021.
On January 30, a set of three fake installers compiled as self-contained applications were uploaded to VirusTotal from the submitter f40316fe, located in GB. The same submitter also uploaded the first variant of JuiceStealer, which also appears to be a test. All the fake installers had a similar
pdb path, containing the username “reece”, and appear to be the threat actor’s first iterations of the JuiceStelaer.
Throughout the research, we came across a possible connection to Nowblox, a scam website that operated in 2021, offering free Robux. Several applications named “Nowblox.exe” were systematically uploaded to VirusTotal from submitters in GB, all with the following
While the path on its own is not a very strong indication, we came across another link to Nowblox in our research, in the form of a file named “NowbloxCodes.iso”(
5eb92c45e0700d80dc24d3ad07a7e2d5b030c933). The use of an ISO file might suggest it was sent out in a phishing email, as ISO files have become a popular attack vector for bypassing email security products. However, we have no data to validate this.
The file contains an LNK file (
e5286353dec9a7fc0c6db378b407e0293b711e9b), triggering the execution of an obfuscated PowerShell command, which in turn runs
mstha to load an
.HTA file from
hxxps://rblxdem[.]com/brace.hta, which is currently offline.
rblxdem[.]com is hosted on
45.153.35[.]53, which was used to host several Ledger phishing domains as well as a JuiceStealer C2 domain
thefutzibag[.]com, providing another possible link to JuiceLedger.
Over time, JuiceLedger operators started using direct crypto-themed fraudulent applications, among them, an application they named “Tesla Trading bot”. Delivered in a similar scheme to the Python installer, it was embedded within a zip file with additional legitimate software. The JuiceStealer has evolved significantly during this period, adding support both for additional browsers as well as Discord.
The embedded instructions message is very similar to the one found in the fake Python installer, prompting users to disable their security solutions.
While the delivery mechanism remains unclear, it seems JuiceLedger operators maintained a website for the fake trading bot, prompting users to download the fraudulent application.
PyPI have stated that they are actively reviewing reports of malicious packages and have taken down several hundred typosquats. Package maintainers are urged to use 2FA authorization on their accounts where available and to confirm that the URL in the address bar is
http://pypi.org when entering credentials. Users can also check that the site’s TLS certificate is issued to
Maintainers who believe they may have been victim of a JuiceLedger attack are advised to reset passwords immediately and to report any suspicious activity to [email protected]
JuiceLedger appears to have evolved very quickly from opportunistic, small-scale infections only a few months ago to conducting a supply chain attack on a major software distributor. The escalation in complexity in the attack on PyPI contributors, involving a targeted phishing campaign, hundreds of typosquatted packages and account takeovers of trusted developers, indicates that the threat actor has time and resources at their disposal.
Given the widespread use of PyPI and other open source packages in enterprise environments, attacks such as these are a cause of concern and security teams are urged to review the provided indicators and take appropriate mitigation measures.
Fake Python installers
Nowblox ISO file
Get notified when we post new content.
Thanks! Keep an eye out for new content!
In the era of interconnectivity, when markets, geographies, and jurisdictions merge in the melting pot of the digital domain, the perils of the threat ecosystem become unparalleled. Crimeware families achieve an unparalleled level of technical sophistication, APT groups are competing in fully-fledged cyber warfare, while once decentralized and scattered threat actors are forming adamant alliances of operating as elite corporate espionage teams.
Get notified when we post new content.
Thanks! Keep an eye out for new content!