PyPI Packages Leak User Data to Telegram Bot, Iraqi Cybercriminals Suspected
Experts at Checkmarx have uncovered PyPI packages containing a malicious script in the “__init__.py” file that transmits user data to a Telegram bot. Because that file runs as soon as the package is imported, the theft needs no further action from the victim.
The malicious packages, uploaded by a user named “dsfsdfds,” were part of a larger cybercriminal operation. The primary objective of the campaign is to steal users’ confidential data and transmit it to a Telegram bot associated with cybercriminals from Iraq. The operation has been active since 2022. The Telegram channel hosting the bot contains over 90,000 messages in Arabic.
The list of malicious packages on PyPI includes:
- testbrojct2
- proxyfullscraper
- proxyalhttp
- proxyfullscrapers
The malicious script in these packages scans the victim’s file system, particularly the root directory and the DCIM folder. The script searches for files with the extensions “.py,” “.php,” and “.zip,” as well as images with the extensions “.png,” “.jpg,” and “.jpeg.” The discovered files and their paths in the file system are exfiltrated to Telegram without the user’s knowledge.
Hardcoded sensitive information, such as the bot token and chat ID, allowed researchers to gain insights into the cybercriminals’ infrastructure and operations. The researchers accessed the Telegram bot and monitored its activities.
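The behaviour described above (a hardcoded bot token, Bot API uploads, and a walk over the root and DCIM folders for a fixed set of extensions) gives defenders a compact signature to hunt for in installed packages. The scanner below is an added example written for this article, not Checkmarx’s tooling; the token shape, the regexes and the sample package sources are constructed assumptions based on the description rather than the actual malicious code.

```python
import re
from pathlib import Path

# Indicators taken from the article's description: a hardcoded bot token,
# Bot API upload endpoints, interest in the root/DCIM folders and file types.
TELEGRAM_API = re.compile(r"api\.telegram\.org/bot")
BOT_TOKEN = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")  # assumed token shape
SEND_METHODS = re.compile(r"/(sendDocument|sendPhoto|sendMessage)\b")
HARVEST_PATHS = re.compile(r"DCIM|os\.walk\(\s*['\"]/['\"]")
TARGET_EXTS = re.compile(r"\.(py|php|zip|png|jpe?g)\b")

def score_source(src: str) -> dict:
    """Report which indicators appear in one module's source text."""
    hits = {
        "telegram_api": bool(TELEGRAM_API.search(src)),
        "bot_token": bool(BOT_TOKEN.search(src)),
        "upload_method": bool(SEND_METHODS.search(src)),
        "walks_dcim_or_root": bool(HARVEST_PATHS.search(src)),
        "target_extensions": len(set(TARGET_EXTS.findall(src))) >= 3,
    }
    # Flag only the combination: a Telegram exfil channel plus file harvesting
    hits["suspicious"] = (hits["telegram_api"]
                          and (hits["bot_token"] or hits["upload_method"])
                          and (hits["walks_dcim_or_root"] or hits["target_extensions"]))
    return hits

def audit_sources(sources: dict) -> list:
    """Return the names of modules whose source trips the combined rule."""
    return [name for name, src in sources.items() if score_source(src)["suspicious"]]

def audit_site_packages(root: Path) -> list:
    """Scan every __init__.py under an installed-packages directory."""
    sources = {str(p.relative_to(root)): p.read_text(errors="ignore")
               for p in root.rglob("__init__.py")}
    return audit_sources(sources)

# Constructed samples mirroring the described behaviour; token is shape only, not real
FAKE_TOKEN = "1234567890:" + "A" * 35
SAMPLE_MALICIOUS = f'''
import os
TOKEN = "{FAKE_TOKEN}"
URL = "https://api.telegram.org/bot" + TOKEN + "/sendDocument"
for base in ("/", "/sdcard/DCIM"):
    for d, _, names in os.walk(base):
        pass  # upload of .py/.php/.zip/.png/.jpg/.jpeg files omitted
'''
SAMPLE_BENIGN = 'from .core import main\n__all__ = ["main"]\n'

if __name__ == "__main__":
    import sys
    print(audit_site_packages(Path(sys.argv[1])) if len(sys.argv) > 1
          else audit_sources({"evil/__init__.py": SAMPLE_MALICIOUS, "ok/__init__.py": SAMPLE_BENIGN}))
```

Run it against a virtual environment’s site-packages directory to list packages whose import-time code combines a Telegram endpoint with file harvesting; a hit is a reason to inspect the package, not proof on its own.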
The bot’s activity history dates back to 2022, long before the malicious packages were released on PyPI. Most of the messages were in Arabic. Analysis revealed that the bot operator managed numerous other bots and was likely based in Iraq.
Initially, the bot functioned as an underground market, offering services for boosting views and followers on Telegram and Instagram, spam services, and discounts on Netflix subscriptions. However, further examination of the message history unveiled more dangerous activities related to financial fraud and system compromise.
The discovery of the malicious packages and the subsequent investigation into the Telegram bot shed light on a complex cybercriminal operation. What appeared to be an isolated case of malicious packages revealed a vast criminal ecosystem. The Checkmarx research team continues to investigate the attack to gather additional information on the perpetrators’ methods.