What is the W4SP Information Stealer?
While colder weather puts most bugs at rest until spring ushers in warmer temps, there’s one critter with a different type of sting that doesn’t appear to be going away any time soon — the W4SP information stealer.
Supply chains have had a rough few years. The Covid-19 pandemic caused major supply chain disruptions the world over. Virtually every product rose in price while supplies dwindled. Bottlenecks choked the supply and demand pipeline. Ships full of products sat idly at ports waiting to be unloaded. Yes, it was a mess. Now, another type of supply chain is being targeted. Since mid-October, W4SP malware has been attacking software supply chains; in this case, it uses Python packages to launch an information stealer.
The Software Supply Chain
The software supply chain is as integral to developers as traditional supply chains are to consumers. If you haven’t heard of the software supply chain, that’s probably because you think of applications as being built entirely of custom code. Today, however, open-source libraries and components make up much of most applications, pulling functionality from different third-party sources. That web of dependencies is the software supply chain: a large ecosystem interconnecting people, processes and systems. In short, the software supply chain allows developers to launch applications much faster, because it builds on problems others have already solved and gives developers a major head start on the development process. The downside is that it can introduce attack vectors and expose vulnerabilities that create entry points for threats like the W4SP malware.
How W4SP Infected the Python Package Index (PyPI)
The programming language Python has gained tremendous steam and notoriety over the past few years, and for good reason. It’s easy to learn and use. It’s reliable and flexible. And there is a large support community and hundreds of frameworks and libraries from which to choose. It’s inarguably one of the most popular programming languages in use today. (Trivia Alert: Dutch developer Guido van Rossum developed Python in the late 1980s. He named it after the famous British comedy group Monty Python. Why? Well, because he wanted Python to be fun. It’s quite apparent he accomplished his goal.)
W4SP found its way into the supply chain through the Python Package Index, or PyPI. PyPI is a large repository of software written in the Python programming language and made available to developers. A threat actor injected W4SP into PyPI by disguising it as one of the repository’s most downloaded packages. Once the package is downloaded, a script inside it fetches the payload from a remote server and launches it. Then the fun begins.
Among other things, the W4SP Stealer scrapes tokens from user accounts on Discord, a social media platform that’s popular in the developer community. Of course, W4SP is in search of any and all sensitive information as well, including credit cards, crypto wallets and passwords.
Polymorphism Presents (Detection) Problems
What makes W4SP malware hard to detect is that it’s polymorphic, which means its features and characteristics continually change. Changing encryption keys and file names between infections defeats signature-based, pattern-matching detection. Because each infection looks unique, it flies under the radar more easily.
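Because a polymorphic payload defeats signature matching, a practical control sits earlier, at install time: pin versions, require pip hash checking, and flag package names that merely resemble popular ones. The following added example is not Radware’s code nor anything from the W4SP analysis; it audits a requirements.txt for those three conditions, and both the POPULAR set and the sample file (with placeholder digests) are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed short list of popular PyPI package names (hypothetical; a real
# check would load PyPI's top-downloads data instead of this hard-coded set).
POPULAR = {"requests", "urllib3", "numpy", "pandas", "colorama", "pyyaml"}

def normalize(name):
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def lookalike(name, popular=POPULAR, threshold=0.85):
    """Return the popular package this name resembles without matching, else None."""
    n = normalize(name)
    if n in popular:
        return None
    best = max(popular, key=lambda p: SequenceMatcher(None, n, p).ratio())
    return best if SequenceMatcher(None, n, best).ratio() >= threshold else None

def audit_requirements(text, popular=POPULAR):
    """Return (package, finding) pairs: 'unpinned' (no ==version, so a future
    release can be swapped in), 'no-hash' (pip cannot verify the artifact) or
    'lookalike:<popular>' (name resembles a top package but is not it)."""
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():   # join continuation lines
        line = raw.split("#", 1)[0].strip()                # drop comments
        if not line or line.startswith("-"):               # skip blanks and pip options
            continue
        spec, *opts = line.split()
        name = re.split(r"[=<>!~\[;]", spec, maxsplit=1)[0]
        if "==" not in spec:
            findings.append((name, "unpinned"))
        if not any(o.startswith("--hash=") for o in opts):
            findings.append((name, "no-hash"))
        near = lookalike(name, popular)
        if near:
            findings.append((name, f"lookalike:{near}"))
    return findings

# Constructed requirements.txt; the sha256 values are placeholders, not real digests.
SAMPLE = """\
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
colorama>=0.4
requesfs==2.31.0 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

if __name__ == "__main__":
    for pkg, finding in audit_requirements(SAMPLE):
        print(f"{pkg}: {finding}")
```

Installing with `pip install --require-hashes -r requirements.txt` then refuses any artifact whose digest does not match the pinned one, regardless of how the payload inside it mutates.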
The Software Supply Chain Has Become A Prime Target
W4SP malware is just one of many recent examples of software supply chain attacks. Four attacks in the past two years were especially harmful and frightening — SolarWinds, Log4J, Kaseya and Codecov.
In December 2020, the Russian intelligence service SVR added a backdoor to Orion software from Texas-based software company SolarWinds. SolarWinds helps organizations manage their systems and technology infrastructure. The breach gave the threat actors an undetected, unfettered journey onto the networks of thousands of SolarWinds customers.
First surfacing during the SolarWinds attack, the Log4J incident saw threat actors take advantage of the logging utility Log4J, which is used by most cloud service providers and many enterprises. They injected malicious code strings that ultimately downloaded and executed malware from remote servers, giving the attackers access to victims’ systems.
In 2021, REvil, a Russia-based Ransomware-as-a-Service (RaaS) gang, targeted the customers of Miami, FL-based software company Kaseya. They deployed the malicious payload through Kaseya servers associated with VSA, the company’s remote monitoring and management software.
As in the SolarWinds attack, threat actors created a backdoor by taking advantage of a vulnerability. This time the victim was Codecov, a code coverage testing tool. A modified script allowed them to pull environment variables from Codecov customers. Environment variables can hold, among other things, preauthorization tokens.
It’s Time to Take Action
Whether or not you realize it, software supply chains play an integral role in our daily lives. There’s a good chance that today — possibly at this very moment — you’ll use an application that relied on the software supply chain. And when so many developers rely on and contribute to these supply chains, it’s easy to understand why they are targets.
That’s why it’s important to talk to tenured, talented cybersecurity professionals like those at Radware. They’ve been providing security and peace of mind to thousands of enterprises and the public sector for years. Reach out to them here; they would love to hear from you.