Cybersecurity researchers have discovered a new malicious Python package that masquerades as a cryptocurrency trading tool but harbors functionality designed to steal sensitive data and drain assets from victims’ crypto wallets.
The package, named “CryptoAITools,” is said to have been distributed via both Python Package Index (PyPI) and bogus GitHub repositories. It was downloaded over 1,300 times before being taken down on PyPI.
“The malware activated automatically upon installation, targeting both Windows and macOS operating systems,” Checkmarx said in a new report shared with The Hacker News. “A deceptive graphical user interface (GUI) was used to distract vic4ms while the malware performed its malicious ac4vi4es in the background.”
The package is designed to unleash its malicious behavior immediately after installation through code injected into its “__init__.py” file that first determines if the target system is Windows or macOS in order to execute the appropriate version of the malware.
Present within the code is a helper functionality that’s responsible for downloading and executing additional payloads, thereby kicking-off a multi-stage infection process.
Specifically, the payloads are downloaded from a fake website (“coinsw[.]app”) that advertises a cryptocurrency trading bot service, but is in fact an attempt to give the domain a veneer of legitimacy should a developer decide to navigate to it directly on a web browser.
This approach not only helps the threat actor evade detection, but also allows them to expand the malware’s capabilities at will by simply modifying the payloads hosted on the legitimate-looking website.
A notable aspect of the infection process is the incorporation of a GUI component that serves to distract the victims by means of a fake setup process while the malware is covertly harvesting sensitive data from the systems.
“The CryptoAITools malware conducts an extensive data theft operation, targeting a wide range of sensitive information on the infected system,” Checkmarx said. “The primary goal is to gather any data that could aid the attacker in stealing cryptocurrency assets.”
This includes data from cryptocurrency wallets (Bitcoin, Ethereum, Exodus, Atomic, Electrum, etc.), saved passwords, cookies, browsing history, cryptocurrency extensions, SSH keys, files stored in Downloads, Documents, Desktop directories that reference cryptocurrencies, passwords, and financial information, and Telegram.
On Apple macOS machines, the stealer also takes the step of collecting data from Apple Notes and Stickies apps. The gathered information is ultimately uploaded to the gofile[.]io file transfer service, after which the local copy is deleted.
Checkmarx said it also discovered the threat actor distributing the same stealer malware through a GitHub repository named Meme Token Hunter Bot that claims to be “an AI-powered trading bot that lists all meme tokens on the Solana network and performs real-time trades once they are deemed safe.”
This indicates that the campaign is also targeting cryptocurrency users who opt to clone and run the code directly from GitHub. The repository, which is still active as of writing, has been forked once and starred 10 times.
Also managed by the operators is a Telegram channel that promotes the aforementioned GitHub repository, as well as offers monthly subscriptions and technical support.
“This multi-platform approach allows the attacker to cast a wide net, potentially reaching victims who might be cautious about one platform but trust another,” Checkmarx said.
“The CryptoAITools malware campaign has severe consequences for victims and the broader cryptocurrency community. Users who starred or forked the malicious ‘Meme-Token-Hunter-Bot’ repository are potential victims, significantly expanding the attack’s reach.”
