JuiceLedger – From Low-Key Phishing Campaigns to a Sophisticated Supply Chain Attack

Open-source software libraries become frequent targets of attackers, who view them as an attractive path to distributing malware and stealing credentials. In August 2022, the threat actor JuiceLedger targeted PyPI contributors with a phishing campaign and successfully compromised various legitimate packages. Read on to know more.

In early 2022, JuiceLedger ran relatively low-key campaigns that spread fraudulent Python installer applications with a .NET application, ‘JuiceStealer,’ designed to steal sensitive data from users’ browsers.

In August 2022, the threat actor altered its technique and started poisoning open-source packages to target a wider audience with the information stealer through a supply chain attack. Thus, there was a significant rise in the threat level posed by this group.

The JuiceLedger operators actively targeted PyPi package contributors through the latest phishing campaign, poisoning at least two legitimate packages with malware. Furthermore, several hundred more malicious packages are suspected to be typo squatted.

Evolution of the JuiceStealer Malware

Virustotal discovered JuiceStealer in February when someone (probably a threat actor) submitted a Python program with the capability to install the malware secretly.

The threat actors have developed JuiceStealer using the .Net programming framework and searches for saved passwords in Google Chrome. After carefully examining the code, the researchers linked the JuiceStealer malware to activity that started in 2021 and has been evolving since then. They established a possible connection to Nowblox, a malicious site that offers free online in-game currency Roblox.

Researchers said that over time, the threat actor, which they referred to as JuiceLedger, started using crypto-themed scam apps, like the Tesla Trading bot. These apps came in zip files, accompanied by additional legitimate software.

JuiceLedger used a more complex attack chain for executing the attack on PyPI in August. These include typo-squatting, malicious packages, and phishing emails to PyPI developers to inject JuiceStealer malware into downstream users’ systems.

The researchers at SentinelLabs suspect that Juiceledger utilized the vector in parallel to the earlier infection method as similar payloads got delivered through fake cryptocurrency ledger websites.

The Modus Operandi

The threat actor’s modus operandi involves sending PyPI users a phishing email informing them that Google is implementing the latest validation process for publishing packages on PyPI.
The email claims the measure was Google’s response to a rise in malicious PyPI packages uploaded to the registry.
It warned developers to validate their code packages with Google expeditiously and avoid their removal from the registry. Furthermore, the phishing email noted, “Packages not validated before September 2022 will get removed promptly.”
PyPI users clicking on the link got redirected to a malicious webpage, spoofed to look like PyPI’s login page.
When users entered their credentials, the page sent the information to a JuiceLedger-controlled domain – linkedopports[dot]com.
The threat actor convinced at least two developers to share their credentials, giving JuiceLedger a pathway to access and poison their widely used PyPI packages with malicious code.

The Extent of the Damage

One of the packages (version 0.1.6 of “Exotel”) had over 480,000 downloads when it got infected. The other malicious package (versions 2.0.2 and 4.0.2 of “spam”) had 200,000 downloads. The PyPI administrators removed both packages after discovering them, according to Checkmarx.

The malicious code installed in a development environment queries Chrome SQLite files, searches for Google Chrome passwords, and launches a Python installer included in the zip “config.exe.” Furthermore, the information stealer searches for logs containing the word “vault” (probably searching for cryptocurrency vaults) and reports back to an attacker’s command and control server over HTTP.

PyPI’s Response

PyPI stated that they were actively reviewing reports of the infected packages and several taken-down typosquats. Furthermore, they have urged Package maintainers to confirm the URL http://pypi[.]org in the address bar when entering credentials and use 2FA authorization on their accounts when available. Users can check the site’s TLS certificate is issued to pypi.org.

Additionally, they have requested maintainers who believe they are victims of the JuiceLedger attack to reset passwords and report any suspicious activity to security@pypi.org. Checkmarx recommends checking the network traffic against the below-listed IOCs and encourages contributors to use 2FA.

hxxps://python-release[.]com
hxxps://python-release[.]com/python-install.scr
hxxps://linkedopports[.]com
hxxps://linkedopports[.]com/pyp/resp.php?live=Installation
hxxps://ledgdown[.]com
hxxps://ledgdown[.]com/LedgerSetup.zip
LedgerSetup.scr — 8e97c6883e7af5cc1f88ac03197d62298906ac4a35a789d94cc9fde45ee7ea13
python-install.scr — 60434af3ebe924efabc96558e6c8d8176bf4eb06dd6cc47b4c491da9964be874

How To Mitigate Such Supply Chain Attacks?

If you are a package maintainer, we strongly encourage you to apply the platform’s recommendations to prevent or mitigate attacks on your account.
As a developer, you must define a strict vendor policy and ensure no silent running updates, a common sight with package managers.
You must follow the latest vulnerabilities discovered in your dependencies by periodically checking the GitHub advisory database. Some tools available in the market automatically submit pull requests on your repository and update the dependency where a critical vulnerability was identified recently.

A robust tool for Python users:

To defend against various typo-squatting attacks like Juiceledger, use a lock file. A good lock file will have the following attributes:

Version pins: they will make your builds deterministic and predictable.
Hashes: They are a robust way to verify the integrity of your package.
Full dependency graph: It allows you to control your packages’ dependencies.

Expert Views

Amitai Ben, threat intelligence researcher, SentinelOne.

Attackers exploit the fact that organizations and developers will always need to utilize open-source packages. A robust way to minimize exposure for developers contributing open source code to the public repositories is to enable 2FA (two-factor authentication) on their account in package managers. It will reduce the risk of account takeover by cybercriminals.

Furthermore, users of open source packages must know that popular packages are connected to Git repositories from where the development process takes place. If they find discrepancies between the package on the package manager and the repository, they must treat it as a sign of account takeover and suspicious activity.

Pypi Admins

The significant step towards our broader efforts to enhance the security of the Python ecosystem and all PyPI users is ensuring the widely used projects have basic protections. To improve the general security posture of the Python ecosystem, PyPI is implementing a 2FA (two-factor authentication) requirement for critical projects. The condition will get implemented in the coming months.

Researchers, SentinelLabs

JuiceLedger quickly evolved from an opportunistic infection a few months ago to a sophisticated supply chain attack targeting a major software distributor. The increasingly sophisticated attack on PyPI members that included a targeted phishing campaign, the hijacking of trusted developer accounts, and numerous printed packages suggest that the cybercriminal had adequate time and resources at their disposal.

Final Words

PyPI is not the only code repository that malicious actors have targeted recently. Security Analysts have reported numerous incidents involving other popular registries like npm and Maven Central. The growing attacks have heightened the attention on software supply chain security, especially due to the potential for nation-state-backed attackers (like the malicious Russian actor behind the SolarWinds compromise) to exploit the same vulnerability in their attack campaigns.

To mitigate the risk businesses must implement more advanced and adaptive security measures. This includes developing better solutions for phishing protection, which must be based on a dynamic understanding of the evolving threat landscape.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.