A place to cache linked articles (think custom and personal wayback machine)
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。

index.html 14KB

5ヶ月前
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201
  1. <!doctype html><!-- This is a valid HTML5 document. -->
  2. <!-- Screen readers, SEO, extensions and so on. -->
  3. <html lang="en">
  4. <!-- Has to be within the first 1024 bytes, hence before the `title` element
  5. See: https://www.w3.org/TR/2012/CR-html5-20121217/document-metadata.html#charset -->
  6. <meta charset="utf-8">
  7. <!-- Why no `X-UA-Compatible` meta: https://stackoverflow.com/a/6771584 -->
  8. <!-- The viewport meta is quite crowded and we are responsible for that.
  9. See: https://codepen.io/tigt/post/meta-viewport-for-2015 -->
  10. <meta name="viewport" content="width=device-width,initial-scale=1">
  11. <!-- Required to make a valid HTML5 document. -->
  12. <title>Cybercriminals pose as "helpful" Stack Overflow users to push malware (archive) — David Larlet</title>
  13. <meta name="description" content="Publication mise en cache pour en conserver une trace.">
  14. <!-- That good ol' feed, subscribe :). -->
  15. <link rel="alternate" type="application/atom+xml" title="Feed" href="/david/log/">
  16. <!-- Generated from https://realfavicongenerator.net/ such a mess. -->
  17. <link rel="apple-touch-icon" sizes="180x180" href="/static/david/icons2/apple-touch-icon.png">
  18. <link rel="icon" type="image/png" sizes="32x32" href="/static/david/icons2/favicon-32x32.png">
  19. <link rel="icon" type="image/png" sizes="16x16" href="/static/david/icons2/favicon-16x16.png">
  20. <link rel="manifest" href="/static/david/icons2/site.webmanifest">
  21. <link rel="mask-icon" href="/static/david/icons2/safari-pinned-tab.svg" color="#07486c">
  22. <link rel="shortcut icon" href="/static/david/icons2/favicon.ico">
  23. <meta name="msapplication-TileColor" content="#f7f7f7">
  24. <meta name="msapplication-config" content="/static/david/icons2/browserconfig.xml">
  25. <meta name="theme-color" content="#f7f7f7" media="(prefers-color-scheme: light)">
  26. <meta name="theme-color" content="#272727" media="(prefers-color-scheme: dark)">
  27. <!-- Is that even respected? Retrospectively? What a shAItshow…
  28. https://neil-clarke.com/block-the-bots-that-feed-ai-models-by-scraping-your-website/ -->
  29. <meta name="robots" content="noai, noimageai">
  30. <!-- Documented, feel free to shoot an email. -->
  31. <link rel="stylesheet" href="/static/david/css/style_2021-01-20.css">
  32. <!-- See https://www.zachleat.com/web/comprehensive-webfonts/ for the trade-off. -->
  33. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  34. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  35. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  36. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  37. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  38. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  39. <script>
  40. function toggleTheme(themeName) {
  41. document.documentElement.classList.toggle(
  42. 'forced-dark',
  43. themeName === 'dark'
  44. )
  45. document.documentElement.classList.toggle(
  46. 'forced-light',
  47. themeName === 'light'
  48. )
  49. }
  50. const selectedTheme = localStorage.getItem('theme')
  51. if (selectedTheme !== 'undefined') {
  52. toggleTheme(selectedTheme)
  53. }
  54. </script>
  55. <meta name="robots" content="noindex, nofollow">
  56. <meta content="origin-when-cross-origin" name="referrer">
  57. <!-- Canonical URL for SEO purposes -->
  58. <link rel="canonical" href="https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-helpful-stack-overflow-users-to-push-malware/">
  59. <body class="remarkdown h1-underline h2-underline h3-underline em-underscore hr-center ul-star pre-tick" data-instant-intensity="viewport-all">
  60. <article>
  61. <header>
  62. <h1>Cybercriminals pose as "helpful" Stack Overflow users to push malware</h1>
  63. </header>
  64. <nav>
  65. <p class="center">
  66. <a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
  67. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
  68. </svg> Accueil</a> •
  69. <a href="https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-helpful-stack-overflow-users-to-push-malware/" title="Lien vers le contenu original">Source originale</a>
  70. <br>
  71. Mis en cache le 2024-05-31
  72. </p>
  73. </nav>
  74. <hr>
  75. <p><img alt="Stack Overflow" src="https://www.bleepstatic.com/content/hl-images/2024/05/29/stackoverflow-header.jpg"></p>
  76. <p>Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware—answering users' questions by promoting a malicious PyPi package that installs Windows information-stealing malware.</p>
  77. <p>Sonatype researcher Ax Sharma (and a writer at BleepingComputer) discovered this new PyPi package is part of a previously known 'Cool package' campaign, named after a string in the package's metadata, that targeted Windows users last year.</p>
  78. <p>This PyPi package is named 'pytoileur' and was uploaded by threat actors to the PyPi repository over the weekend, claiming it was an API management tool. Notice how the package has the "Cool package" string in the Summary metadata field, indicating it is part of this ongoing campaign. </p>
  79. <div>
  80. <figure class="image"><img alt="Malicious pytoileur PyPi package" src="https://www.bleepstatic.com/images/news/malware/c/cool-package-stackoverflow/pytoileur-package.jpg"><figcaption><strong>Malicious pytoileur PyPi package</strong><br><em>Source: Sonatype</em></figcaption></figure></div>
  81. <p>Malicious packages like this are usually promoted using names similar to other popular packages, a process called typo-squatting.</p>
  82. <p>However, with this package, the threat actors took a more novel approach by <a href="https://archive.is/MU5JA" target="_blank" rel="nofollow noopener">answering</a> <a href="https://archive.is/https://stackoverflow.com/questions/78545964/pandas-dataframe-select-dtypes-not-selecting-intended-datatypes" target="_blank" rel="nofollow noopener">questions</a> on Stack Overflow and promoting the package as a solution.</p>
  83. <div>
  84. <figure class="image"><img alt="Stack Overflow answer promoting malicious PyPi package" src="https://www.bleepstatic.com/images/news/malware/c/cool-package-stackoverflow/stackoverflow-answer.jpg"><figcaption><strong>Stack Overflow answer promoting malicious PyPi package</strong><br><em>Source: BleepingComputer</em></figcaption></figure></div>
  85. <p> </p>
  86. <p>As Stack Overflow is a widely used platform for developers of all skill sets to ask and answer questions, it provides a perfect environment to spread malware disguised as programming interfaces and libraries.</p>
  87. <p>"We further noticed that a StackOverflow account "EstAYA G" created <a href="https://stackoverflow.com/users/25291597/estaya-g" target="_blank" rel="nofollow noopener">roughly 2 days ago</a> is now exploiting the platform's community members seeking debugging help [<a href="https://stackoverflow.com/questions/78544624/kivy-file-produces-blank-screen" target="_blank" rel="nofollow noopener">1</a>, <a href="https://stackoverflow.com/questions/78545964/pandas-dataframe-select-dtypes-not-selecting-intended-datatypes" target="_blank" rel="nofollow noopener">2</a>, <a href="https://stackoverflow.com/questions/78545955/how-to-get-manipulated-table-from-put-datatable-in-pywebio/78546345#78546345" target="_blank" rel="nofollow noopener">3</a>] by directing them to install this malicious package as a "solution" to their issue even though the "solution" is unrelated to the questions posted by developers," explained Sharma in the <a href="https://www.sonatype.com/blog/pypi-crypto-stealer-targets-windows-users-revives-malware-campaign" target="_blank" rel="nofollow noopener">Sonatype report</a>.</p>
  88. <p>In this case, the pytoileur package contains a 'setup.py' files that pads a base64 encoded command to execute with spaces so it is hidden unless you enable word wrap in your IDE or text file editor.</p>
  89. <div>
  90. <figure class="image"><img alt="Obfuscated command to execute in setup.py" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" data-src="https://www.bleepstatic.com/images/news/malware/c/cool-package-stackoverflow/obfuscated-command.jpg" class="b-lazy"><figcaption><strong>Obfuscated command to execute in setup.py</strong><br><em>Source: BleepingComputer</em></figcaption></figure></div>
  91. <p>When deobfuscated, this command will download an executable named 'runtime.exe' [<a href="https://www.virustotal.com/gui/file/48004654bf491a126acc07b5ad376012a43c4b5254ebbf516b762254d7be3fbd" target="_blank" rel="nofollow noopener">VirusTotal</a>] from a remote site and execute it.</p>
  92. <div>
  93. <figure class="image"><img alt="Deobfuscated Base64-encoded command" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" data-src="https://www.bleepstatic.com/images/news/malware/c/cool-package-stackoverflow/deobfuscated-command.jpg" class="b-lazy"><figcaption><strong>Deobfuscated Base64-encoded command</strong><br><em>Source: BleepingComputer</em></figcaption></figure></div>
  94. <p>This executable is actually a Python program converted into an .exe that acts as an information-stealing malware to harvest cookies, passwords, browser history, credit cards, and other data from web browsers.</p>
  95. <p>It also appears to search through documents for specific phrases and, if found, steal the data as well.</p>
  96. <p>All of this information is then sent back to the attacker, who can sell it on dark web markets or use it to breach further accounts owned by the victim.</p>
  97. <p>While malicious PyPi packages and information-stealers are nothing new, the cybercriminals' strategy to pose as helpful contributors on Stack Overflow is an interesting approach as it allows them to exploit the trust and authority of the site in the coding community.</p>
  98. <p>This approach serves as a reminder of the constantly changing tactics of cybercriminals and, unfortunately, illustrates why you can never blindly trust what someone shares online.</p>
  99. <p>Instead, developers must verify the source of all packages they add to their projects, and even if it feels trustworthy, check the code (with word wrap enabled) for unusual or obfuscated commands that will be executed.</p>
  100. </article>
  101. <hr>
  102. <footer>
  103. <p>
  104. <a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
  105. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
  106. </svg> Accueil</a> •
  107. <a href="/david/log/" title="Accès au flux RSS"><svg class="icon icon-rss2">
  108. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-rss2"></use>
  109. </svg> Suivre</a> •
  110. <a href="http://larlet.com" title="Go to my English profile" data-instant><svg class="icon icon-user-tie">
  111. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-user-tie"></use>
  112. </svg> Pro</a> •
  113. <a href="mailto:david%40larlet.fr" title="Envoyer un courriel"><svg class="icon icon-mail">
  114. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-mail"></use>
  115. </svg> Email</a> •
  116. <abbr class="nowrap" title="Hébergeur : Alwaysdata, 62 rue Tiquetonne 75002 Paris, +33184162340"><svg class="icon icon-hammer2">
  117. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-hammer2"></use>
  118. </svg> Légal</abbr>
  119. </p>
  120. <template id="theme-selector">
  121. <form>
  122. <fieldset>
  123. <legend><svg class="icon icon-brightness-contrast">
  124. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-brightness-contrast"></use>
  125. </svg> Thème</legend>
  126. <label>
  127. <input type="radio" value="auto" name="chosen-color-scheme" checked> Auto
  128. </label>
  129. <label>
  130. <input type="radio" value="dark" name="chosen-color-scheme"> Foncé
  131. </label>
  132. <label>
  133. <input type="radio" value="light" name="chosen-color-scheme"> Clair
  134. </label>
  135. </fieldset>
  136. </form>
  137. </template>
  138. </footer>
  139. <script src="/static/david/js/instantpage-5.1.0.min.js" type="module"></script>
  140. <script>
  141. function loadThemeForm(templateName) {
  142. const themeSelectorTemplate = document.querySelector(templateName)
  143. const form = themeSelectorTemplate.content.firstElementChild
  144. themeSelectorTemplate.replaceWith(form)
  145. form.addEventListener('change', (e) => {
  146. const chosenColorScheme = e.target.value
  147. localStorage.setItem('theme', chosenColorScheme)
  148. toggleTheme(chosenColorScheme)
  149. })
  150. const selectedTheme = localStorage.getItem('theme')
  151. if (selectedTheme && selectedTheme !== 'undefined') {
  152. form.querySelector(`[value="${selectedTheme}"]`).checked = true
  153. }
  154. }
  155. const prefersColorSchemeDark = '(prefers-color-scheme: dark)'
  156. window.addEventListener('load', () => {
  157. let hasDarkRules = false
  158. for (const styleSheet of Array.from(document.styleSheets)) {
  159. let mediaRules = []
  160. for (const cssRule of styleSheet.cssRules) {
  161. if (cssRule.type !== CSSRule.MEDIA_RULE) {
  162. continue
  163. }
  164. // WARNING: Safari does not have/supports `conditionText`.
  165. if (cssRule.conditionText) {
  166. if (cssRule.conditionText !== prefersColorSchemeDark) {
  167. continue
  168. }
  169. } else {
  170. if (cssRule.cssText.startsWith(prefersColorSchemeDark)) {
  171. continue
  172. }
  173. }
  174. mediaRules = mediaRules.concat(Array.from(cssRule.cssRules))
  175. }
  176. // WARNING: do not try to insert a Rule to a styleSheet you are
  177. // currently iterating on, otherwise the browser will be stuck
  178. // in a infinite loop…
  179. for (const mediaRule of mediaRules) {
  180. styleSheet.insertRule(mediaRule.cssText)
  181. hasDarkRules = true
  182. }
  183. }
  184. if (hasDarkRules) {
  185. loadThemeForm('#theme-selector')
  186. }
  187. })
  188. </script>
  189. </body>
  190. </html>