"Based on the victim's operating system and whether Qihoo 360 antivirus is running, the package downloads a payload, writes it to the system temp directory, and silently executes it," Socket security researcher Olivia Brown said in a report. "The package appears to return the Ethereum version number, so the victim is none the wiser." A notable aspect of the package is that it is explicitly designed to check for the presence of the "qhsafetray.exe" process,
The malicious package, fezbox, is disguised as a utility library and has "layers of obfuscation" including the "innovative, steganographic use" of QR codes. Steganography involves embedding secret data into a cover medium so that it goes undetected. "Steganography is the practice of hiding a secret file in plain sight, something for which QR codes are great," wrote Socket researcher Olivia Brown.
"SilentSync is capable of remote command execution, file exfiltration, and screen capturing," Zscaler ThreatLabz's Manisha Ramcharan Prajapati and Satyam Singh said. "SilentSync also extracts web browser data, including credentials, history, autofill data, and cookies from web browsers like Chrome, Brave, Edge, and Firefox." The packages, now no longer available for download from PyPI, are listed below. They were both uploaded by a user named "CondeTGAPIS."
