The Good Tech Companies - Crypto Tool or Data Thief? How Meme-Token-Hunter-Bot and Its Clones Steal from macOS Users
Episode Date: November 19, 2024. This story was originally published on HackerNoon at: https://hackernoon.com/crypto-tool-or-data-thief-how-meme-token-hunter-bot-and-its-clones-steal-from-macos-users. Meme-Token-Hunter-Bot targets macOS users under the guise of a crypto tool. Discover how this malware and 10 clones execute a coordinated data-stealing campaign. This story was written by: @moonlock. Checkmarx researchers uncovered a suspicious PyPI package targeting macOS users. While the package presented itself as a crypto token hunter bot, a deeper look revealed it harbored a sophisticated data-stealing payload. To gain a clearer understanding of how Meme-Token-Hunter-Bot executes its attack, we sketched out a flowchart showing each step of the malware's process.
Transcript
This audio is presented by Hacker Noon, where anyone can learn anything about any technology.
Crypto tool or data thief? How meme token hunter bot and its clones steal from macOS users.
By Moonlock by MacPaw. Authors: Ksenia Yamber, Malware Research Engineer at Moonlock by MacPaw, and Mikhailo Paziniuk, Malware Research Engineer at Moonlock by MacPaw.

Open-source software is foundational to innovation but also opens the door to exploitation. Recently, Checkmarx researchers uncovered a suspicious PyPI package targeting macOS users, named Meme Token Hunter Bot. While the package presented itself as a crypto token hunter bot, a deeper look revealed it harbored a sophisticated data-stealing payload.
At Moonlock, where we focus
on protecting macOS users, we knew we had to dig deeper into this one. As we unraveled the layers,
our findings led us to 10 additional repositories, each sharing nearly identical code,
with subtle variations. Was this the work of an automated deployment? A coordinated campaign?
Here's how the investigation unfolded.

The first look: more than just a crypto bot

The story begins with Meme Token Hunter Bot, seemingly just another utility tool for crypto enthusiasts. Its README instructs users to execute main.py, a file that typically initiates the main functionality in most Python-based applications. Following the instructions, we delved into main.py, only to find it calling a helper script called base_helper.py. This helper file would be the cornerstone of our investigation.

Mapping the attack flow

To gain a clearer understanding of how Meme Token Hunter Bot executes its attack, we sketched out a flowchart showing each step of the malware's process, from initial setup to data exfiltration. This visual representation reveals the layers of encoding and stealth tactics embedded within the package, offering a full view of how it operates.
Our flowchart begins with main.py, the starting point that calls base_helper.py if the package detects it's running on macOS. This file includes base64-encoded URLs and file names, stored in variables like encoded_base_key and encoded_licenses. These encoded values hide the true purpose of the script, masking the URL under coinsw[.]app (heard as "coinsw app bsec" in the audio) from which it downloads further files to the ~/tmp/code directory.
Once the files are downloaded, the next step in our flowchart shows the malware launching a file called mhtbot.py, redirecting all visible output to /dev/null, keeping its activities concealed from users and monitoring tools alike.

In the flowchart, mhtbot.py stands out as the turning point in the attack. Using PyQt5, this file creates a graphical user interface that mimics legitimate software, displaying a password prompt and a progress bar. This disguise is designed to reassure users, while, in reality, mhtbot.py stealthily activates a series of data-grabbing modules in the background. mhtbot.py employs a clever evasion technique: it rejects the first password attempt as insecure, only accepting the second. This built-in delay likely aims to evade sandbox detection, as many sandbox environments have limited runtime that might end before the malware fully activates.

As part of its evasion tactics, Meme Token Hunter Bot employs a delay before launching its main data-stealing operations. This delay is also designed to evade detection by sandbox environments, which often have limited runtime durations for automated analysis. By delaying execution, the malware increases its chances of slipping past these initial scans and fully activating on a real user's system. The screenshot below highlights the specific code responsible for this delay. The start_1_py_main_after_delay function initiates a delay of 7000 milliseconds (7 seconds) using QTimer.singleShot, after which it calls the run_1_py_main function. This function then triggers the main data theft module, 1.py, in a separate thread.
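The two static traits described so far, base64 literals parked in innocent-looking variables and a QTimer.singleShot delay before the real work starts, are both cheap to surface from source without running anything. The script below is an added triage example written for this page; it is not Moonlock's tooling or code from the analysed package. It parses a Python file with the standard library's ast module, decodes any string assignment that is valid base64 for printable text containing a URL or path, and reports singleShot calls whose delay is at or above a threshold. The SAMPLE_SOURCE it scans is constructed for the example: the decoded URL and path are placeholders, and the function names in it are invented, not the package's.

```python
import ast
import base64
import binascii
import re
import sys

# Constructed sample that mimics the two patterns discussed above: base64
# literals assigned to innocent-looking variables, and a QTimer.singleShot
# delay before the real work starts. The decoded values are placeholders,
# not the campaign's real infrastructure; the function names are invented.
SAMPLE_SOURCE = '''
import base64, threading
from PyQt5.QtCore import QTimer
encoded_base_key = "aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvZG93bmxvYWQ="
encoded_licenses = "fi90bXAvY29kZQ=="
banner = "Meme Token Hunter Bot"
def run_main():
    threading.Thread(target=print).start()
def start_main_after_delay():
    QTimer.singleShot(7000, run_main)
'''

B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# Decoded text worth reporting: URLs, home-relative or /tmp paths, script names.
INTERESTING = re.compile(r"(https?://|~/|/tmp|\.py\b)")


def decode_if_base64(literal):
    """Return the decoded text when `literal` is valid base64 for printable UTF-8, else None."""
    if not B64_SHAPE.match(literal) or len(literal) % 4:
        return None
    try:
        raw = base64.b64decode(literal, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_encoded_strings(source):
    """Return (variable, literal, decoded) for string assignments that hide URLs or paths."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            continue
        decoded = decode_if_base64(node.value.value)
        if decoded and INTERESTING.search(decoded):
            names = [t.id for t in node.targets if isinstance(t, ast.Name)]
            hits.append((names[0] if names else None, node.value.value, decoded))
    return hits


def find_delayed_calls(source, min_ms=5000):
    """Return (delay_ms, callback_name) for QTimer.singleShot calls with a delay >= min_ms."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "singleShot"
                and isinstance(node.func.value, ast.Name) and node.func.value.id == "QTimer"):
            continue
        if not node.args or not isinstance(node.args[0], ast.Constant):
            continue
        delay = node.args[0].value
        if isinstance(delay, (int, float)) and delay >= min_ms:
            callback = node.args[1].id if len(node.args) > 1 and isinstance(node.args[1], ast.Name) else "?"
            hits.append((delay, callback))
    return hits


def triage(source):
    """Combine both checks into one report dict for a script's source text."""
    return {"encoded": find_encoded_strings(source), "delays": find_delayed_calls(source)}


if __name__ == "__main__":
    # Usage: python triage.py suspicious_script.py   (no argument: scan the built-in sample)
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SOURCE
    report = triage(src)
    for var, lit, dec in report["encoded"]:
        print(f"[encoded] {var} = {lit!r} -> {dec!r}")
    for ms, cb in report["delays"]:
        print(f"[delay]   QTimer.singleShot({ms} ms) -> {cb}")
```

The base64 check deliberately requires the decoded bytes to be printable text that looks like a URL or path, which keeps ordinary base64 (images, keys) out of the report; the delay threshold is a parameter because a 7-second wait is only suspicious in the context of a GUI that then spawns a background thread.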
Data theft

As mhtbot.py transitions to 1.py, the malware's primary data-stealing operations begin. The following code snippets reveal how 1.py uses various functions and modules to collect sensitive information from the user's system. Let's break down each part of the code and its purpose.

In the first snippet, we see the main function preparing a hidden directory for the temporary storage of stolen data. The malware creates ~/tmp/premium as a hidden directory to store files without alerting the user. After setting up this directory, the function calls various routines to gather data from specific applications. One routine likely targets Apple Notes to extract stored notes. copy_stickies and copy_stickies_database gather data from the Stickies application. backup_ssh collects SSH keys from the system. copy_terminal_history copies terminal history files. copy_ssh_and_keychain extracts data from SSH and the macOS keychain. These functions are dedicated to gathering a wide range of data from applications, user credentials, and SSH configurations, making 1.py an all-encompassing data harvester.
The search_files function, seen in the next code snippet, expands the reach of data collection by targeting specific file types. This function searches through common directories (Downloads, Documents, Desktop, and the home directory) for sensitive files with extensions like .txt, .csv, .json, .config, and .env. These file types often contain configuration settings, API keys, and other valuable information. The files found are then copied to a temporary directory, compressed, and prepared for exfiltration. This step ensures that any data typically stored in user directories or project configuration files is collected.

In the following snippet, the copy_terminal_history and copy_ssh_and_keychain functions capture critical user data. The malware extracts terminal history from the .zprofile and .zsh_history files, potentially revealing commands the user executed, including any sensitive information or credentials typed in the terminal. Additionally, the macOS keychain and SSH directory are accessed to capture encrypted credentials, passwords, and SSH keys stored on the system, providing attackers with high-value credentials.
One of the most notable parts of this malware is its targeting of crypto wallets. The zip_additional_wallets function specifically looks for directories associated with popular cryptocurrency wallets. The malware systematically searches for wallet files belonging to Bitcoin, Electrum, Coinomi, Exodus, and other major crypto wallets. Once identified, these wallet directories are zipped and stored in the temporary directory, ready for exfiltration.

The malware also includes specific functions for Telegram data theft. The backup_telegram and backup_tdata functions look for Telegram data directories, attempting to access messages, contacts, and media stored in the app. By copying these files, the malware may allow attackers to reconstruct the user's Telegram communications and media history.

Exfiltration

After gathering sensitive information,
Meme Token Hunter Bot proceeds to exfiltrate the data to a remote server. This exfiltration is executed with a series of functions that handle file renaming, uploading, and notifying the attacker's Telegram bot. The following code snippets illustrate how this process unfolds.

The function send_telegram_message sends a message to a pre-configured Telegram bot, alerting the attackers that a new batch of stolen files has been uploaded. This function ensures that the attackers receive timely updates on each exfiltration, allowing them to monitor the data theft process in real time. To further obfuscate its presence, the malware renames the stolen files with a .minecraft extension, an unusual trick likely meant to bypass basic network intrusion detection systems that monitor specific file types.
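Each step of the exfiltration flow this section describes (files staged under ~/tmp/premium, renamed to a .minecraft extension, uploaded to a public file-sharing host, and announced to a Telegram bot) leaves a separate trace in host or proxy telemetry, and the combination is far more specific than any one of them. The detector below is an added example for this page, not Moonlock's detection content or the malware's code. It runs over a few constructed JSON-lines events; the field names (ts, type, proc, path, method, host, bytes_out) are an assumed schema for the example rather than any real EDR's, and the Telegram bot token in the sample is a placeholder.

```python
import json
import re

# Constructed host telemetry in a simple JSON-lines shape. The field names are
# assumptions for this example, not a real EDR or proxy schema; the Telegram
# token in the path is a placeholder.
SAMPLE_EVENTS = [
    '{"ts":"2024-09-28T10:01:02Z","type":"file_create","proc":"python3","path":"/Users/alice/tmp/premium/notes.minecraft"}',
    '{"ts":"2024-09-28T10:01:03Z","type":"file_create","proc":"python3","path":"/Users/alice/tmp/premium/wallets.zip"}',
    '{"ts":"2024-09-28T10:01:05Z","type":"http","proc":"python3","method":"POST","host":"store1.gofile.io","path":"/uploadFile","bytes_out":583942}',
    '{"ts":"2024-09-28T10:01:06Z","type":"http","proc":"python3","method":"POST","host":"api.telegram.org","path":"/bot<PLACEHOLDER_TOKEN>/sendMessage","bytes_out":410}',
    '{"ts":"2024-09-28T10:02:00Z","type":"http","proc":"Safari","method":"GET","host":"www.apple.com","path":"/","bytes_out":120}',
    '{"ts":"2024-09-28T10:03:00Z","type":"file_create","proc":"Finder","path":"/Users/alice/Documents/report.txt"}',
]

# Indicators taken from the behaviour described in the text above.
STAGING_DIR = re.compile(r"^/Users/[^/]+/tmp/premium/")
RENAMED_EXT = ".minecraft"
UPLOAD_HOST_SUFFIXES = ("gofile.io",)
NOTIFY_HOSTS = {"api.telegram.org"}
SCRIPT_INTERPRETERS = {"python", "python3"}
# The three indicators that together characterise the exfiltration flow.
CHAIN = {"staging_dir", "filesharing_upload", "telegram_bot_notify"}


def classify_event(event):
    """Return the indicator names one parsed event matches (empty list if nothing matched)."""
    reasons = []
    if event.get("type") == "file_create":
        path = event.get("path", "")
        if STAGING_DIR.match(path):
            reasons.append("staging_dir")
        if path.endswith(RENAMED_EXT):
            reasons.append("renamed_extension")
    elif event.get("type") == "http":
        host = event.get("host", "")
        if event.get("method") == "POST" and host.endswith(UPLOAD_HOST_SUFFIXES):
            reasons.append("filesharing_upload")
        if host in NOTIFY_HOSTS and event.get("proc") in SCRIPT_INTERPRETERS:
            reasons.append("telegram_bot_notify")
    return reasons


def scan(lines):
    """Per-event hits as (timestamp, process, [indicators]) for every line that matched."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = classify_event(event)
        if reasons:
            hits.append((event["ts"], event["proc"], reasons))
    return hits


def processes_with_full_chain(lines):
    """Processes that showed staging, upload and Telegram notification together.

    A gofile.io upload or a Telegram API call is noisy on its own; the
    combination from one process is the signal worth alerting on.
    """
    flags_by_proc = {}
    for line in lines:
        event = json.loads(line)
        flags_by_proc.setdefault(event.get("proc"), set()).update(classify_event(event))
    return sorted(proc for proc, flags in flags_by_proc.items() if CHAIN <= flags)


if __name__ == "__main__":
    for ts, proc, reasons in scan(SAMPLE_EVENTS):
        print(f"{ts} {proc:8} {', '.join(reasons)}")
    print("full exfiltration chain:", processes_with_full_chain(SAMPLE_EVENTS))
```

The per-event classifier is useful for hunting (every hit is explainable by name), while processes_with_full_chain is the alert-grade rule: it fires only when one process touches the staging directory, posts to the file-sharing host and calls the Telegram API, which is the whole flow the text describes rather than any single benign-looking action.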
Once renamed, upload_file initiates the data transfer to the attacker's remote server. The file is opened in binary read mode and uploaded using requests.post to https://store1.gofile.io, a public file-sharing platform. If the upload is successful, indicated by a 200 status code, the function retrieves the download link, which is then sent to the attacker via Telegram.

11 additional repositories: the bigger picture

During our investigation,
we suspected that Meme Token Hunter Bot might not be an isolated package. Using a targeted GitHub query (b25lLnB5 and requests.get(url)), we discovered 10 additional repositories with nearly identical code. These repositories featured minor modifications in file names and UI labels, likely generated through an automated deployment strategy to maintain multiple copies of the malware, ensuring its availability even if one repository is flagged or removed.
Interestingly, while Meme Token Hunter Bot has been around for 10 months, it only began incorporating malicious code in August 2024, when base_helper.py, the file responsible for downloading the stage 2 Python stealer, was first introduced. The latest update to this file was made on September 28, 2024. On the other hand, the 11 additional repositories received their malicious updates around two months ago, when base_helper.py was added. This coordinated timing suggests that these repositories were set up specifically to distribute the malware, building on the initial success and methods seen in Meme Token Hunter Bot.
We also found Gatekeeper bypass instructions in several of these repositories, designed to guide users through bypassing macOS security warnings. The instructions were presented in a step-by-step visual format, encouraging users to right-click the application, select Open, and bypass Gatekeeper's warning.

Additionally, among the 10 additional repositories identified, one variant named Solana Bot stood out. While it follows the same malicious flow as Meme Token Hunter Bot, we observed slight modifications, particularly in filenames and function usage. A side-by-side diff analysis of Solana Bot's base_helper.py file and that of Meme Token Hunter Bot highlights these differences. The key distinctions between Solana Bot and Meme Token Hunter Bot include URL changes.

Conclusion

This investigation into Meme
Token Hunter Bot and its related variants reveals a carefully orchestrated campaign targeting macOS users. Originally brought to light by Checkmarx, this stealer package, initially disguised as a crypto tool, has expanded into a broader threat. Our analysis uncovered 11 additional repositories, each containing slight variations of the original code. The attackers appear to have employed automation to rapidly generate these repositories, using minor modifications in names, UI labels, and functionality to evade detection and ensure persistent availability. Nevertheless, we also observed familiar social engineering tactics aimed at macOS users, particularly the Gatekeeper bypass instructions. This indicates that threat actors still heavily rely on exploiting user trust. Despite the advanced techniques seen in this campaign, this reliance on user-assisted bypasses underscores the need for continued user education. Awareness is the best defense. Resources such as the Moonlock blog (moonlock.com/blog) provide macOS users with helpful insights into current threats and ways to improve their security.
IOCs are available in the VirusTotal collection: https://www.virustotal.com/gui/collection/68e7bff75a6ceb5d3d4faabfdb0e106b6527382a2b29a17c59ec3ce7d8f4233b

Thank you for listening to this HackerNoon story, read by Artificial Intelligence. Visit HackerNoon.com to read, write, learn and publish.