Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.
Latest posts by Esme Greene (see all)
- “Ducktail” Hackers Target Facebook - September 28, 2023
- Okta Breach: Super Admin Hack - September 24, 2023
- Rackspace: $10.8M Cloud Shift - September 23, 2023
Hackers were discovered distributing the KEKW virus through the use of malicious Python.whl files in this campaign. These documents resemble ZIP archives in that they include all the items required to install a Python package, such as the metadata, data files, and source code.
The Bitcoin address was discovered to be linked to the clipper activity of the threat actors in over 20 of these infected kits. The domain name kekwltd[.]ru was included in the bulk of these malicious packages, followed by blackcap[.]ru in a small number of them.
Features of the KEKW virus
The KEKW virus, which is written in Python, employs the system_information() method to gather information about the system, including login credentials, machine names, Windows product key and version, RAM size, HWID, IP address, location, and Google Maps data.
Web browsers including Google Chrome, Microsoft Edge, Yandex, Brave, and Amigo are among those from which it takes cookies, passwords, history, profiles, credit card information, and tokens.
With the use of the malware’s clipper feature, attackers may steal money from victims by substituting their own bitcoin address for the one that was intended. Once the information has been taken, the virus formats it as JSON, zips it up, and transfers it to the C2 server that the hackers control.
Summary
The organization that created the KEKW stealer virus has started a significant push to disseminate it. For instance, they can expose businesses to supply chain assaults by utilizing malicious Python software.
Security specialists must thus be on guard and act quickly to remove these packages from the repository. This will lessen how damaging the attacks are.