Exploitation of Malicious PyPI Packages Targeting Instagram and TikTok APIs for User Account Validation


Cybersecurity researchers have identified malicious packages uploaded to the Python Package Index (PyPI) repository that function as tools to validate stolen email addresses against TikTok and Instagram APIs. The reported packages have since been removed from PyPI, but prior to their removal, they garnered a significant number of downloads:

checker-SaGaF (2,605 downloads)
steinlurks (1,049 downloads)
sinnercore (3,300 downloads)

The checker-SaGaF package checks whether an email address is linked to a TikTok or an Instagram account. It does so by sending HTTP POST requests to TikTok’s password recovery API and Instagram’s account login endpoints; the responses confirm whether an account exists for the supplied email address.

With this information, malicious actors can threaten doxing, spam users, launch fake report campaigns that lead to account suspensions, or confirm targets before carrying out credential stuffing or password spraying attacks. Lists of validated users also commonly end up on the dark web, where they are sold for profit. While gathering active email addresses may appear innocuous, it makes subsequent attacks more efficient and reduces the chance of detection, because attempts are made only against accounts known to exist.

The second package, steinlurks, similarly targets Instagram accounts by sending forged HTTP POST requests that replicate those of the Instagram Android application to avoid detection. It interacts with various API endpoints, including:

i.instagram.com/api/v1/users/lookup/
i.instagram.com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/
i.instagram.com/api/v1/accounts/send_recovery_flow_email/
www.instagram.com/api/v1/web/accounts/check_email/

Meanwhile, sinnercore aims to initiate the password recovery process for a given username by targeting the API endpoint b.i.instagram.com/api/v1/accounts/send_password_reset/ with fabricated HTTP requests.
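A defensive counterpart to the behaviour described above, added here as an example and not taken from any of the packages: a static check that parses a Python source file and flags string literals (including URLs split across a `+` chain, a common way to hide them) that embed one of the Instagram endpoints named in this article. The endpoint list and the sample source are constructed for the demonstration.

```python
"""Flag Python source that references the account-validation endpoints
named in the article. Added example; not code from the malicious packages."""
import ast
from typing import Iterator, List, Optional, Tuple

# Host + path of each endpoint quoted in the article; the scheme is left off
# so both http:// and https:// variants match.
SUSPICIOUS_ENDPOINTS = (
    "i.instagram.com/api/v1/users/lookup/",
    "i.instagram.com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/",
    "i.instagram.com/api/v1/accounts/send_recovery_flow_email/",
    "www.instagram.com/api/v1/web/accounts/check_email/",
    "b.i.instagram.com/api/v1/accounts/send_password_reset/",
)


def _fold_str(node: ast.AST) -> Optional[str]:
    """String value of a literal, or of a '+' chain of literals; else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = _fold_str(node.left), _fold_str(node.right)
        if left is not None and right is not None:
            return left + right
    return None


def _candidate_strings(source: str) -> Iterator[Tuple[int, str]]:
    for node in ast.walk(ast.parse(source)):
        value = _fold_str(node)
        if value is not None:
            yield node.lineno, value


def find_endpoint_references(source: str) -> List[Tuple[int, str]]:
    """Return (line number, endpoint) for each literal embedding a listed
    endpoint. A folded '+' chain and its parts are walked separately, so
    duplicates on the same line are collapsed."""
    hits: List[Tuple[int, str]] = []
    for lineno, value in _candidate_strings(source):
        for endpoint in SUSPICIOUS_ENDPOINTS:
            if endpoint in value and (lineno, endpoint) not in hits:
                hits.append((lineno, endpoint))
    return hits


# Constructed sample: the URL on line 2 is split so no single literal matches.
SAMPLE_SOURCE = (
    'BASE = "https://i.instagram.com/api/v1/"\n'
    'URL = "https://www.instagram.com/api/v1/web/" + "accounts/check_email/"\n'
    'NOTE = "spelling helper"\n'
)

if __name__ == "__main__":
    for lineno, endpoint in find_endpoint_references(SAMPLE_SOURCE):
        print(f"line {lineno}: references {endpoint}")
```

Run against a downloaded package's source tree (one file at a time) before installing it; a hit is a reason to inspect the package, not proof of malice on its own.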

Additionally, sinnercore encompasses functionality to extract user attributes from Telegram, including name, user ID, biography, and premium status. It also includes features for cryptocurrency utilities—like acquiring real-time Binance prices or handling currency conversions—and targets PyPI programmers by retrieving detailed information about any package listed on PyPI, possibly for the creation of deceptive developer profiles.

Recent disclosures also highlight a separate malicious package named dbgpkg, which masquerades as a debugging utility while covertly implanting a backdoor on the developer’s system. This backdoor enables code execution and the exfiltration of sensitive data. Though the package is no longer accessible, it is estimated that it was downloaded approximately 350 times.

Interestingly, dbgpkg exhibits the same malicious payload as the previously identified discordpydebug, which was flagged earlier this month. ReversingLabs also uncovered a third package, requestsdev, believed to be involved in the same malicious campaign, which attracted 76 downloads before its removal.

Analysis has indicated that the backdoor technique utilized in this campaign exhibits similarities to the methods employed by Phoenix Hyena, a known hacktivist group that has targeted Russian entities following the Russo-Ukrainian conflict. While definitive attribution remains elusive, the identical payloads and the timeline of uploads reinforce the possibility of a connection to this group.

The methods and techniques used in these campaigns point to sophisticated threat actors who favour strategies for keeping a low profile during prolonged access to compromised systems. The use of function wrapping and tools such as the Global Socket Toolkit indicates an intent to maintain persistent access without being detected.

In conjunction with these findings, a malicious npm package named koishi-plugin-pinhaofa was also identified, which installs a data-exfiltration backdoor into chatbots built on the Koishi framework. This package, also no longer available, was marketed as a spelling-autocorrect tool; it scans messages for any eight-character hexadecimal string and forwards the complete message, potentially containing sensitive information, to a hard-coded account.

This research underscores the evolving landscape of cybersecurity threats, highlighting the critical need for vigilance and proactive security measures to protect against sophisticated malicious actors.