Discock Stealer - Another Polymorphic Malware like WASP Stealer

Discock Stealer - Another Polymorphic Malware like WASP Stealer

January 13, 2023
Profile Icon

Jason Franscisco

What is the package name: http5

When was it released: Jan 3, 2023

Which version we are talking about: 0.0.1

How many times it was downloaded in 30 days: 61

What the package says it to be: “A small example package”

Where we started

We first observed a package performing “starjacking” in the project https://github.com/pypa/sampleproject. We flagged the package for further investigation.

What did we discover from our analysis

From our preliminary analysis, the name ‘http5’ looked suspicious and a victim could fall prey to this package as it sounded like a new version of HTTP library or any such popular package like “HTTP3” . So, we started analyzing the code. During our analysis, we came across the name ‘billythegoat356’ in the source code and  a quick search yielded very few results from which we learned that there is a similar campaign “WASP Stealer” tracked by Checkmarx’ supply chain security research team. Based on the similarity of the code-base and obfuscation techniques as explained in their blog and also their research on hunting for WASP stealer lead us to attribute “Discock Stealer” to “WASP Stealer”.

During our further analysis, it was noted that the package was obfuscated using “Hyperion” and specially crafted to target hosts running Windows Operating Systems. Once the package is installed and executed on the victim’s host, it fetches a malicious piece of python code and saves it on the victim machine. Later the package tries to collect sensitive information such as cookies, saved passwords in a browser, saved cookies of gaming applications and steals financial information from crypto wallets. All the discovered data is saved inside 2 files named wppassw.txt and wpcook.txt. The saved data is later exfiltrated through a discord webhook API. Additionally, it also collected victim’s geo location based on the public IP address.

A deep-dive into the code

As we can observe from the screenshot below the http5 package initially creates a file with a random name in the temp directory of the victim’s host which then fetches a malicious piece of code downloaded from the stage-1 – hxxps[:]//www[.]ciqertools[.]xyz/discock/nigger

Registry Editor

The hosted malicious code looks like the code of packages mentioned in Checkmarx research blog posts on WASP Stealer. Also, it can be observed that it is using Hyperion obfuscator to obfuscate its code. Since, it was not possible to conclude anything based on the static code analysis quickly, we decided to conduct a dynamic analysis in our sandbox environment.

Registry Editor

While we executed the python code inside a sandbox Linux environment, there was no indication of any network communications or system calls made, and it immediately exited. Hence, we decided to test it further on Windows environment.
When we executed the python code on Windows, we noted that it tries to perform multiple lookups.

Process Monitor

All the discovered data is saved inside 2 files named wppassw.txt and wpcook.txt. The saved data is later exfiltrated through a discord webhook API. Along with this it also collects the victim’s geo-location based on the public IP address. The behaviour is quite similar to previously known malicious packages shared on Kaspersky blog.

All these collected information was exfiltrated to gofile.io & discord webhook API.

Process Monitor

What do we conclude

Though we understand the objective of the adversary here, we are not certain how widespread is their campaign. Attacks on the software supply chain kept evolving day by day. The level of obfuscation used in this package to circumvent the security measures is a strong indication and highlights the importance of conducting a thorough analysis of open-source dependencies in use. We also observed few researchers (claimed as) who published similar packages with malicious content such as ”cxcxcx”. At some point we also thought this package could be one among them. However, we continue to research and track the campaign irrespective of any ecosystem.

MITRE ATT&CK Techniques

Initial access T1195.001 Compromise Software Dependencies and Development Tools
Execution T1059.006 Command and Scripting Interpreter: Python
Defense Evasion T1140 Deobfuscate/Decode Files or Information
Credentials Access T1555.003
Credentials from Web Browsers
Forge Web Credentials: Web Cookies
Steal Web Session Cookie
Discovery T1083 File and Directory Discovery
Command and Control T1071 Application Layer Protocol: Web Protocols
Exfiltration Over Alternative Protocol T1048 Exfiltration Over Alternative Protocol

Indicators of Compromise

  • hxxps[:]//www[.]ciqertools[.]xyz/discock/nigger
  • hxxps[:]//canary.discord.com/api/webhooks/1059836778057580564/bZ3IbBX8QfjxBZ2DLZDi-t5AdHvG-Nzc7QlWrRL76qchpVqH3kstdKNcgvHdiRs4PlE8
  • JA3 – e0ff89ed9185dfb09184797a4c3f2e1c
  • JA3S – f4febc55ea12b31ae17cfb7e614afda8

YARA rule based on some observed strings

You can download the rule from here


  1. Dhanesh Hitesh Dodia – Security Researcher, Loginsoft
  2. Kartik Singh – Security Researcher, Loginsoft

References used in our Research

WASP Attack on Python — Polymorphic Malware Shipping WASP Stealer; Infecting Hundreds Of Victims

In early November, several malicious packages were reported by Phylum and CheckPoint.

Hunting for Malicious Code: The Dangers of WASP Stealer

WASP Stealer, for those of you who aren’t familiar, is an open-source malware

Phylum Discovers Dozens More PyPI Packages

Last week, our automated risk detection platform alerted us to some suspicious activity in dozens of newly published PyPI packages.

Explore Cybersecurity Platforms

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros.

Learn more
white arrow pointing top right

About Loginsoft

For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have come to rely on Loginsoft as a trusted resource for technology talent. From startups, to product and enterprises rely on our services. Whether Onsite, Offsite, or Offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with Cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, Logs onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services which include Software development & Support, QA automation, Data Science & AI, etc.

Expertise in Integrations with Threat Intelligence and Security Products: Built more than 250+ integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet, and so on. Loginsoft is a partner with industry leading technology vendors Palo Alto, Splunk, Elastic, IBM Security, etc.

In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.

Interested to learn more? Let’s start a conversation.

Book a meeting


Latest Articles

Get practical solutions to real-world challenges, straight from experts who conquered them.

View all our articles

Sign up to our Newsletter