Iraq’s booming cybercrime network is well-established and thriving

July 16, 2024

TLDR:

Key points:

  • A cybercriminal ecosystem has been discovered in Iraq linked to a Telegram bot
  • Malicious Python packages on PyPI were found to be exfiltrating user data to the bot

In a recent investigation, researchers at Checkmarx uncovered a sprawling criminal network in Iraq that is linked to a malicious Telegram bot dating back to 2022. The bot, containing more than 90,000 messages in Arabic, acts as a key to a larger, sophisticated cybercriminal ecosystem. This ecosystem includes an underground marketplace offering social media manipulation services and financial theft tools, and a suite of malicious Python packages on PyPI that exfiltrate user data to the Telegram bot chat. The packages scan users’ file systems for sensitive information, such as photos and files with specific extensions.

The researchers gained access to the attacker’s Telegram bot and found evidence of activity dating back to 2022. That evidence suggests the operation originated in Iraq and has connections to other bots. This discovery sheds light on a well-established criminal enterprise in Iraq and highlights the role of open-source software as an attack vector. The researchers emphasize the importance of collaboration and information sharing within the security community to identify and thwart such cybercriminal activities in the open-source ecosystem.
