Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository that have the ability to deploy a cryptocurrency miner on affected Linux devices.
The three malicious packages, namely ModularSeven, DriftMe and CatMe, received a total of 431 downloads in the last month before they were removed.
“These packages, upon initial use, deploy a CoinMiner executable on Linux devices,” Fortinet FortiGuard Labs researcher Gabby Xiong said, adding the campaign shares overlaps with a prior campaign that involved the use of a package called culturestreak to deploy a crypto miner.
The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server, a shell script (“unmi.sh”) that fetches a configuration file for the mining activity as well as the CoinMiner file hosted on GitLab.
The ELF binary file is executed in the background using the nohup command, thus ensuring that the process continues running even after exiting the session.
“Replicating the approach of the earlier ‘Culturestreak’ package, these packages hide their payloads, effectively reducing the detectability of their malicious code by hosting it at remote URLs,” Xiong said. “The payload is then released sequentially in different stages to carry out its malicious activities.”
The connection to the culturestreak package also stems from the fact that the configuration file is hosted on the domain papiculo[.]net and the coin mining executable is hosted on the public GitLab repository.
A notable improvement in the three new packages is the introduction of an additional step by hiding their nefarious intent in shell scripts, thereby helping them avoid detection by security software and prolonging the exploitation process.
“In addition, this malware inserts malicious commands into the ~/.bashrc file,” Xiong said. “This addition ensures the persistence and reactivation of the malware on the user’s device, effectively extending the period of its covert operation. This strategy aids in prolonged, covert exploitation of the user’s device for the attacker’s benefit “
