Sonatype researchers have discovered a new PyPI package named ‘secretslib‘ that drops fileless cryptominer to the memory of Linux machine systems.
The package describes itself as “secrets matching and verification made easy,” it has a total of 93 downloads since August 6, 2020.
“Sonatype has identified a ‘secretslib’ PyPI package that describes itself as “secrets matching and verification made easy.”” reads the post published by the experts. “On a closer inspection though, the package covertly runs cryptominers on your Linux machine in-memory (directly from your RAM), a technique largely employed by fileless malware and crypters.”
The package fetches a Linux executable from a remote server and execute it to drop an ELF file (“memfd“) directly in memory. It is a Monero crypto miner likely created via the ‘memfd_create‘ system call.
“Linux syscalls like ‘memfd_create’ enable programmers to drop “anonymous” files in RAM as opposed to writing the files to disk. Because the intermediate step of outputting the malicious file to the hard drive is skipped, it may not be as easy for antivirus products to proactively catch fileless malware, that now resides in a system’s volatile memory, although the task is certainly not impossible.” continues the analysis. “Moreover, since ‘secretslib’ package deletes ‘tox’ as soon as it runs, and the cryptomining code injected by ‘tox’ resides within the system’s volatile memory (RAM) as opposed to the hard drive, the malicious activity leaves little to no footprint and is quite “invisible” in a forensic sense.”
It is interesting to note that threat actors behind the ‘secretslib’ used the name of an engineer working for Argonne National Laboratory (ANL.gov), an Illinois-based science and engineering research lab operated by UChicago Argonne LLC for the U.S. Department of Energy.
A few days ago, Check Point researchers discovered another ten malicious packages on the Python Package Index (PyPI). The packages install info-stealers that allow threat actors to steal the private data and personal credentials of the developers.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, PyPI Package)
[adrotate banner=”5″]
[adrotate banner=”13″]