Pierluigi Paganini
January 04, 2024
Fortinet researchers discovered three malicious packages in the open-source PyPI repository. The three packages named modularseven, driftme, and catme were designed to target Linux systems to deploy a crypto miner. The packages have the same author, known as “sastra”, who created a PyPI account shortly before uploading the first of them.
The malicious packages totaled more than 400 downloads before they were removed from the repository.
Fortinet noted that the indicators of compromise (IoCs) for these packages match the ones for the “culturestreak” PyPI package discovered earlier in September.
The malicious code is triggered by the “import” statement in the __init__.py file. The first stage of the malware resides in the processor.py module.
The code decodes and retrieves a shell script (“unmi.sh”) from a remote server, in turn, it fetches a configuration file for the mining activity along with the CoinMiner file hosted on GitLab.
“Utilizing the “unmi.sh” script, the attacker downloads two critical items onto the user’s device: The first is “config.json,” a configuration file required for executing the program that will be installed. This file outlines the cryptocurrency mining setting. Specifically, it determines the mining algorithm, i.e., randomX, the device resource settings for mining operations, and the designated mining “pools,” along with the beneficiary’s wallet account. Notably, the attacker has chosen to disable the “init-avx2″ feature, presumably to ensure compatibility with older devices.” reads the analysis published by Fortinet. “The second key component of the payload is the CoinMiner executable.”
The threat actors use the “nohup” command to run the executable in the background to ensure that the process remains active beyond the terminal session. The experts noticed that the attacker appended all the modifications to the ~/.bashrc file, to maintain persistence whenever the user initiates a new Bash shell session.
“These three packages, when compared to “culturestreak,” showcase enhanced strategies in both concealing their presence and maintaining their malicious functions. A key enhancement is the introduction of an extra stage, where crucial commands for the malicious operations are stored in the “unmi.sh” file on a remote server.” concludes the report that includes indicators of compromise. “This tactic improves the odds of evading detection by security solutions by minimizing the code within the PyPI package. It also allows for more controlled disclosure of the malicious code by simply disabling the server hosting this “unmi.sh” script.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malicious packages PyPi)
