Saturday, September 7, 2024
HomeCyber Security News3 New Malicious PyPI Packages Found Installing CoinMiner on Linux Devices

3 New Malicious PyPI Packages Found Installing CoinMiner on Linux Devices

Published on

Researchers identified three malicious PyPI (Python Package Index) packages that deploy a CoinMiner executable on Linux devices, affecting latency in device performance.

These packages, namely modular even-1.0, driftme-1.0, and catme-1.0, come from a recently established author account called “sastra” and exhibit an intricate multi-phase attack scheme that deploys a CoinMiner executable on Linux devices.

A prior campaign that launched a cryptocurrency miner using a package named “culturestreak” appears to be overlapping with this one.

- Advertisement - EHA

“Culturestreak,” a malicious Python package, takes over system resources for unauthorized cryptocurrency mining. To avoid detection, the malicious package uses random filenames and obfuscated code.

How is the Attack carried out?

Following in the footsteps of the previous “culturestreak” package, these packages hide their payload by hosting it on a remote URL, hence decreasing the detectability of their malicious code. The malicious operations of the payload are then carried out by gradually releasing it in different phases.

According to Fortinet, Driftme-1.0 was chosen as an example to show the stages of the attack. The “import” statement in the __init__.py file initiates the harmful activity. The malicious payload’s initial stage is contained in the processor.py module.

First stage of the malicious payload
First stage of the malicious payload

According to the information shared with Cyber Security News, two critical items are downloaded by the attacker onto the user’s device during the second stage of the harmful payload using “unmi.sh” script:

The first is “config.json,” a configuration file to run the installed program. This file describes the mining configuration for cryptocurrencies. It establishes the mining algorithm, specifically.

Second stage of the malicious payload
Second stage of the malicious payload

The CoinMiner executable is the second important part of the payload. The attacker utilizes the “nohup” command to run the executable in the background once downloaded from the remote URL and designated as executable. This guarantees that the process is still running when the terminal session.

“The most deceptive aspect is that the attacker ensures that all these modifications are appended to the ~/.bashrc file, ensuring the reactivation of this malicious activity whenever the user initiates a new Bash shell session,” researchers said.

During this procedure, the coinMiner ELF file was obtained. Compared to “culturestreak,” these three packages demonstrate improved methods for hiding their existence and preserving their malicious properties. 

An important improvement is the addition of a second step, in which the “unmi.sh” file on a remote server contains vital directives for malicious operations. Hence, the security community considers the capacity to identify subtle signs of malicious intent to be essential.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...