Monday, June 17, 2024

3 New Malicious PyPI Packages Found Installing CoinMiner on Linux Devices

Researchers identified three malicious PyPI (Python Package Index) packages that deploy a CoinMiner executable on Linux devices, affecting latency in device performance.

These packages, namely modular even-1.0, driftme-1.0, and catme-1.0, come from a recently established author account called “sastra” and exhibit an intricate multi-phase attack scheme that deploys a CoinMiner executable on Linux devices.

A prior campaign that launched a cryptocurrency miner using a package named “culturestreak” appears to be overlapping with this one.

“Culturestreak,” a malicious Python package, takes over system resources for unauthorized cryptocurrency mining. To avoid detection, the malicious package uses random filenames and obfuscated code.

How is the Attack carried out?

Following in the footsteps of the previous “culturestreak” package, these packages hide their payload by hosting it on a remote URL, hence decreasing the detectability of their malicious code. The malicious operations of the payload are then carried out by gradually releasing it in different phases.

According to Fortinet, Driftme-1.0 was chosen as an example to show the stages of the attack. The “import” statement in the file initiates the harmful activity. The malicious payload’s initial stage is contained in the module.

First stage of the malicious payload
First stage of the malicious payload

According to the information shared with Cyber Security News, two critical items are downloaded by the attacker onto the user’s device during the second stage of the harmful payload using “” script:

The first is “config.json,” a configuration file to run the installed program. This file describes the mining configuration for cryptocurrencies. It establishes the mining algorithm, specifically.

Second stage of the malicious payload
Second stage of the malicious payload

The CoinMiner executable is the second important part of the payload. The attacker utilizes the “nohup” command to run the executable in the background once downloaded from the remote URL and designated as executable. This guarantees that the process is still running when the terminal session.

“The most deceptive aspect is that the attacker ensures that all these modifications are appended to the ~/.bashrc file, ensuring the reactivation of this malicious activity whenever the user initiates a new Bash shell session,” researchers said.

During this procedure, the coinMiner ELF file was obtained. Compared to “culturestreak,” these three packages demonstrate improved methods for hiding their existence and preserving their malicious properties. 

An important improvement is the addition of a second step, in which the “” file on a remote server contains vital directives for malicious operations. Hence, the security community considers the capacity to identify subtle signs of malicious intent to be essential.


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles