3 New Malicious PyPI Packages Found Installing CoinMiner on Linux Devices

Researchers identified three malicious PyPI (Python Package Index) packages that deploy a CoinMiner executable on Linux devices, affecting latency in device performance.

These packages, namely modular even-1.0, driftme-1.0, and catme-1.0, come from a recently established author account called “sastra” and exhibit an intricate multi-phase attack scheme that deploys a CoinMiner executable on Linux devices.

A prior campaign that launched a cryptocurrency miner using a package named “culturestreak” appears to be overlapping with this one.

“Culturestreak,” a malicious Python package, takes over system resources for unauthorized cryptocurrency mining. To avoid detection, the malicious package uses random filenames and obfuscated code.

How is the Attack carried out?

Following in the footsteps of the previous “culturestreak” package, these packages hide their payload by hosting it on a remote URL, hence decreasing the detectability of their malicious code. The malicious operations of the payload are then carried out by gradually releasing it in different phases.

According to Fortinet, Driftme-1.0 was chosen as an example to show the stages of the attack. The “import” statement in the __init__.py file initiates the harmful activity. The malicious payload’s initial stage is contained in the processor.py module.

According to the information shared with Cyber Security News, two critical items are downloaded by the attacker onto the user’s device during the second stage of the harmful payload using “unmi.sh” script:

The first is “config.json,” a configuration file to run the installed program. This file describes the mining configuration for cryptocurrencies. It establishes the mining algorithm, specifically.

The CoinMiner executable is the second important part of the payload. The attacker utilizes the “nohup” command to run the executable in the background once downloaded from the remote URL and designated as executable. This guarantees that the process is still running when the terminal session.

“The most deceptive aspect is that the attacker ensures that all these modifications are appended to the ~/.bashrc file, ensuring the reactivation of this malicious activity whenever the user initiates a new Bash shell session,” researchers said.

During this procedure, the coinMiner ELF file was obtained. Compared to “culturestreak,” these three packages demonstrate improved methods for hiding their existence and preserving their malicious properties. 

An important improvement is the addition of a second step, in which the “unmi.sh” file on a remote server contains vital directives for malicious operations. Hence, the security community considers the capacity to identify subtle signs of malicious intent to be essential.