    3 Malicious PyPI Packages and Crypto Miners Found for Linux

    By techempire

    Report | January 4, 2024 | Editorial Department | Cryptocurrency Miners/Malware

    Three new malware packages capable of deploying cryptocurrency mining programs on affected Linux devices have been discovered in the Python Package Index (PyPI) open source repository.

    The three harmful software packages, named moduleseven, driftme and catme, attracted a total of 431 downloads in the month before their removal.

    “These software packages will deploy the CoinMiner executable on Linux devices when first used,” said Gabby Xiong, a researcher at Fortinet FortiGuard Labs, adding that the campaign overlaps with a previous campaign that used a package called culturestreak to deploy a crypto miner.

    The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server: a shell script (“unmi.sh”) that fetches the configuration file for the mining activity and the CoinMiner file hosted on GitLab.

    The ELF binary is then executed in the background with the nohup command, which ensures that the process keeps running after the session exits.

    “Echoing the approach of earlier ‘culturestreak’ kits, these kits hide their payloads by hosting them on remote URLs, effectively reducing the detectability of the malicious code,” Xiong said. “The payload is then gradually released in various stages to perform its malicious activities.”

    The link to the culturestreak package also stems from the fact that the configuration file is hosted on the domain papiculo[.]net and the coin mining executables are hosted on public GitLab repositories.

    A significant improvement in these three new packages is the introduction of an additional stage that helps them evade detection by security software and prolong the exploitation process by hiding their malicious intent in a shell script.

    “In addition, the malware inserts malicious commands into the ~/.bashrc file,” Xiong said. “This addition ensures the persistence and reactivation of the malware on user devices, effectively extending the duration of its covert operations. This tactic facilitates long-term, covert exploitation of user devices to the attacker’s benefit.”
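
The two behaviours described above, an __init__.py that decodes a hidden command and runs it, and persistence through ~/.bashrc, can be triaged statically without importing the package. The following Python is an added example, not code from Fortinet or from the original article; the function names, heuristics and sample inputs are constructed for illustration, while the package names, unmi.sh and papiculo[.]net come from the article.

```python
import ast
import re

# Package names and indicators taken from the article; the heuristics are assumptions.
KNOWN_BAD = {"moduleseven", "driftme", "catme", "culturestreak"}
DECODERS = {"b64decode", "b32decode", "unhexlify", "fromhex"}
EXECUTORS = {"system", "popen", "Popen", "run", "call", "check_output", "exec", "eval"}
BASHRC_RE = re.compile(r"\bnohup\b|unmi\.sh|papiculo\.net|(curl|wget)\b.*\|\s*(ba)?sh\b")

# Constructed samples (not the real malware): a benign module, a staged loader, a .bashrc.
BENIGN = "import json\n\ndef load(p):\n    return json.load(open(p))\n"
STAGED = ("import base64, os\n"
          "cmd = base64.b64decode('ZWNobyBwbGFjZWhvbGRlcg==').decode()\n"
          "os.system(cmd)\n")
BASHRC = "export PATH=$PATH:~/bin\nnohup ~/.cache/placeholder-miner >/dev/null 2>&1 &\n"


def call_names(source):
    """Return the names of all functions and methods called in the source (parsed, never run)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            f = node.func  # os.system -> "system"; eval -> "eval"
            names.add(getattr(f, "attr", None) or getattr(f, "id", ""))
    return names


def audit_init(package, source):
    """Flag an __init__.py that both decodes an encoded string and executes something."""
    findings = []
    if package.lower() in KNOWN_BAD:
        findings.append("package name reported as malicious")
    try:
        names = call_names(source)
    except SyntaxError:
        return findings + ["unparseable __init__.py"]
    if names & DECODERS and names & EXECUTORS:
        findings.append("decodes data and runs a command")
    return findings


def audit_bashrc(text):
    """Return (line_number, line) pairs in a .bashrc that resemble the persistence described."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if not line.lstrip().startswith("#") and BASHRC_RE.search(line)]
```

Both checks are heuristics for triage: a legitimate package can decode data and spawn a process, and nohup appears in benign shell profiles, so each hit needs manual review.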
