Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices.
The three harmful packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down.
“These packages, upon initial use, deploy a CoinMiner executable on Linux devices,” Fortinet FortiGuard Labs researcher Gabby Xiong said, adding the campaign shares overlaps with a prior campaign that involved the use of a package called culturestreak to deploy a crypto miner.
The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server, a shell script (“unmi.sh”) that fetches a configuration file for the mining activity as well as the CoinMiner file hosted on GitLab.
The ELF binary file is then executed in the background using the nohup command, thus ensuring that the process continues to run after exiting the session.
“Echoing the approach of the earlier ‘culturestreak’ package, these packages conceal their payload, effectively reducing the detectability of their malicious code by hosting it on a remote URL,” Xiong said. “The payload is then incrementally released in various stages to execute its malicious activities.”
The connections to the culturestreak package also stems from the fact that the configuration file is hosted on the domain papiculo[.]net and the coin mining executables are hosted on a public GitLab repository.
One notable improvement in the three new packages is the introduction of an extra stage by concealing their nefarious intent in the shell script, thereby helping it evade detection by security software and lengthening the exploitation process.
“Moreover, this malware inserts the malicious commands into the ~/.bashrc file,” Xiong said. “This addition ensures the malware’s persistence and reactivation on the user’s device, effectively extending the duration of its covert operation. This strategy aids in the prolonged, stealthy exploitation of the user’s device for the attacker’s benefit.”