A now-removed rogue package pushed to the official third-party
software repository for Python has been found to deploy
cryptominers on Linux systems.
The module, named “secretslib[1]” and downloaded 93
times[2] prior to its deletion,
was released to the Python Package Index (PyPI) on August 6, 2022
and is described as “secrets matching and verification made
easy.”
“On a closer inspection though, the package covertly runs
cryptominers on your Linux machine in-memory (directly from your
RAM), a technique largely employed by fileless malware and
crypters,” Sonatype researcher Ax Sharma disclosed[3]
in a report last week.
It achieves this by executing a Linux executable file retrieved
from a remote server post installation, whose main task is to drop
an ELF[4]
file (“memfd[5]“) directly in memory
that functions as a Monero crypto miner, after which it gets
deleted by the “secretslib” package.
“The malicious activity leaves little to no footprint and is
quite ‘invisible’ in a forensic sense,” Sharma pointed out.
On top of that, the threat actor behind the package abused the
identity and contact information of a legitimate software engineer
working for Argonne National Laboratory, a U.S. Department of
Energy-funded lab to lend credibility to the malware.
The idea, in a nutshell, is to trick users into downloading
poisoned libraries by assigning them to trusted, popular
maintainers without their knowledge or consent – a supply chain
threat called package planting[6].
The development comes as PyPi took steps to purge 10 malicious packages[7] that were orchestrated
to harvest critical data points such as passwords and API
tokens.
References
- ^
secretslib
(archive.is) - ^
downloaded 93 times
(pepy.tech) - ^
disclosed
(blog.sonatype.com) - ^
ELF
(en.wikipedia.org) - ^
memfd
(www.virustotal.com) - ^
package
planting (thehackernews.com) - ^
purge 10
malicious packages (thehackernews.com)
Read more https://thehackernews.com/2022/08/newly-uncovered-pypi-package-drops.html