Three malicious Python packages (modularseven, driftme, and catme) were identified on the Python Package Index (PyPI); together they were downloaded 431 times within a month before being removed. These seemingly innocuous packages were found to deploy a CoinMiner on Linux devices upon initial use. The malware conceals its payload in the __init__.py file, which decodes and retrieves the first stage from a remote server. Notably, the malware adds an extra stage in the form of a shell script, which helps it evade detection, and it achieves persistence by inserting malicious commands into the ~/.bashrc file, thus extending its covert operation.
The discovered packages share similarities with a previous campaign involving the culturestreak package used to deploy a crypto miner. The malicious code follows an incremental release strategy, reducing detectability by hosting the payload on a remote URL and executing its activities in various stages. The ELF binary file is executed in the background using the nohup command, enabling the process to continue running after the session ends. The configuration file for mining activities and the CoinMiner file are fetched from a GitLab repository, with connections to the culturestreak package evident in the use of the domain papiculo[.]net.
The improvements in these packages include an extra stage, the shell script, which enhances stealth and helps evade detection by security software. Inserting malicious commands into the ~/.bashrc file ensures persistence and reactivation on the user’s device, contributing to an extended duration of covert operation. This staged strategy lets the threat actors exploit user devices stealthily over a prolonged period. The packages were taken down from PyPI after accumulating 431 downloads.
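A triage check for the two artifacts described above, the package's __init__.py and the user's ~/.bashrc, written as an added example; it is not code from the packages or from the original analysis. The rule patterns are heuristic assumptions, the sample inputs are constructed, and the only indicator taken from the write-up is the papiculo[.]net domain.

```python
import ast
import re

# Indicator taken from the write-up above (defanged there as papiculo[.]net).
IOC_DOMAIN = re.compile(r"papiculo(?:\[\.\]|\.)net", re.I)
# Heuristics for the persistence described above; the patterns are assumptions.
BASHRC_RULES = {
    "background nohup launch": re.compile(r"\bnohup\b.*&\s*$"),
    "download piped to shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "known campaign domain": IOC_DOMAIN,
}
DECODERS = {"b64decode", "b32decode", "unhexlify"}
RUNNERS = {"system", "popen", "Popen", "run", "call", "exec", "eval", "urlopen"}


def audit_bashrc(text):
    """Return (line_number, rule_name) for every suspicious rc-file line."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out lines are never executed
        hits += [(number, name) for name, rx in BASHRC_RULES.items() if rx.search(line)]
    return hits


def audit_init(source):
    """Flag a module that both decodes an embedded blob and runs or fetches something."""
    called = set()
    for node in ast.walk(ast.parse(source)):  # parsed only, never executed
        if isinstance(node, ast.Call):
            func = node.func
            called.add(func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", ""))
    return bool(called & DECODERS) and bool(called & RUNNERS)


# Constructed samples: harmless stand-ins, not the real packages' contents.
SAMPLE_BASHRC = """\
export PATH="$HOME/.local/bin:$PATH"
# nohup old-job &
nohup /tmp/example-bin -c /tmp/example.json >/dev/null 2>&1 &
"""
SAMPLE_INIT = 'import base64, os\nos.system(base64.b64decode(b"ZWNobyBzYW1wbGU=").decode())\n'
CLEAN_INIT = 'import base64\nTOKEN = base64.b64decode(b"c2FtcGxl")\n'

if __name__ == "__main__":
    print(audit_bashrc(SAMPLE_BASHRC))
    print(audit_init(SAMPLE_INIT), audit_init(CLEAN_INIT))
```

A hit from either function is a reason to inspect the file by hand, not a verdict: legitimate packages also decode data and run subprocesses, and a miner can be staged without matching these patterns.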