Wednesday, October 16, 2024

A new PyPI Package was found delivering fileless Linux Malware

Security Researchers discovered a new PyPI Package designed to drop fileless cryptominer to Linux systems.

Sonatype researchers have discovered a new PyPI package named ‘secretslib‘ that drops fileless cryptominer to the memory of Linux machine systems.

The package describes itself as “secrets matching and verification made easy,” it has a total of 93 downloads since August 6, 2020.

Sonatype has identified a ‘secretslib’ PyPI package that describes itself as “secrets matching and verification made easy.”” reads the post published by the experts. “On a closer inspection though, the package covertly runs cryptominers on your Linux machine in-memory (directly from your RAM), a technique largely employed by fileless malware and crypters.”

The package fetches a Linux executable from a remote server and execute it to drop an ELF file (“memfd“) directly in memory. It is a Monero crypto miner likely created via the ‘memfd_create‘ system call.

“Linux syscalls like ‘memfd_create’ enable programmers to drop “anonymous” files in RAM as opposed to writing the files to disk. Because the intermediate step of outputting the malicious file to the hard drive is skipped, it may not be as easy for antivirus products to proactively catch fileless malware, that now resides in a system’s volatile memory, although the task is certainly not impossible.” continues the analysis. “Moreover, since ‘secretslib’ package deletes ‘tox’ as soon as it runs, and the cryptomining code injected by ‘tox’ resides within the system’s volatile memory (RAM) as opposed to the hard drive, the malicious activity leaves little to no footprint and is quite “invisible” in a forensic sense.”

It is interesting to note that threat actors behind the ‘secretslib’ used the name of an engineer working for Argonne National Laboratory (ANL.gov), an Illinois-based science and engineering research lab operated by UChicago Argonne LLC for the U.S. Department of Energy.

Recommended:  Inadvertently, a researcher crashes the KmsdBot Cryptocurrency mining Botnet

A few days ago, Check Point researchers discovered another ten malicious packages on the Python Package Index (PyPI). The packages install info-stealers that allow threat actors to steal the private data and personal credentials of the developers.

source

Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Bookmark
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
RiSec.Mitch
Just your average information security researcher from Delaware US.

more infosec reads

Subscribe for weekly updates

explore

more

security