This Week in Malware - Fileless Linux Cryptominer, 100 Packages - Security Boulevard

2022-08-13 00:07:48 By : Ms. Lauren Zhuang


This week in malware we discovered and analyzed nearly 100 packages flagged as malicious, suspicious, or dependency confusion attacks.

Notably, we uncovered a PyPI package that drops fileless Linux malware directly in memory to covertly run a cryptominer. Furthermore, our investigation revealed the threat actor published this malicious package under the stolen identity of a software engineer from a United States National Laboratory.

In this rundown of malware, Sonatype’s automated detection system identified PyPI package secretslib as potentially malicious.

At its release, the package carried the description “secrets matching and verification made easy.” Upon investigation, the package contained a different kind of secret: it runs cryptominers on your Linux machine in memory, straight from RAM, a technique common in fileless malware and crypters.

Additionally, the threat actor who published the malicious package impersonated a real software engineer who works for a science and engineering research laboratory funded by the U.S. Department of Energy.

For a deep dive on how secretslib used a quasi-clean stripped ELF binary to drop a Linux cryptominer in memory, read Ax Sharma’s dedicated blog post.
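As an added detection example, not taken from the Sonatype post or from the secretslib analysis, the following Python flags processes whose main executable is backed by an anonymous memfd or an unlinked file, the trace that in-memory ELF execution leaves in /proc. The process table in the sample is constructed; `snapshot_proc()` is the live collector for a Linux host.

```python
"""Detect Linux processes whose executable never lived on disk (memfd) or was
unlinked after launch, the footprint of fileless ELF loaders. Added example."""
import os
import re
from typing import Dict, Iterable, List, Tuple

# readlink(/proc/<pid>/exe) targets: memfd_create() executables appear as
# "/memfd:<name> (deleted)"; a binary unlinked after exec ends in " (deleted)".
_MEMFD = re.compile(r"^/memfd:")
_DELETED = re.compile(r" \(deleted\)$")


def classify_exe(exe_link: str) -> str:
    """Return 'memfd', 'deleted' or 'ok' for one /proc/<pid>/exe link target."""
    if _MEMFD.search(exe_link):
        return "memfd"          # checked first: memfd links also carry "(deleted)"
    if _DELETED.search(exe_link):
        return "deleted"
    return "ok"


def find_fileless(procs: Iterable[Tuple[int, str, str]]) -> List[Dict[str, object]]:
    """procs yields (pid, exe_link, cmdline); return one finding per suspicious process."""
    findings: List[Dict[str, object]] = []
    for pid, exe, cmdline in procs:
        verdict = classify_exe(exe)
        if verdict != "ok":
            findings.append({"pid": pid, "exe": exe, "cmdline": cmdline, "reason": verdict})
    return findings


def snapshot_proc() -> List[Tuple[int, str, str]]:
    """Live collector (Linux only): exe link and cmdline for every numeric /proc entry."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:        # process exited or exe unreadable (needs root for others' pids)
            continue
        out.append((pid, exe, cmdline))
    return out


# Constructed sample process table, not real telemetry.
SAMPLE = [
    (1, "/usr/lib/systemd/systemd", "/sbin/init"),
    (4242, "/memfd:x (deleted)", "/usr/bin/python3 worker.py"),
    (4300, "/tmp/.cache (deleted)", "/tmp/.cache"),
    (4400, "/usr/bin/python3", "/usr/bin/python3 app.py"),
]

if __name__ == "__main__":
    for finding in find_fileless(SAMPLE):   # swap SAMPLE for snapshot_proc() on a live host
        print(finding)
```

Run as root on a live host so the exe links of other users' processes are readable; a hit on a long-lived, CPU-heavy process is worth pulling the mapped ELF out of /proc/<pid>/exe for analysis before it disappears.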

We caught the following this week via Sonatype’s automated malware detection system, offered as a part of Nexus Firewall:

@luckygoats/xray3-lab @mgmresorts/cart-components @mgmresorts/wcl-lab @quidditch/private_pkg_2 after-exec aiogram-types ci-cd-tools clarity-atoms codemirror-dart-minifier com.apple.core com.google.play.billing conda-verifyyyyy create-closure-releases default-difficulties docs-local-mocks docusign.myclick docusign.myclick.nondisclosureagreement docusign.termsandconditions donuts.node-weak drgn-tokenization dukaan-requests evankin express-okta-oath express-uzeragent federalist-admin front-analytics gaarf-fetch-cf gatsby-pancake-api gcore-cdn-stats gen-mapping ib-staking-rewards-test iftta iotex-explorer kings-landing-obfuscate ks/kw-logs kwaishop-digital-access-demo kwaishop-logs kwaishop-sdk kwaishop-utils live-commerce magic-internet-money marketplace-benchmarks martinez-api-test meesho-pow meesho_farmiso_customer_frontend messenger-quick-start mew-connect-handshake-server mobstor nequi-api-utils ngx-infinite-scroll-fixed nns-dapp node-example.ts pancake-info-api pancake-lottery-scheduler performance-quality-models-nodejs presence-service prevent-nosqli preventxss private_pkgs prmetrics ptokens-website-backend python-drgn react-server-dom-vite react_popper_old router-governance rush-mock-flush-telemetry-plugin scfg-foundation secretslib sensei-lms (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Aaron Linskens. Read the original post at: https://blog.sonatype.com/this-week-in-malware-fileless-linux-cryptominer-100-packages