Cyber-mining danger: malicious package discovered on GitLab
A seemingly innocuous Python library hides a persistent threat of unauthorized cryptocurrency mining
A recent discovery revealed a malicious package called "culturestreak" inside an active Python file on GitLab. The package abuses system resources for unauthorized mining of the Dero cryptocurrency as part of a larger cryptomining operation. Security researchers at Checkmarx spotted it in an active repository on the GitLab developer site, created by a user called Aldri Terakhir. Running the package consumes system resources, slows down the machine, and exposes it to data security risks.
Persistent threat across the supply chain
This discovery highlights the persistent threat posed by malicious actors who distribute compromised open source packages, exploiting the trust developers place in the packages they use to build their software. Checkmarx has also launched a dedicated threat intelligence API to spot malicious packages before they enter the software supply chain. Python packages in particular have often been used to hide malicious payloads because of the popularity of the platform. Python developers routinely share their packages through repositories such as GitLab and GitHub, creating an easily accessible ecosystem for malicious actors.
Evasion and distribution techniques
Once installed, the "culturestreak" package decodes several Base64-encoded strings, an obfuscation technique often used to hide sensitive information or to make the intent of the code harder to understand. It then sets variables such as HOST, CONFIG, and FILE, which are used in later stages of the operation. The FILE variable, which holds the name of the binary that will be downloaded, is assigned a random value between 1 and 999999. This choice is likely meant to hinder detection by antivirus or other security software that relies on conventional default file names.
A "gear" in the mining machine
The "culturestreak" package next attempts to download a binary called "bwt2", which it saves in the /tmp/ directory, a common location for temporary files on Unix-like systems. Although the researchers could not read the contents of the binary directly because of the redaction, they were able to decompile it and found that it had been compressed with the UPX executable packer, version 4.02. After unpacking it, a binary named "gcc" was identified, which turned out to be an optimized Dero mining tool published on GitHub as "astrominer 1.9.2 R4". The binary is programmed to run in a loop, using hard-coded pool URLs and specific wallet addresses to mine Dero. This indicates a deliberate intention to exploit system resources without permission, making the threat constant and persistent.
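The behaviour described in the two sections above (Base64-decoded configuration strings, a randomly numbered file written under /tmp/, a looped execution, and a UPX-packed ELF payload) can be turned into simple defensive checks. The following is an added example written for this article, not code from Checkmarx or from the package itself: a small `ast`-based scanner that flags those indicators in Python source, plus a byte-level check for the UPX marker in an ELF header. The `SAMPLE_SOURCE` and `SAMPLE_BLOB` inputs are constructed stand-ins with placeholder values and are never executed; the indicator names and the three-hit threshold in `classify` are the example's own assumptions.

```python
import ast

# Constructed sample: mimics the structure the article describes, with
# placeholder values only. It is parsed as text and never executed.
SAMPLE_SOURCE = '''
import base64, random, subprocess, os

HOST = base64.b64decode("PHJlZGFjdGVkPg==").decode()    # decodes to "<redacted>"
CONFIG = base64.b64decode("PHJlZGFjdGVkPg==").decode()  # placeholder value
FILE = str(random.randint(1, 999999))                   # random numeric file name
path = "/tmp/" + FILE

while True:
    subprocess.Popen([path, HOST, CONFIG])
'''

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"   # marker UPX leaves in packed executables

# Constructed byte string standing in for the header of a packed ELF dropper.
SAMPLE_BLOB = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + UPX_MARKER + b"\x00" * 16


class IndicatorVisitor(ast.NodeVisitor):
    """Collects coarse behavioural indicators from a parsed Python module."""

    def __init__(self):
        self.hits = set()

    @staticmethod
    def _callee(node):
        # "base64.b64decode" -> "b64decode", "os.system" -> "system", "run" -> "run"
        if isinstance(node.func, ast.Attribute):
            return node.func.attr
        if isinstance(node.func, ast.Name):
            return node.func.id
        return ""

    def visit_Call(self, node):
        name = self._callee(node)
        if name == "b64decode":
            self.hits.add("base64_decode")
        elif name == "randint":
            self.hits.add("random_filename")
        elif name in {"Popen", "run", "call", "check_output", "system"}:
            self.hits.add("process_exec")
        elif name in {"urlopen", "urlretrieve", "get"}:
            self.hits.add("download")
        self.generic_visit(node)

    def visit_Constant(self, node):
        # String literals pointing into the temp directory
        if isinstance(node.value, str) and node.value.startswith("/tmp/"):
            self.hits.add("tmp_path")
        self.generic_visit(node)

    def visit_While(self, node):
        # `while True:` loops are typical of a persistent miner launcher
        if isinstance(node.test, ast.Constant) and node.test.value is True:
            self.hits.add("infinite_loop")
        self.generic_visit(node)


def scan_python_source(src):
    """Return the sorted list of indicators found in a Python source string."""
    visitor = IndicatorVisitor()
    visitor.visit(ast.parse(src))
    return sorted(visitor.hits)


def classify(hits, threshold=3):
    """Assumed triage rule: three or more indicators together warrant review."""
    return "suspicious" if len(hits) >= threshold else "benign"


def looks_upx_packed_elf(data):
    """True if the bytes start with the ELF magic and carry the UPX marker."""
    return data.startswith(ELF_MAGIC) and UPX_MARKER in data


if __name__ == "__main__":
    found = scan_python_source(SAMPLE_SOURCE)
    print("indicators:", found, "->", classify(found))
    print("UPX-packed ELF:", looks_upx_packed_elf(SAMPLE_BLOB))
```

None of these indicators is malicious on its own (plenty of legitimate code decodes Base64 or writes to /tmp); the value is in the combination, which is why `classify` only raises a verdict when several co-occur. The UPX check is a cheap triage step for files found under /tmp, not a replacement for unpacking and analysing the binary as the researchers did.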
The discovery of the "culturestreak" malicious package is a reminder of the importance of always verifying code and packages, especially those from unverified or suspicious sources. Developers should follow threat intelligence sources to stay informed about potential threats to their software development. Checkmarx has published a list of indicators of compromise in its researchers' post to help determine whether the "culturestreak" package is mining cryptocurrency on your system.
09/20/2023 14:26
Marco Verro