A malicious Python package named Culturestreak has been discovered on GitLab. It is another uncovered threat similar to the one found in the Impacket tools we previously reported on; this one, however, is said to use the victim's system resources to mine cryptocurrency.
The Culturestreak package, which was hosted in an active repository on the GitLab developer site, is said to originate from a user by the name Aldri Terakhir, as documented in an article published in September 2019 by Checkmarx.
Once downloaded and executed by a user, the Python package is said to run in an infinite loop, using the computer's resources to mine the Dero cryptocurrency as part of a larger cryptomining rig.
Yehuda Gelb, a security researcher at Checkmarx, describes the threat as:
“Unauthorized mining operations like the one executed by the ‘Culturestreak’ package pose severe risks, as they exploit your system resources, slow down your computer, and potentially expose you to further risks.”
To identify malicious packages before they reach the software supply chain, and as a defence against threat-actor tactics, Checkmarx deployed a threat intelligence API. Threat actors use Python packages to hide malicious payloads because of the language's open-source nature, its popularity in software development, and code-sharing platforms such as GitHub and GitLab. This makes the Python Package Index (PyPI) a hotspot for threat actors to exploit.
Techniques and Procedures:
The malware's techniques and procedures involve decoding several Base64-encoded strings. This is an obfuscation technique that hides sensitive data or makes the code unreadable at a glance.
In the first stage of deception, the package decodes variables such as HOST, CONFIG, and FILE, which are used to carry out the attack. After decoding the strings, the malicious package sets the FILE variable, which holds the filename for the downloaded executable, to a random integer between 1 and 999999.
Gelb further emphasized that:
“A possible reason for this is to hamper the ability of antivirus or security software to detect malicious files based on fixed naming conventions.”
In the second phase of the attack, Culturestreak downloads a binary file named “bwt2” and stores it in the /tmp directory, which holds temporary files on Unix-based systems. Although the researchers could not read the binary directly because of its obfuscation, they successfully reverse-engineered it and found it had been packed with the UPX executable packer, version 4.02.
The discovery shows that the malware turns the infected computer into a cog in a larger mining operation. Gelb emphasized that:
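As an added example (not code from the article or from Checkmarx), a small static check for the traits described above: it parses a Python module with `ast`, decodes string literals that are fed straight into `base64.b64decode`, flags decoded values that look like download hosts or temp paths, recognises the numeric /tmp naming scheme, and tests a binary for the UPX marker. The sample source, hosts and values are constructed for the demonstration.

```python
import ast
import base64
import re

# Constructed sample of the pattern the article describes: config values hidden as
# Base64 literals decoded at runtime plus a /tmp path from a random integer (hosts are placeholders).
SAMPLE_SOURCE = '''
import base64, random
HOST = base64.b64decode("aHR0cDovL2V4YW1wbGUuaW52YWxpZC9wYXlsb2Fk").decode()
CONFIG = base64.b64decode("cG9vbD1leGFtcGxlLmludmFsaWQ6MTIzNA==").decode()
FILE = "/tmp/" + str(random.randint(1, 999999))
'''
# Decoded values worth a closer look: download URLs, temp paths, pool settings.
SUSPICIOUS = re.compile(r"https?://|/tmp/|pool=|stratum", re.IGNORECASE)
TMP_NUMERIC = re.compile(r"^/tmp/(\d{1,6})$")

def find_decoded_strings(source):
    """(assigned name, decoded text) for each string literal passed directly to
    base64.b64decode() in an assignment. Base64 is encoding, not encryption,
    so the hidden values are recoverable without running the package."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        target = node.targets[0]
        name = target.id if isinstance(target, ast.Name) else "<unnamed>"
        for call in ast.walk(node.value):
            if (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                    and call.func.attr == "b64decode" and call.args
                    and isinstance(call.args[0], ast.Constant)
                    and isinstance(call.args[0].value, str)):
                try:  # binascii.Error (bad padding/chars) subclasses ValueError
                    raw = base64.b64decode(call.args[0].value, validate=True)
                except ValueError:
                    continue
                findings.append((name, raw.decode("utf-8", "replace")))
    return findings

def flag_suspicious(findings):
    """Keep only decoded values that match the indicators above."""
    return [(n, d) for n, d in findings if SUSPICIOUS.search(d)]

def is_numeric_tmp_name(path):
    """Dropper naming scheme from the article: /tmp/<integer 1..999999>."""
    m = TMP_NUMERIC.match(path)
    return bool(m) and 1 <= int(m.group(1)) <= 999999

def is_upx_packed(data):
    """UPX keeps a 'UPX!' marker near the start of a packed executable."""
    return b"UPX!" in data[:4096]
```

Run `find_decoded_strings` over each module in a package before installing it; a decoded value pointing at a URL or /tmp path is the kind of hidden configuration the article describes.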
“This means that the package is essentially turning your computer into a cog in a larger mining operation without your consent.”
A list of IoCs (Indicators of Compromise) was disclosed by Gelb in the article published on Checkmarx so that internet users can be on the lookout for the malware and check whether the malicious package is executing a cryptomining payload on their computers.
“Always vet code and packages from unverified or suspicious sources. Also, you should follow threat intelligence sources to stay informed of potential threats to your software development.”
Please let us know in the comment section what you think about this.