PyPI Package ‘secretslib’ Drops Fileless Linux Malware to Mine Monero
Sonatype has identified a ‘secretslib’ PyPI package that describes itself as “secrets matching and verification made easy.” On closer inspection, though, the package covertly runs a cryptominer on the Linux machine it is installed on, executing it in memory (directly from RAM) rather than from a file on disk, a technique largely employed by fileless malware and crypters.
Further, the threat actor who published the malicious package used the identity and contact information of a real software engineer at a U.S. Department of Energy-funded national laboratory to lend credibility to the malware; the impersonation eventually came to light.
At the time of its release, the package claimed to be a library that helps with “matching and verification of secrets”. As soon as ‘secretslib’ is installed, it downloads a file called ‘tox’, grants it execute permissions, runs it with elevated privileges via “sudo”, and deletes the file from disk once it is running.
The malicious payload dropped by ‘tox’ (referred to as ‘memfd’ by VirusTotal) is a Monero cryptominer. The use of the “cpulimit” command in the package's base64-encoded instructions now makes more sense: it caps the miner's CPU usage so that it doesn't consume excessive system resources, which would make it more likely to be noticed.
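Both behaviours described above leave a trace that a defender can look for without any sample of the malware: a binary that is executed and then unlinked shows up in /proc/&lt;pid&gt;/exe with a “(deleted)” suffix, and a payload loaded through memfd_create() shows up as “/memfd:&lt;name&gt; (deleted)”. The script below is an added example written for this page, not code from Sonatype or from the ‘secretslib’ package; it assumes only the standard /proc symlink layout, and the sample readlink() results (including the ‘tox’ and cpulimit names) are constructed for illustration.

```python
"""Flag Linux processes running from memory or from a deleted file.

Added example, not from Sonatype's write-up. Assumes only the /proc
layout: /proc/<pid>/exe is a symlink whose target ends in " (deleted)"
when the backing file was unlinked after exec, and starts with "/memfd:"
when the executable was loaded from an anonymous memfd.
"""
import os
import re
from typing import Dict, Optional

# Constructed sample readlink() results, modelled on what a 'tox'-style
# dropper leaves behind: the on-disk file is unlinked after it starts,
# and the miner itself runs from a memfd. Pids and names are made up.
SAMPLE_EXE_LINKS: Dict[int, str] = {
    1: "/usr/lib/systemd/systemd",
    812: "/usr/bin/python3.11",
    2031: "/tmp/tox (deleted)",        # started, then deleted from disk
    2044: "/memfd:tox (deleted)",      # anonymous in-memory executable
    2045: "/usr/bin/cpulimit",
}

MEMFD_RE = re.compile(r"^/memfd:")


def classify_exe(target: str) -> Optional[str]:
    """Return a finding label for a /proc/<pid>/exe target, or None."""
    # memfd targets also carry " (deleted)", so test for them first.
    if MEMFD_RE.match(target):
        return "memfd-backed executable"
    if target.endswith(" (deleted)"):
        return "running from deleted file"
    return None


def scan(exe_links: Dict[int, str]) -> Dict[int, str]:
    """Map pid -> finding for every suspicious exe target."""
    findings: Dict[int, str] = {}
    for pid, target in exe_links.items():
        label = classify_exe(target)
        if label:
            findings[pid] = label
    return findings


def read_proc_exe_links() -> Dict[int, str]:
    """Collect /proc/<pid>/exe targets on a live Linux host.

    Run as root to see every process; unprivileged runs silently skip
    what they cannot read.
    """
    links: Dict[int, str] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            links[int(name)] = os.readlink(f"/proc/{name}/exe")
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue  # kernel threads, vanished or unreadable processes
    return links


if __name__ == "__main__":
    source = read_proc_exe_links() if os.path.isdir("/proc") else SAMPLE_EXE_LINKS
    for pid, label in sorted(scan(source).items()):
        print(f"pid {pid}: {label}")
```

Treat a hit as a triage signal rather than a verdict: a long-running service whose package was upgraded also reads as “(deleted)”, and some legitimate runtimes use memfd. Correlate with the parent process (a pip or python process spawning a sudo'd binary out of /tmp), the presence of cpulimit pinning that pid, and outbound connections to mining pools.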