Threat Research

PyPI package ‘secretslib’ drops fileless Linux malware to mine monero

Securonix

Sonatype uncovered secretslib, a PyPI package that masquerades as a secrets-management library but secretly runs an in-memory Linux cryptominer, a technique used by fileless malware. The incident also involved identity impersonation of a real Argonne National Laboratory engineer to gain credibility, with Sonatype highlighting how their Repository Firewall can block such malicious packages. #secretslib #tox #memfd_create #Monero #ArgonneNationalLaboratory #PyPI

Keypoints

  • The PyPI package secretslib describes itself as “secrets matching and verification made easy” but covertly deploys a fileless Monero miner in memory on Linux.
  • The threat actor used the identity and contact information of a real ANL engineer to lend credibility, but the engineer did not publish the package and the package was taken down.
  • Base64-encoded instructions in the setup script download a hidden ELF binary named “tox” from a remote IP and execute it with elevated privileges, then delete the file.
  • The dropped “tox” binary is stripped, aiding evasion, and is capable of dropping additional in-memory payloads (fileless malware).
  • The mined cryptocurrency is Monero (XMR), and the cpulimit usage suggests an attempt to throttle resource usage to avoid detection.
  • Detection was limited at the time (less than 40% of AV engines detected it), with in-memory execution making forensic tracing difficult.
  • Sonatype emphasizes that Sonatype Repository Firewall can automatically quarantine suspicious components to protect the software supply chain.

MITRE Techniques

  • [T1195] Software Supply Chain – The malicious PyPI package secretslib was published to PyPI to deliver malware and leverage credibility from a real engineer’s identity. “The threat actor publishing the malicious package used the identity and contact information of a real national laboratory software engineer…”
  • [T1105] Ingress Tool Transfer – The package downloads a file named “tox” from a remote IP address and executes it. “downloads a mysterious file called ‘tox’ from IP address 5.161.57[.]250”
  • [T1027] Obfuscated/Compressed Files and Information – The base64-encoded instructions in setup.py obfuscate the initial downloader. “the setup.py script contained straightforward base64-encoded instructions”
  • [T1059.004] Unix Shell – The decoded commands run on the Linux shell to install wget, download and execute the payload, and clean up. “sudo apt -y install wget cpulimit … wget -q && chmod +x ./tox && timeout -k 5s 1h”
  • [T1055] Process Injection – The malware drops a payload into memory and injects the mining process, leaving little footprint on disk. “the seemingly-innocuous ‘tox’ covertly drops another ELF file directly in memory — a sign commonly associated with ‘fileless malware.’”
  • [T1573] Masquerading – The author metadata and PyPI page used the name and details of a real ANL engineer to mislead users. “The named engineer works for Argonne National Laboratory… But, turns out they are not the ones who published this package.”

Indicators of Compromise

  • [URL] http://5.161.57[.]250/tox – The remote file download used by the package downloader.
  • [IP Address] 5.161.57.250 – Host hosting the malicious binary used by the package.
  • [File] tox – The downloaded Linux ELF binary that is executed and later dropped in memory.
  • [File] memfd – The in-memory drop indicated by VirusTotal as memfd-related activity.
  • [Domain] ANL.gov – Referenced organization domain associated with the impersonated engineer (Argonne National Laboratory).
  • [Package] secretslib-0.1.0 – The PyPI package name and version involved in the incident.

Read more: https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero