Three PyPI packages — modularseven-1.0, driftme-1.0, and catme-1.0 — were uploaded by the author “sastra” to deploy a CoinMiner on Linux devices, using remote-hosted payloads and staged execution to evade detection. The campaign enhances persistence by adding commands to ~/.bashrc and builds on the earlier “culturestreak” technique with additional obfuscation and a remote stage for better control.
Keypoints
- Three PyPI packages (modularseven-1.0, driftme-1.0, catme-1.0) were uploaded by the author “sastra” to deploy coin mining on Linux.
- Attack uses a staged payload delivered from remote URLs, with the initial stage decoding a string that triggers a download via curl.
- The first stage is in processor.py; decoding the string leads to fetching content from a URL and piping it to Bash for execution.
- The second stage is the unmi.sh script, which downloads config.json and the CoinMiner executable from remote addresses and configures mining settings.
- The CoinMiner is run in the background with nohup and commands are appended to ~/.bashrc to ensure persistence across new shell sessions.
- Compared to culturestreak, the trio introduces an extra stage and remote-hosted components to reduce PyPI code exposure and improve stealth.
MITRE Techniques
- [T1105] Ingress Tool Transfer – The payload is downloaded from a remote URL via curl and piped into Bash for execution. [ “fetches the content from the specified URL using curl.” ]
- [T1059.004] Unix Shell – The downloaded content is executed by the Bash shell as part of the payload execution. [ “piped into the Bash shell, which executes the following script” ]
- [T1547.001] Boot or Logon Autostart – Persistence is achieved by appending malicious commands to ~/.bashrc to reactivate on new Bash sessions. [ “appended to the ~/.bashrc file, ensuring the reactivation of this malicious activity whenever the user initiates a new Bash shell session.” ]
Indicators of Compromise
- [File name] unmi.sh — the remote shell-script stage that processor.py downloads and pipes into Bash
- [File name] modularseven-1.0/modularseven/processor.py, driftme-1.0/driftme/processor.py, catme-1.0/catme/processor.py — the first-stage loader shipped inside each package
- [Hash] 070128a5b4e1aecb61b59f3f8ef2602e63cd1e5357f1314080a7c8a4960b0bee — associated with unmi.sh
- [Hash] 4b439d8cabc5e4ad593a26065e6d374efdddf41c8d91744b077a69812df170d2 — associated with modularseven-1.0/processor.py
- [URL] hxxps[:]//papiculo[.]net/unmi[.]sh — remote script hosting
- [URL] hxxps[:]//gitlab[.]com/ajo9082734/Mine/-/raw/main/X — remote CoinMiner executable
- [Domain] papiculo.net — domain hosting configuration/initial payload
- [Domain] gitlab.com — hosting for the CoinMiner binary in a public repository