A now-removed rogue package pushed to the official third-party software repository for Python has been found to deploy cryptominers on Linux systems.
The module, named "secretslib" and downloaded 93 times prior to its deletion, was released to the Python Package Index (PyPI) on August 6, 2022 and is described as "secrets matching and verification made easy."
"On a closer inspection though, the package covertly runs cryptominers on your Linux machine in-memory (directly from your RAM), a technique largely employed by fileless malware and crypters," Sonatype researcher Ax Sharma disclosed in a report last week.
It achieves this by executing a Linux executable retrieved from a remote server post-installation. That executable's main task is to drop an ELF file ("memfd") directly into memory, where it runs as a Monero cryptominer; the dropped file is then deleted by the "secretslib" package.
"The malicious activity leaves little to no footprint and is quite 'invisible' in a forensic sense," Sharma pointed out.
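A memfd-backed ELF leaves no file on disk, but the kernel still exposes where a running process's executable came from: readlink on /proc/&lt;pid&gt;/exe returns "/memfd:&lt;name&gt; (deleted)" for an in-memory executable and "/path (deleted)" for a binary unlinked after exec. The following added example (not code from the article or from Sonatype) is a small defender-side triage script that classifies those link targets; the sample link targets it ships with are constructed.

```python
"""Flag Linux processes whose executable is memfd-backed or was deleted
after exec. Added example for triage; sample data below is constructed."""
import os
import re
from typing import Dict, List, Optional, Tuple

# readlink(/proc/<pid>/exe) of an in-memory ELF looks like
# "/memfd:<name> (deleted)"; an unlinked on-disk binary ends in " (deleted)".
MEMFD_RE = re.compile(r"^/memfd:.*?(?: \(deleted\))?$")
DELETED_SUFFIX = " (deleted)"


def classify_exe(link_target: str) -> Optional[str]:
    """Return 'memfd', 'deleted' or None for one /proc/<pid>/exe target."""
    if MEMFD_RE.match(link_target):
        return "memfd"
    if link_target.endswith(DELETED_SUFFIX):
        return "deleted"
    return None


def scan_exe_links(exe_links: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """Classify a {pid: exe_target} mapping. Pure function, so it can be
    exercised without a live /proc (e.g. on link targets collected remotely)."""
    findings = []
    for pid, target in sorted(exe_links.items()):
        kind = classify_exe(target)
        if kind:
            findings.append((pid, kind, target))
    return findings


def read_proc_exe_links(proc_root: str = "/proc") -> Dict[int, str]:
    """Collect readlink(/proc/<pid>/exe) for every process we may inspect."""
    links = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            links[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # kernel thread, process exited, or permission denied
            continue
    return links


# Constructed sample of what readlink would return for three processes.
SAMPLE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    4242: "/memfd:memfd (deleted)",  # in-memory ELF like the one described above
    4300: "/tmp/.x (deleted)",       # dropper binary unlinked after exec
}

if __name__ == "__main__":
    for pid, kind, exe in scan_exe_links(read_proc_exe_links()):
        print(f"pid={pid} kind={kind} exe={exe}")
```

Run it as root for full coverage; unprivileged users can only read exe links of their own processes.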
On top of that, the threat actor behind the package abused the identity and contact information of a legitimate software engineer working for Argonne National Laboratory, a U.S. Department of Energy-funded lab, to lend credibility to the malware.
The idea, in a nutshell, is to trick users into downloading poisoned libraries by assigning them to trusted, popular maintainers without their knowledge or consent – a supply chain threat called package planting.
The development comes as PyPI took steps to purge 10 malicious packages that were orchestrated to harvest critical data points such as passwords and API tokens.
I have three treasures, which I hold and guard: the first is compassion, the second is frugality, the third is not daring to put myself ahead of the world.
—— Tao Te Ching, Chapter 67
This article is translated from:
https://thehackernews.com/2022/08/newly-uncovered-pypi-package-drops.html
If you repost it, please cite the original address.
My translation skills are limited :(
Where anything is ambiguous, the original text takes precedence :)