'Culturestreak' Malware Lurks Inside GitLab Python Package

In what's becoming an all-too-common occurrence in the current threat landscape, security researchers have found yet another malicious open source package, this time an active Python file on GitLab that hijacks system resources to mine cryptocurrency.

The package, called "culturestreak," originates from an active repository on the GitLab developer site from a user named Aldri Terakhir, Checkmarx revealed in a blog post Sept. 19.

If downloaded and deployed, the package runs in an infinite loop that exploits system resources for unauthorized mining of Dero cryptocurrency as part of a larger cryptomining operation, according to Checkmarx.

"Unauthorized mining operations like the one executed by the 'culturestreak' package pose severe risks as they exploit your system's resources, slow down your computer, and potentially expose you to further risks," Checkmarx security researcher Yehuda Gelb wrote in the post.

Persistent Threat

The finding underscores the existing, persistent supply chain threat posed by opportunistic threat actors who poison open source packages that developers use to build software as a way to reach as many victims as possible with minimal effort.

Earlier this year, Checkmarx even launched a specific threat intelligence API to identify malicious packages before they reach the software supply chain as a method of defense against this tactic.

Python packages in particular have been a method of choice for hiding malicious payloads due to the popularity of the open source software platform for building software. Python developers often share code packages online via repositories like GitLab and GitHub, making it an easily accessible ecosystem for threat actors to exploit.

Threat actors have also targeted users of the Python Package Index (PyPI) in a malicious social engineering campaign that aimed to steal their credentials to load compromised packages to the repository itself.

Evasion and Deployment

Once deployed, culturestreak decodes several Base64-encoded strings in an obfuscation technique often used to hide sensitive information or to make it more difficult for someone to understand the code's intent.

In its first act of deception, the package decodes variables such as HOST, CONFIG, and FILE, which are then used in the subsequent steps of the operation. Then the malicious package sets the FILE variable, which serves as the filename for the downloaded malicious binary, to a random integer ranging from 1 to 999999.

"A possible reason for this is to hamper the ability of antivirus or security software to detect malicious files based on fixed naming conventions," Gelb wrote.

Next, culturestreak attempts to download a binary file called “bwt2," which is is saved to the /tmp/ directory, a common location for temporary files on Unix-like systems. Though the researchers couldn't read the binary due to its obfuscation, they managed to reverse-engineer it to find it had been packed with the UPX executable packer, version 4.02.

Once unpacked, the researchers extracted a gcc binary file that turned out to be a known, optimized tool for mining Dero crypto on GitHub called "astrominer 1.9.2 R4."

Cog in the Machine

As mentioned earlier, the binary is programmed to run in an infinite loop, using hardcoded pool URLs and wallet addresses, "indicating a calculated attempt to exploit the system resources for unauthorized mining of cryptocurrency [and] making it a relentless threat that continually exploits system resources," Gelb wrote.

Pool URLs are servers in which multiple users combine their computing power to mine cryptocurrency more efficiently, he explained. "This means that the package is essentially turning your computer into a cog in a larger mining operation without your consent," Gelb added.

The discovery of the culturestreak malicious code package serves as yet another reminder of how important it is for developers to "always vet code and packages from unverified or suspicious sources," Gelb wrote. Developers also should follow threat-intelligence sources to stay informed of potential threats to their software development.

Checkmarx provided a list of indicators of compromise (IoCs) in Gelb's post to help people identify if the malicious code package is running its cryptomining payload on their system.