Malicious PyPi Packages used to Mine Cryptocurrency

Hackers are ever increasingly looking to abuse developers and their tools to conduct attack campaigns. Recently this trend has involved hackers uploading malicious packages to popular repositories. In April 2021, it was found that hackers had uploaded malicious code that installed the Mac Shlayer.

In the same month a new malware strain, named web-browserify, was distributed via the popular NPM repository. Both instances targeted Node.JS developers, now a malware strain has been seen targeting Python developers.

Discovered by researchers at Sonatype, the details of the new crypto mining malware and how it is distributed via the PyPi repository have been detailed in a recently published article. The attack campaign involves the threat actors apply typosquatting to trick developers into downloading the malicious package.

This is done by taking popular PyPi libraries and slightly misspelling the library’s name hoping the user downloading the package will download the malicious but slightly misspelled library rather than the intended library.

malicious pypi used to mine crypto currencies

Once downloaded the code will then fetch and download a crypto-mining malware that uses the victim’s resources without their knowledge to mine a cryptocurrency.

Researchers discovered six malicious packages on PyPi designed to do this and all six were uploaded by the same user. The malicious packages combined had been downloaded nearly 5,000 times and had the following names:

  • maratlib
  • maratlib1
  • matplatlib-plus
  • mllearnlib
  • mplatlib
  • learninglib

Researchers also discovered that of the six packages it was maratlib that carried the malicious component. The other packages install maratlib as a dependency. It can be assumed given the various names used by the attacker, they were trying to ensnare Python developers looking to install the popular Python plotting software “matplotlib.”

Once the user downloads one of the fake and malicious packages a build script is run simultaneously to the installation that installs the crypto miner. Commenting further on the infection chain Ax Sharma, the article's author, noted,

“Version 1.0 of “maratlib” is heavily obfuscated and attempted to connect to GitHub, but it wasn’t clear initially what it was looking for. Deobfuscating the code using popular tools didn’t help much, and initially left me frustrated.But, observing the dynamic behavior and looking around for clues in prior versions of “maratlib” helped solve the puzzle. Looking at version 0.6, I found little to no obfuscated code, seeing instead code that essentially downloads and runs a Bash script from GitHub…But the URL serving the bash script throws a 404 (not found) error. In every version of the package, this Bash script was hosted on GitHub, and sometimes called seo.sh, aza.sh, aza2.sh, or aza-obf.sh, among other variations, but none of these URLs worked. I kept digging and began tracing the malware author’s alias, “nedog123” on both GitHub archives and mirrors around the web. Shortly thereafter, clues emerged. The author previously used the aliases “nedog123,” and “Marat Nedogimov,” but appears to have switched to “maratoff,” which is where some of the scripts were found.”

The final payload of the malicious package is the crypto mining component itself. The threat actor appears to use a miner named Ubiqminer but has also used an open-source mining tool known as T-Rex. The open-source tool is used to enable cryptocurrency mining via the victim’s GPU. Both miners appear to set up to mine the Ubiq cryptocurrency (UBQ).

Cryptomining Threat

There is a misconception that crypto mining malware poses little to no threat as it simply uses a victim's computer resources to mine a cryptocurrency in the background. To support this argument, it is argued that the malware is designed to use so few resources that it should be regarded as negligible.

This assumes that the malware’s developer has not made an error in their code or deliberately looks to use up vast swathes of the victim’s resources. Even by using a bare minimum of resources, hardware will experience increased wear and tear and increased use of electricity.

It also needs to be considered that the attack vectors used by attackers deploying crypto miners are the same as other malware strains like ransomware. Researchers have discovered that a large portion of crypto-mining attacks led to other network-based attacks.

In very practical terms this means that crypto mining malware can threaten the availability, integrity, and security of a network or system, which can potentially result in disruptions to an enterprise’s mission-critical operations.

Information theft and system hijacking are also daunting repercussions. These attacks can also be the conduit from which additional malware is delivered. Researchers from Trend Micro also noted,

“Internet of Things (IoT) devices are also in the crosshairs of cryptocurrency-mining malware—from digital video recorders (DVRs)/surveillance cameras, set-top boxes, network-attached storage (NAS) devices, and especially routers, given their ubiquity among home and corporate environments. In April 2017, a variant of Mirai surfaced with bitcoin-mining capabilities. Mirai’s notoriety sprung from the havoc it wrought in IoT devices, particularly home routers, using them to knock high-profile sites offline last year. Over the first three quarters of 2016, we detected a bitcoin-mining zombie army made up of Windows systems, home routers, and IP cameras.”

2017 may have been malicious crypto mining’s height of popularity but it has remained an ever-present threat. It might not get the headlines like ransomware often does but it can still pose a significant threat to enterprises and individuals.

With popular repositories like PyPi been targeted, hackers are now looking to impact supply chains as well. This again poses a risk not just to the developer but to the network they may be connected to.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal