NEWS: I wanted to calculate integrals, but got a miner. The daily life of a Python developer in 2026

pinkman

Hackers decided your CPU was bored and forced it to mine Monero.
A malicious software package masquerading as a popular symbolic computing library has been discovered in the official PyPI repository. Attackers copied the description of a legitimate project to disguise the malware as a pre-release version and mislead Python developers. The disguise conceals an attempt to infect systems with a malicious payload and then launch a cryptocurrency miner on Linux devices.

A package named sympy-dev was published on January 17 and has since accumulated over 1,100 downloads. This may indicate that the malware has already made its way into production environments. It is distributed via PyPI and remains available for installation at the time of publication. The malware uses the name and description of the SymPy library, thereby masquerading as the original project and gaining user trust.

Socket specialists analyzed the malicious behavior and discovered that the library is being used as a loader for the XMRig miner. The injected code is activated only when certain polynomial functions are called, allowing it to remain undetected for longer.

The modified functions contact a remote server and retrieve a JSON configuration file and an ELF executable from it. The executable is then run directly from memory using the "memfd_create" and "/proc/self/fd" mechanisms, which leaves no file on disk and reduces the likelihood of detection.
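A binary started through memfd_create still leaves a mark in procfs: the process's /proc/&lt;pid&gt;/exe link points at an anonymous "/memfd:..." object rather than a path on disk. The script below, an added example written for this post and not part of Socket's analysis or the malware, walks a proc tree and lists processes whose main executable is such a memfd. The proc root is a parameter so the same scan can be run against a copied or constructed tree; the "xmrig" memfd name in the usage comment is an assumed sample, since the attacker chooses that name.

```python
"""Added example: flag processes whose main executable is an anonymous memfd
(the memfd_create + /proc/self/fd execution pattern discussed above).
Illustrative detection code, not part of the original report."""
import os
import re
from typing import List, Optional, Tuple

# A process executed from a memfd has an /proc/<pid>/exe link such as
# "/memfd:xmrig (deleted)"; the text after "memfd:" is chosen by whoever
# created the memfd, so it cannot be relied on and is only reported.
MEMFD_EXE_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


def is_memfd_exe(link_target: str) -> bool:
    """Return True when an exe symlink target points at an anonymous memfd."""
    return MEMFD_EXE_RE.match(link_target) is not None


def memfd_name(link_target: str) -> Optional[str]:
    """Return the name the memfd was created with, or None for a normal path."""
    m = MEMFD_EXE_RE.match(link_target)
    return m.group("name") if m else None


def find_memfd_processes(proc_root: str = "/proc") -> List[Tuple[int, str]]:
    """Walk <proc_root>/<pid>/exe and return (pid, link_target) for every
    process whose executable lives in anonymous memory.

    proc_root defaults to the live /proc but can point at a copied or
    constructed tree, which is how the accompanying test exercises it.
    """
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip "self", "sys", "net", ...
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            # Kernel threads and processes owned by other users (without
            # CAP_SYS_PTRACE) have no readable exe link; just skip them.
            continue
        if is_memfd_exe(target):
            hits.append((int(entry), target))
    return sorted(hits)


if __name__ == "__main__":
    for pid, target in find_memfd_processes():
        print(f"pid {pid}: executable is anonymous memory "
              f"(memfd name {memfd_name(target)!r})")
```

Run as root, or with CAP_SYS_PTRACE, so that exe links of all users' processes are readable; an empty result from an unprivileged run only means nothing visible to that user matched.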

The same technique has already been used in other stealth mining campaigns, including those known as FritzFrog and Mimo. The payload and its configuration are downloaded from the IP address "63.250.56[.]54".

The primary purpose of the malware is to deliver two ELF files designed for CPU-based cryptocurrency mining with XMRig on Linux hosts. The miner configurations set up TLS connections over the Stratum protocol on port 3333 and disable GPU usage, so that only the CPU is used.
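A miner that has been started from memory still has to open a TCP connection to its pool, and on Linux that connection shows up in /proc/net/tcp, where addresses and ports are written as hex. The example below, added for this post and not taken from the report or the malware, decodes that table and flags established connections to remote port 3333, the Stratum port named above. The sample table is constructed; the remote address 203.0.113.10 in it is a documentation (TEST-NET-3) address, not an indicator from the campaign.

```python
"""Added example: spot outbound Stratum mining connections (TCP port 3333)
by decoding the hex socket table in /proc/net/tcp. Illustrative detection
code written for this discussion; not part of the original report."""
import socket
import struct
from typing import Dict, Iterable, List, Tuple

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Remote ports worth flagging; 3333 is the Stratum port named in the report.
MINING_PORTS = frozenset({3333})

# Constructed sample in /proc/net/tcp layout: one connection from
# 10.0.0.5:51234 to 203.0.113.10:3333 (ESTABLISHED) and one to port 443.
PROC_NET_TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:C822 0A7100CB:0D05 01 00000000:00000000 00:00000000 00000000  1000        0 40001 1 0000000000000000 20 4 30 10 -1
   1: 0500000A:C823 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 40002 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(hex_endpoint: str) -> Tuple[str, int]:
    """Turn 'IPHEX:PORTHEX' from /proc/net/tcp into ('a.b.c.d', port).

    The kernel prints the IPv4 address as a host-order 32-bit integer, so on
    little-endian hosts (x86, ARM as normally run) the octets appear reversed;
    "<I" undoes that. The port is printed in network order and needs no swap.
    """
    ip_hex, port_hex = hex_endpoint.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Dict]:
    """Parse the text of /proc/net/tcp into one dict per socket."""
    rows = []
    for line in text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local = decode_endpoint(fields[1])
        remote = decode_endpoint(fields[2])
        rows.append({
            "local": local,
            "remote": remote,
            "remote_port": remote[1],
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),      # join against /proc/<pid>/fd to find the owner
        })
    return rows


def find_mining_connections(text: str,
                            ports: Iterable[int] = MINING_PORTS) -> List[Dict]:
    """Return sockets whose remote port is a mining port, excluding listeners."""
    wanted = set(ports)
    return [r for r in parse_proc_net_tcp(text)
            if r["remote_port"] in wanted and r["state"] != "LISTEN"]


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for hit in find_mining_connections(fh.read()):
            print(f"uid {hit['uid']} inode {hit['inode']}: "
                  f"{hit['local'][0]}:{hit['local'][1]} -> "
                  f"{hit['remote'][0]}:{hit['remote'][1]} ({hit['state']})")
```

The inode column is the link to the process: the same inode appears as "socket:[40001]" among the /proc/&lt;pid&gt;/fd links of whichever process owns the connection, which is how a hit here can be tied to a memfd-backed process. Port 3333 alone is a weak signal, since other services can use it; the TLS handshake to the pool and the miner's CPU profile are what confirm it.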

Experts emphasize that the injected component is capable of not only launching XMRig but also executing arbitrary additional code. This makes it a versatile tool, opening the door to further attacks from within the current Python process.