Unmasking “Culturestreak”: The Hidden Threat of Malware in GitLab’s Python Package


Security researchers discover another malicious open source package

Recent findings by security researchers have highlighted the presence of yet another malicious open source package. This time it is an active Python package hosted on GitLab that hijacks system resources to mine cryptocurrency. The package, known as “culturestreak,” originates from a repository on the GitLab developer site and poses severe risks to users’ systems: it slows down computers, consumes CPU and memory for mining, and potentially exposes users to further risks.

This finding emphasizes the ongoing threat posed by opportunistic threat actors who inject malicious code into open source packages used by developers. By targeting widely-used open source ecosystems such as Python’s, threat actors can reach a larger number of victims with minimal effort. The popularity of Python for building software and the ease of sharing code packages on platforms like GitLab and GitHub make it a prime target for exploitation.

The industry’s defense against malicious packages

Recognizing the persistent nature of supply chain threats, Checkmarx, the cybersecurity firm that discovered the “culturestreak” package, even launched a specific threat intelligence API earlier this year. The API scans for and identifies malicious packages before they enter the software supply chain, providing a defense mechanism against this tactic.

The evasion and deployment tactics of “culturestreak”

Once deployed, the “culturestreak” package employs obfuscation techniques to hide sensitive information and make it harder to ascertain its true intentions. At runtime it decodes obfuscated values into variables such as HOST, CONFIG, and FILE, which it then uses in subsequent steps of its operation. The package also sets the FILE variable, which holds the filename of the downloaded malicious binary, to a random integer to impede detection by security software that relies on fixed naming conventions.

“Culturestreak” downloads a binary file called “bwt2” to the /tmp/ directory. Although the researchers were initially unable to read the binary due to its obfuscation, they managed to reverse-engineer it and discovered that it had been packed with the UPX executable packer. Once unpacked, a gcc-compiled binary named “astrominer 1.9.2 R4” was extracted. This file is a known miner optimized for the Dero cryptocurrency, and it runs continuously in an infinite loop.

Utilizing system resources without consent

The “astrominer” binary is designed to exploit system resources for unauthorized cryptocurrency mining. It includes hardcoded pool URLs and wallet addresses, indicating a calculated attempt to utilize users’ computing power for mining purposes. By turning users’ computers into a part of a larger mining operation, the package acts as a relentless threat that continually exploits system resources.
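The behaviours described in the last three paragraphs (constants decoded at runtime into HOST, CONFIG and FILE, a randomly numbered filename under /tmp/, a spawned binary, a UPX-packed payload with hardcoded pool URLs) are all things a reviewer can look for before a package ever runs. The following is an added example of such a static triage script; it is not Checkmarx’s tooling and not the culturestreak code. It parses Python source with the standard `ast` module, surfaces the plaintext behind base64 literals, and checks a dropped file for the UPX marker and embedded printable strings. The sample source and sample binaries are constructed for the example and do nothing harmful; `example.invalid` hosts and the `pool=placeholder` string are placeholders, not indicators from the report.

```python
"""Static triage helpers for a suspicious Python package (added example).

Looks for the behaviours described in the write-up: values decoded at
runtime into HOST/CONFIG/FILE, a random-integer filename, a /tmp/ path,
a spawned process, and a UPX-packed dropped binary. All sample inputs
below are constructed and harmless.
"""
from __future__ import annotations

import ast
import base64
import re

WATCHED_NAMES = {"HOST", "CONFIG", "FILE"}  # variable names called out in the report
EXEC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call", "os.system"}
UPX_MAGIC = b"UPX!"  # marker the UPX packer leaves in packed files


def _call_name(call: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'base64.b64decode' or 'random.randint'."""
    parts, func = [], call.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _calls_in(node: ast.AST) -> set[str]:
    return {_call_name(n) for n in ast.walk(node) if isinstance(n, ast.Call)}


def scan_source(source: str) -> list[str]:
    """Return sorted, de-duplicated indicator tags found in Python source."""
    findings: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            targets = {t.id for t in node.targets if isinstance(t, ast.Name)}
            calls = _calls_in(node.value)
            watched = targets & WATCHED_NAMES
            if watched and any(c.endswith("b64decode") for c in calls):
                findings.add("decoded-constant:" + ",".join(sorted(watched)))
            if "FILE" in targets and any(c.startswith("random.") for c in calls):
                findings.add("random-filename:FILE")
        elif isinstance(node, ast.Call) and _call_name(node) in EXEC_CALLS:
            findings.add("exec:" + _call_name(node))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith("/tmp/"):
                findings.add("tmp-path:" + node.value)
    return sorted(findings)


def reveal_decoded_literals(source: str) -> dict[str, str]:
    """Map variables assigned from b64decode(<literal>) to their plaintext."""
    revealed: dict[str, str] = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        for call in (n for n in ast.walk(node.value) if isinstance(n, ast.Call)):
            if not (_call_name(call).endswith("b64decode") and call.args):
                continue
            arg = call.args[0]
            if not isinstance(arg, ast.Constant) or not isinstance(arg.value, (str, bytes)):
                continue
            try:
                plain = base64.b64decode(arg.value, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            for t in node.targets:
                if isinstance(t, ast.Name):
                    revealed[t.id] = plain
    return revealed


def is_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX leaves its 'UPX!' marker in the packed file's header."""
    return UPX_MAGIC in data


def printable_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Minimal 'strings': printable ASCII runs, useful for spotting embedded pool URLs."""
    return [m.decode() for m in re.findall(rb"[ -~]{%d,}" % min_len, data)]


# --- constructed sample inputs (harmless placeholders) -------------------------
def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


SAMPLE_SOURCE = f'''
import base64, random, subprocess
HOST = base64.b64decode("{_b64("http://example.invalid")}").decode()
CONFIG = base64.b64decode("{_b64("pool=placeholder")}").decode()
FILE = random.randint(1000, 9999)
path = "/tmp/" + str(FILE)
subprocess.Popen([path])
'''
PACKED_SAMPLE = (b"\x7fELF" + b"\x00" * 60 + b"UPX!" + b"\x00" * 40
                 + b"stratum+tcp://pool.example.invalid:1234\x00")
PLAIN_SAMPLE = b"\x7fELF" + b"\x00" * 100

if __name__ == "__main__":
    print(scan_source(SAMPLE_SOURCE))
    print(reveal_decoded_literals(SAMPLE_SOURCE))
    print(is_upx_packed(PACKED_SAMPLE), printable_strings(PACKED_SAMPLE))
```

Run over a real package with `scan_source(open(path).read())` for each `.py` file and `is_upx_packed(open(dropped, "rb").read())` for anything written to a temp directory. The AST approach deliberately never executes the package, so decoding the literals is safe; the UPX check is a cheap heuristic (the marker can be stripped), so treat a hit as a reason to unpack and inspect rather than as proof by itself.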

Editorial – The importance of code vetting and threat intelligence

The discovery of the “culturestreak” malicious code package serves as a crucial reminder for developers to always vet code and packages, and to obtain them only from verified and trusted sources. It is essential to exercise caution when utilizing open source platforms and repositories to ensure the security of the software development process.

Developers should actively follow threat intelligence sources to stay informed about potential threats to their software. By remaining vigilant and up-to-date on the latest cybersecurity trends, developers can better protect their code and prevent the integration of malicious packages into their software projects.

Advice for developers and users

In light of this incident, developers and users alike should adopt several security measures to safeguard their systems and resources:

For developers:

  1. Validate and vet code and packages obtained from unverified or suspicious sources.
  2. Ensure the integrity of the code repositories being used.
  3. Regularly update and patch software to protect against known vulnerabilities.
  4. Follow threat intelligence sources to stay informed about potential threats.
  5. Consider implementing secure coding practices and conducting thorough code reviews.

For users:

  1. Stay informed about cybersecurity threats and maintain awareness of evolving malicious techniques.
  2. Regularly update and patch system software to protect against vulnerabilities.
  3. Be cautious when downloading and installing software from unfamiliar sources.
  4. Use reputable antivirus and anti-malware solutions to detect and mitigate threats.
  5. Consider using trusted package managers and repositories for downloading software.

By adopting these measures and maintaining good cybersecurity practices, developers and users can ensure the safety and integrity of their software development processes and systems.
