
A malicious Python package that appears to be a spin-off of the popular requests library has been discovered by cybersecurity experts to be hiding a Golang version of the Sliver command-and-control (C2) framework behind a PNG image of the project’s logo.

The package using this steganographic technique, requests-darwin-lite, was downloaded 417 times before it was removed from the Python Package Index (PyPI) repository.

requests-darwin-lite “appeared to be a fork of the ever-popular requests package with a few key differences, most notably the inclusion of a malicious Go binary packed into a large version of the actual requests side-bar PNG logo,” warned Phylum, a software supply-chain security company.


The package’s setup.py file has undergone modifications. It is now set up to decode and run a Base64-encoded command in order to obtain the system’s Universally Unique Identifier (UUID).

An intriguing twist is that the infection chain only continues if the identifier matches a specific value, suggesting that the package’s author(s) are trying to compromise one particular machine whose identifier they had already obtained by other means.

This suggests two scenarios: Either this is a very focused attack, or this is a test run for a larger campaign.
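The behaviour described above (an install script that Base64-decodes a string and hands it to the operating system) is something a package reviewer can flag statically before anything runs. The following is an added example written for this article, not Phylum’s tooling or code from the package: it parses a setup.py with Python’s `ast` module, resolves import aliases, and reports calls that decode obfuscated data or execute commands. The two embedded setup.py strings are constructed samples; the encoded command is a harmless placeholder, not the real payload.

```python
import ast
import base64

# Calls that turn an obfuscated string back into something runnable.
DECODE_CALLS = {"base64.b64decode", "base64.decodebytes", "base64.b85decode", "codecs.decode"}
# Calls that hand a string to the operating system or the interpreter.
EXEC_CALLS = {
    "subprocess.run", "subprocess.call", "subprocess.check_output", "subprocess.Popen",
    "os.system", "os.popen", "exec", "eval",
}


def _dotted_name(node):
    """Return 'a.b.c' for Name/Attribute chains, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def scan_setup_py(source: str) -> list:
    """Return human-readable findings for decode and command-execution calls."""
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified name, so 'import os as o' is resolved
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        head, _, rest = name.partition(".")
        qualified = aliases.get(head, head) + (f".{rest}" if rest else "")
        if qualified in DECODE_CALLS:
            findings.append(f"line {node.lineno}: decodes obfuscated data via {qualified}()")
        elif qualified in EXEC_CALLS:
            findings.append(f"line {node.lineno}: executes a command via {qualified}()")
    return findings


def decodes_and_executes(source: str) -> bool:
    """True when the install script both decodes data and runs a command."""
    findings = scan_setup_py(source)
    return any("decodes" in f for f in findings) and any("executes" in f for f in findings)


# Constructed sample modelled on the behaviour the article describes; the
# encoded command is a harmless placeholder, not the real package's payload.
_PLACEHOLDER_CMD = base64.b64encode(b"echo CONSTRUCTED-UUID-LOOKUP").decode()
SUSPICIOUS_SETUP_PY = f'''
import base64
from subprocess import check_output as run_cmd
from setuptools import setup

cmd = base64.b64decode("{_PLACEHOLDER_CMD}").decode()
machine_id = run_cmd(cmd, shell=True)
setup(name="example-pkg", version="0.0.1")
'''

# Constructed benign install script for comparison.
BENIGN_SETUP_PY = '''
from setuptools import setup, find_packages

setup(name="example-pkg", version="0.0.1", packages=find_packages())
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        print(label, scan_setup_py(src) or "no findings")
```

A decode call on its own is common in legitimate packaging code; the signal worth escalating is the combination of decoding and command execution at install time, which is what `decodes_and_executes()` reports.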

If the UUIDs match, requests-darwin-lite reads data from a PNG file called “requests-sidebar-large.png,” named after the legitimate requests package’s “requests-sidebar.png” file.

The difference lies in size: the real requests logo is about 300 kB, whereas the logo shipped with requests-darwin-lite is about 17 MB.

The binary data hidden in the PNG image is a Golang build of Sliver, an open-source C2 framework designed for red-team use by security professionals.
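The article does not say how the binary was packed into the image, but a 17 MB file standing in for a 300 kB logo is exactly the kind of anomaly a defender can check mechanically. The following is an added example written for this article, not code from Phylum or from the package: it walks a PNG chunk by chunk, verifies each CRC, and reports two common hiding places, bytes appended after the IEND chunk and non-standard chunk types. The PNG it builds is a constructed 1x1 fixture, not the real logo; the `paYL` chunk name in the usage is a constructed example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification and its registered extensions.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
    b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME", b"eXIf",
}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png(extra_chunks=()) -> bytes:
    """Build a valid 1x1 greyscale PNG (constructed test fixture, not the real logo)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit depth, greyscale
    idat = zlib.compress(b"\x00\x00")  # filter-type byte + one pixel
    body = _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, payload in extra_chunks:
        body += _chunk(ctype, payload)
    return PNG_SIGNATURE + body + _chunk(b"IEND", b"")


def png_chunks(data: bytes):
    """Yield (type, offset, length) per chunk, verifying CRCs, stopping at IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        if struct.unpack(">I", crc_field)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        yield ctype, pos, length
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk found")


def inspect_png(data: bytes) -> dict:
    """Summarise where bytes could hide: after IEND, or in non-standard chunks."""
    chunks = list(png_chunks(data))
    last_type, last_offset, last_length = chunks[-1]  # png_chunks stops at IEND
    end_of_image = last_offset + 12 + last_length
    return {
        "file_size": len(data),
        "chunk_types": [c[0] for c in chunks],
        "trailing_bytes": len(data) - end_of_image,
        "unknown_chunks": [c[0] for c in chunks if c[0] not in KNOWN_CHUNKS],
    }


if __name__ == "__main__":
    clean = make_minimal_png()
    appended = clean + b"CONSTRUCTED-FAKE-PAYLOAD" * 8  # bytes after IEND
    custom_chunk = make_minimal_png(extra_chunks=[(b"paYL", b"\x00" * 32)])
    for label, img in (("clean", clean), ("appended", appended), ("custom chunk", custom_chunk)):
        print(label, inspect_png(img))
```

Image viewers stop rendering at IEND and ignore chunk types they do not recognise, so both hiding places leave the picture looking normal; a non-zero `trailing_bytes` or any entry in `unknown_chunks` in a package asset is worth a closer look, as is a file size far beyond what the declared dimensions could need.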

Although the package’s specific objective is not yet known, its discovery shows that malware distribution through open-source ecosystems remains a popular strategy.

Since most codebases depend on open-source code, it is imperative to address such issues methodically to prevent them from “derailing large swaths of the web.” This is especially important in light of the recent XZ Utils incident and the ongoing influx of malware into npm, PyPI, and other package registries.



About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
