Malicious Python Package Conceals Golang-based Sliver C2 Framework

May 13, 2024 | News


The Stealthy Incursion into Python’s Realm

Researchers uncovered a malicious Python package harboring a concealed threat within a seemingly innocuous PNG image. The package, masquerading as a variant of the widely used requests library, was discovered to contain a Golang version of the Sliver command-and-control (C2) framework, cunningly embedded within an image of the project’s logo.

Dubbed requests-darwin-lite, the package managed to elude detection until it was downloaded 417 times before being promptly removed from the Python Package Index (PyPI) registry. According to insights from software supply chain security firm Phylum, the package presented itself as a derivative of the legitimate requests package, albeit with subtle alterations, notably the incorporation of a malevolent Go binary discreetly packed within an enlarged version of the authentic requests sidebar PNG logo.

The subterfuge was orchestrated through modifications in the package’s setup.py file, programmed to execute a Base64-encoded command to extract the system’s Universally Unique Identifier (UUID). Intriguingly, the infection process progresses only upon matching a specific identifier, indicating a targeted approach by the package’s creators, potentially signaling either a meticulously planned assault or a prelude to a broader campaign.

Concealing Malware Within Innocuous Images

Upon verification of the UUID, requests-darwin-lite proceeds to access data from a PNG file named “requests-sidebar-large.png,” resembling the legitimate requests package. However, a glaring discrepancy emerges in the file sizes, with the authentic logo weighing in at 300 kB, whereas the compromised version balloons to approximately 17 MB.

Unveiled within the PNG image lies the insidious Golang-based Sliver, an open-source C2 framework typically employed by security professionals in red team operations. The ultimate objectives of this malicious package remain shrouded in mystery, yet its discovery underscores the escalating threat posed by malware infiltrating open-source ecosystems.
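The size gap described above (a 300 kB logo versus a roughly 17 MB file) is the tell a reviewer can act on. As an added example, not code from the article or from Phylum's report, the check below parses a PNG's chunk list to find where the image actually ends: bytes after the IEND chunk are ignored by every decoder and so are freight rather than picture, and unusually large non-image chunks are the other common hiding place. It does not detect data woven into the pixel stream itself. The 1x1 PNG and the appended bytes are constructed stand-ins.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types that legitimately carry the bulk of a normal PNG's bytes.
IMAGE_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_minimal_png() -> bytes:
    """Constructed 1x1 8-bit greyscale PNG standing in for the real logo file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")  # one scanline: filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def scan_png(data: bytes, ancillary_limit: int = 64 * 1024) -> dict:
    """Walk the chunk list; report bytes after IEND and any non-image chunk
    larger than ancillary_limit. Raises ValueError on a malformed file."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, oversized = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            raise ValueError(f"chunk {ctype!r} at offset {pos} runs past end of file")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on chunk {ctype!r} at offset {pos}")
        if ctype not in IMAGE_CHUNKS and length > ancillary_limit:
            oversized.append((ctype.decode("ascii", "replace"), length))
        pos = end
        if ctype == b"IEND":
            # Everything past here is invisible to an image viewer.
            return {"trailing_bytes": len(data) - pos, "oversized_chunks": oversized}
    raise ValueError("no IEND chunk: truncated or not a complete PNG")

if __name__ == "__main__":
    logo = make_minimal_png()
    freight = b"constructed stand-in for an appended binary " * 400  # ~17 KB
    print(scan_png(logo))            # {'trailing_bytes': 0, 'oversized_chunks': []}
    print(scan_png(logo + freight))  # trailing_bytes == len(freight)
```

Run it over every image shipped in a wheel or sdist; a logo whose trailing byte count is anywhere near the gap between expected and actual file size deserves a closer look before the package is installed anywhere.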

Fortifying Defenses Against Escalating Threats

As the majority of codebases rely heavily on open-source components, the incident underscores the pressing need for a systematic approach to address vulnerabilities within package registries like npm and PyPI. The recent influx of malware incidents, including the XZ Utils debacle, serves as a stark reminder of the critical importance of fortifying defenses against threats that have the potential to disrupt vast segments of the web landscape.

Source: thehackernews.com
