Malicious Python Package Hides Sliver C2 Framework Within PNG File
An attacker published a malicious package on PyPI named "requests-darwin-lite", masquerading as a variant of the popular "requests" library. The package contained a hidden Golang binary inside an unusually large version of the legitimate "requests" logo image.
The binary's execution was conditional, triggering only on specific system identifiers, which suggests a targeted attack or a test phase before wider distribution.
The legitimate requests package uses the `cmdclass` argument in its `setup.py` to customize test execution: it defines a class named `PyTest` that inherits from `TestCommand`.
This class overrides several methods to configure arguments for the `pytest` tool. Its `initialize_options` method attempts to import `multiprocessing` and uses the `cpu_count` function to determine the number of cores and configure parallel testing accordingly.
If importing `multiprocessing` fails, it defaults to running the tests with one process.
The malicious requests-darwin-lite package instead overrides the `run` method of a customized `PyInstall` class, which runs at install time rather than at test time. The method checks whether the system is macOS, and if it is, decodes a base64-encoded string containing a command that fetches the system's hardware UUID.
It then extracts the specific part of the command output containing the UUID and compares it to a hardcoded value. If they match, it reads a specific range of bytes from a file named "requests-sidebar-large.png" and writes it to a new file named "output" in a temporary directory.
It sets the permissions of "output" to executable and runs it, so the malicious code embedded inside the image file is only ever executed on macOS machines that meet these specific criteria.
To summarize the install hook: the attacker created a malicious version of the "requests" package, and during installation on macOS a decoded command is executed to read the system's UUID. Only if the UUID matches the predetermined value does the hook extract and run the payload hidden in a specific file inside the package; on any other machine the install looks normal.
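The install-hook pattern described above is easy to spot statically: a `cmdclass` entry that overrides an install-time command, and a `run` method that decodes base64, spawns processes or changes file permissions. The following audit script is an added example written for this article, not code from the original page or from Phylum. It uses only the standard-library `ast` module; the two embedded `setup.py` samples are constructed (the benign one modelled on the requests test hook, the suspect one imitating the dropper structure with a harmless placeholder command), and the list of suspicious calls is an assumption, not an exhaustive rule set.

```python
import ast
import textwrap

# Calls that a setuptools command hook has no business making (assumed list).
SUSPICIOUS_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.check_output",
    "os.system", "os.popen", "os.chmod", "base64.b64decode",
}
# Commands that run automatically during `pip install`; overriding these is worth a look.
INSTALL_TIME_COMMANDS = {"install", "develop", "build_py", "egg_info"}


def dotted_name(node):
    """Render an ast.Name / ast.Attribute chain as 'a.b.c'; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def audit_setup_py(source: str) -> list[str]:
    """Report install-time cmdclass overrides and dangerous calls inside their run()."""
    tree = ast.parse(source)
    findings = []
    overridden = {}  # setuptools command name -> class name given in cmdclass={...}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and dotted_name(node.func) in ("setup", "setuptools.setup"):
            for kw in node.keywords:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    for key, val in zip(kw.value.keys, kw.value.values):
                        if isinstance(key, ast.Constant) and isinstance(val, ast.Name):
                            overridden[key.value] = val.id
    for cmd, cls in overridden.items():
        if cmd in INSTALL_TIME_COMMANDS:
            findings.append(f"cmdclass overrides '{cmd}' with class {cls}")
    classes = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.ClassDef)}
    for cmd, cls in overridden.items():
        cdef = classes.get(cls)
        if cdef is None:
            continue
        for fn in cdef.body:
            if isinstance(fn, ast.FunctionDef) and fn.name == "run":
                for call in ast.walk(fn):
                    if isinstance(call, ast.Call) and dotted_name(call.func) in SUSPICIOUS_CALLS:
                        findings.append(f"{cls}.run() calls {dotted_name(call.func)} (line {call.lineno})")
    return findings


# Constructed sample modelled on the legitimate requests setup.py: a test-only hook.
BENIGN_SETUP = textwrap.dedent('''
    from setuptools import setup
    from setuptools.command.test import test as TestCommand

    class PyTest(TestCommand):
        def initialize_options(self):
            TestCommand.initialize_options(self)
            try:
                from multiprocessing import cpu_count
                self.pytest_args = ["-n", str(cpu_count()), "--boxed"]
            except (ImportError, NotImplementedError):
                self.pytest_args = ["-n", "1", "--boxed"]

    setup(name="requests", cmdclass={"test": PyTest})
''')

# Constructed sample imitating the dropper pattern described above (no real payload).
SUSPECT_SETUP = textwrap.dedent('''
    import base64, os, subprocess, sys, tempfile
    from setuptools import setup
    from setuptools.command.install import install

    class PyInstall(install):
        def run(self):
            install.run(self)
            if sys.platform != "darwin":
                return
            cmd = base64.b64decode("aWQgLXU=")  # placeholder, decodes to "id -u"
            marker = subprocess.check_output(cmd, shell=True)
            path = os.path.join(tempfile.mkdtemp(), "output")
            os.chmod(path, 0o755)
            subprocess.Popen([path])

    setup(name="requests-darwin-lite", cmdclass={"install": PyInstall})
''')

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspect", SUSPECT_SETUP)):
        print(label, audit_setup_py(src) or "no findings")
```

The benign sample produces no findings because a `test` hook never runs during `pip install`; the suspect sample is flagged once for the `install` override and once per dangerous call in `run()`. In a real pipeline, run this over the sdist's `setup.py` before building, and treat any install-time override that touches `subprocess`, `base64` or `os.chmod` as a reason to inspect the package by hand.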
The attacker distributed a seemingly ordinary PNG image ("requests-sidebar-large.png") that was much larger than expected (17MB) and contained hidden data appended to its end.
Appending data after a PNG's final IEND chunk is a simple and well-known steganography technique: image viewers stop reading at IEND, so the extra data did not affect how the image was displayed.
The attacker's code opened this file as raw binary data, read the hidden bytes from a specific offset within the file, and wrote them to a new file containing the malicious code, which was then made executable and silently run on the victim's machine.
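Because a well-formed PNG ends at its IEND chunk, anything that follows can be located by walking the chunk structure rather than by guessing an offset. The following script is an added example for this article (not the attacker's code and not Phylum's tooling): it parses the PNG chunk list, verifies each chunk's CRC, returns the offset where the image really ends, and classifies any trailing bytes by executable magic. The minimal 1x1 PNG and the fake payload (a Mach-O 64-bit magic followed by zero filler) are constructed in memory so the script runs offline; the magic-number table is an assumption covering the common formats, not a complete list.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Magic numbers of executable formats one might find appended to an image (assumed list).
EXECUTABLE_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS executable",
}


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def iend_offset(blob: bytes) -> int:
    """Return the byte offset just past the IEND chunk, i.e. where a valid PNG ends.
    Raises ValueError if the blob is not a well-formed PNG."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        data_start, data_end = pos + 8, pos + 8 + length
        crc_end = data_end + 4
        if crc_end > len(blob):
            raise ValueError(f"truncated chunk {ctype!r}")
        (expected_crc,) = struct.unpack(">I", blob[data_end:crc_end])
        if zlib.crc32(ctype + blob[data_start:data_end]) & 0xFFFFFFFF != expected_crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        pos = crc_end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_data(blob: bytes) -> tuple[int, bytes]:
    """Return (offset, bytes) of anything appended after IEND; empty bytes if clean."""
    off = iend_offset(blob)
    return off, blob[off:]


def classify(data: bytes) -> str:
    for magic, name in EXECUTABLE_MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def scan_png(blob: bytes) -> dict:
    """Summarize a PNG: real image size, size of the trailer, and what the trailer looks like."""
    off, tail = trailing_data(blob)
    return {
        "png_size": off,
        "trailing_bytes": len(tail),
        "trailing_type": classify(tail) if tail else None,
    }


def build_minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG: IHDR + one zlib-compressed scanline + IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB, no interlace
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    return PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


CLEAN_PNG = build_minimal_png()
# Constructed stand-in for the appended binary: Mach-O 64-bit magic plus zero filler.
FAKE_PAYLOAD = b"\xcf\xfa\xed\xfe" + b"\x00" * 60
POLYGLOT_PNG = CLEAN_PNG + FAKE_PAYLOAD

if __name__ == "__main__":
    print("clean   :", scan_png(CLEAN_PNG))
    print("polyglot:", scan_png(POLYGLOT_PNG))
```

On the real 17MB artifact the trailer would dominate the file size, which is itself the cheapest detector: a logo image that decodes to a few hundred pixels but occupies megabytes deserves a look at what follows IEND. CRC verification matters because a crude scanner that only searches for the literal bytes `IEND` can be misled by that string appearing inside compressed image data.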
In short, the attacker compromised the Python package "requests-darwin-lite" by injecting dropper code into its install hook, which extracts a Go binary hidden inside a PNG image bundled with the package.
Analysts at Phylum suspect the binary to be Sliver, a Go-based command-and-control framework comparable to Cobalt Strike. The attackers themselves removed the first two infected versions; the third still included the dropper but not the malicious payload, and the last version looked clean. After discovery, PyPI took down the entire package.
Source credit: cybersecuritynews.com