Cyber Security

Malicious Python Package Hides Sliver C2 Framework Within PNG File

An attacker published a malicious package on PyPI named “requests-darwin-lite,” masquerading as a variant of the popular “requests” library, which contained a hidden Golang binary within an unusually large version of the legitimate “requests” logo image. 

The binary’s execution was conditional, triggering only on specific system identifiers, suggesting a targeted attack or a test phase before wider distribution. 

The legitimate requests package uses the `cmdclass` attribute in its `` file to customize test execution during installation, which defines a class named `PyTest` that inherits from TestCommand. 

This class overrides several methods to configure arguments for the `pytest` tool, and the `initialize_options` method attempts to import `multiprocessing` and use the `cpu_count` function to determine the number of cores and configure parallel testing accordingly.

If importing `multiprocessing` fails, it defaults to running tests with one process.  

The malicious requests-darwin-lite package modifies the `run` method of the custom `PyInstall` class to check if the system is macOS, and if it is, it decodes a base64-encoded string containing a command to get the system’s UUID.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

It then extracts a specific portion of the output containing the UUID and compares it to a hardcoded value. If they match, it extracts a specific section of content from a file named “requests-sidebar-large.png” and writes it to a new file named “output” in a temporary directory.

It sets the permissions of “output” to executable and runs it, which suggests the malicious code embedded within the image file is only executed on macOS machines that meet a specific criteria. 

An attacker created a malicious version of the “requests” package, and during installation on macOS, a script targeting the system’s UUID is decoded and executed.

If the UUID matches a predetermined value, the attacker steals data from a specific file within the package. 

The requested project logo

The attacker distributed a seemingly normal PNG image (“requests-sidebar-large.png”) that was much larger than expected (17MB) and contained hidden data appended to its end.

Although a basic steganography technique, the extra data did not affect how the image was displayed. 

The attacker’s code identified this file as binary data, extracted the hidden data from a specific offset within the file, and wrote it to a new file, which likely contained malicious code, which was then made executable and silently run on the victim’s machine

The modified install hook from requests-darwin-lite’s later versions

It compromised the Python package “requests-darwin-lite” by injecting a dropper code into its install hook by downloading a Go binary hidden inside a PNG image. 

Analysts at Phylum suspect the binary to be OSX/Silver, a tool similar to Cobalt Strike. The attackers themselves removed the first two infected versions, the third included the dropper but not the malicious payload, and the last version appeared clean. After discovery, PyPI took down the entire package. 

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

CrowdStrike Releases Fix for Updates Causing Windows to Enter BSOD Loop

CrowdStrike has issued a fix for a problematic update that caused numerous Windows systems to…

8 hours ago

Beware of Free VPNs that Install Malicious Botnets

Virtual Private Networks (VPNs) have become essential tools for internet users. However, the allure of…

12 hours ago

HPE Critical 3PAR Processor Flaw Let Remote Attackers Bypass Authentication

Hewlett Packard Enterprise (HPE) has addressed a critical vulnerability in its 3PAR Service Processor software…

15 hours ago

Chrome Security Update: Patch for Multiple Flaws that Leads to Remote Code Execution

Google has announced the release of Chrome 126, a critical security update that addresses 10…

16 hours ago

CrowdStrike Update Pushing Windows Machines Into a BSOD Loop

A recent update to the CrowdStrike Falcon sensor is causing major issues for Windows users…

17 hours ago

Oracle WebLogic Server Vulnerability Allows Complete Server Take Over

A critical vulnerability identified as CVE-2024-21181 has been discovered in the Oracle WebLogic Server, posing…

18 hours ago