Cybersecurity researchers have recognized a malicious Python bundle that purports to be an offshoot of the favored requests library and has been discovered concealing a Golang-version of the Sliver command-and-control (C2) framework inside a PNG picture of the mission’s brand.
The bundle using this steganographic trickery is requests-darwin-lite, which has been downloaded 417 instances previous to it being taken down from the Python Package deal Index (PyPI) registry.
Requests-darwin-lite “gave the impression to be a fork of the ever-popular requests bundle with a number of key variations, most notably the inclusion of a malicious Go binary packed into a big model of the particular requests side-bar PNG brand,” software program provide chain security agency Phylum stated.
The modifications have been launched within the bundle’s setup.py file, which has been configured to decode and execute a Base64-encoded command to collect the system’s Universally Distinctive Identifier (UUID).
In what’s an fascinating twist, the an infection chain proceeds provided that the identifier matches a selected worth, implying that the creator(s) behind the bundle is trying to breach a particular machine to which they’re already in possession of the identifier obtained by way of another means.
This raises two potentialities: Both it is a extremely focused assault or it is some kind of a testing course of forward of a broader marketing campaign.
Ought to the UUID match, the requests-darwin-lite proceeds to learn knowledge from a PNG file named “requests-sidebar-large.png,” which bears similarities with the authentic requests bundle that ships with the same file referred to as “requests-sidebar.png.”
What’s completely different right here is that whereas the actual brand embedded inside requests has a file dimension of 300 kB, the one contained inside requests-darwin-lite is round 17 MB.
The binary knowledge hid within the PNG picture is the Golang-based Sliver, an open-source C2 framework that is designed for use by security professionals of their purple crew operations.
The precise finish aim of the bundle is at present unclear, however the improvement is as soon as once more an indication that open-source ecosystems proceed to be a gorgeous vector to distribute malware.
With a overwhelming majority of codebases counting on open-source code, the regular inflow of malware into npm, PyPI, and different bundle registries, to not point out the current XZ Utils episode, has highlighted the necessity for addressing points in a scientific method that in any other case can “derail giant swaths of the online.”
