Malicious Python Package Discovered Concealing Golang Command-and-Control Framework
Security researchers have identified a malicious Python package posing as a variant of the widely used requests library. The package, named requests-darwin-lite, hides a Golang build of the Sliver command-and-control (C2) framework inside an image file carrying the project's logo. Embedding a payload in an image in this way is a form of steganography: the logo is something a reviewer expects to find in the package and rarely inspects byte by byte, which complicates detection.
The package was downloaded 417 times before it was removed from the Python Package Index (PyPI). According to software supply chain security firm Phylum, requests-darwin-lite appeared to be a fork of the legitimate requests library, but with significant alterations, most notably a malicious Go binary embedded in an oversized copy of the genuine requests sidebar PNG logo.
The package's setup.py was also modified. Because setup.py runs when pip builds a source distribution, the added code executes at install time: it decodes a Base64-encoded command and runs it to read the machine's Universally Unique Identifier (UUID), in a way that only works on Apple macOS. Encoding the command hides it from a casual read of the file, and the macOS-only check shows the authors were interested in a specific set of systems rather than in every machine that happened to install the package.
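Install-time code of this kind is cheap to spot before it runs. The following triage script is an added example, not Phylum's tooling or the package's own code: it parses a setup.py with Python's ast module, decodes every string literal that is strict Base64 and yields printable text, and flags calls to subprocess or os.system. The sample setup.py it runs over is constructed for the example; the page does not quote the real command, so the sample encodes `ioreg -d2 -c IOPlatformExpertDevice`, a standard macOS way to read IOPlatformUUID, and the UUID literal is a placeholder.

```python
import ast
import base64
import binascii
import string

# Constructed sample setup.py in the style described above. The Base64 blob
# encodes SAMPLE_CMD (a standard macOS way to read IOPlatformUUID) and the
# UUID literal is a placeholder; neither is taken from the real package.
SAMPLE_CMD = "ioreg -d2 -c IOPlatformExpertDevice | grep IOPlatformUUID"
SAMPLE_SETUP_PY = f'''
import base64, subprocess
from setuptools import setup

cmd = base64.b64decode("{base64.b64encode(SAMPLE_CMD.encode()).decode()}").decode()
out = subprocess.check_output(cmd, shell=True).decode()
if "00000000-0000-0000-0000-000000000000" in out:
    pass  # a real dropper would unpack and run its payload here
setup(name="requests-darwin-lite", version="2.27.1")
'''

PRINTABLE = set(string.printable)


def _decodes_to_text(raw: bytes, min_len: int = 8) -> bool:
    """True if raw is ASCII, printable and long enough to be a command."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return len(text) >= min_len and all(ch in PRINTABLE for ch in text)


def find_base64_strings(source: str) -> list:
    """Return (line number, decoded text) for every string literal in
    `source` that is strict Base64 and decodes to printable ASCII."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            try:
                raw = base64.b64decode(node.value, validate=True)
            except (binascii.Error, ValueError):
                continue  # not Base64 at all (wrong alphabet or padding)
            if _decodes_to_text(raw):
                hits.append((node.lineno, raw.decode("ascii")))
    return hits


def calls_shell(source: str) -> bool:
    """True if the module calls subprocess.*, os.system or os.popen."""
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            mod, name = func.value.id, func.attr
            if mod == "subprocess" or (mod == "os" and name in ("system", "popen")):
                return True
    return False


def triage_setup_py(source: str) -> list:
    """Human-readable findings; an empty list means nothing stood out."""
    findings = [f"line {ln}: Base64 literal decodes to {text!r}"
                for ln, text in find_base64_strings(source)]
    if calls_shell(source):
        findings.append("module executes external commands at build/install time")
    return findings


if __name__ == "__main__":
    for finding in triage_setup_py(SAMPLE_SETUP_PY):
        print(finding)
```

Run it over the unpacked source distribution before installing; a setup.py that needs to execute an external command to decide what to install is a finding in itself, regardless of what the decoded string says.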
The incident echoes a recent discovery by the same firm: a rogue npm package named vue2util that posed as a utility library but implemented a token-theft scheme against USDT holders. It abused the ERC20 contract approval process to grant the attackers an unlimited allowance over the victim's tokens, which could then be drained.
The infection chain in requests-darwin-lite proceeds only if the UUID matches a hard-coded value. On any other machine the payload is never unpacked, so the package is effectively inert in a sandbox or on an analyst's workstation. The gate implies prior knowledge of the target: either this is a narrowly focused attack on known machines, or it is a trial run before a broader campaign.
On a UUID match, the package reads a PNG file named requests-sidebar-large.png. The legitimate file is about 300 kB; the copy shipped in requests-darwin-lite is nearly 17 MB. A discrepancy of that order is an easy indicator on its own: a logo should not be tens of times larger than the upstream original, and the extra bytes are the embedded binary.
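Checking an image file for a hidden binary does not require decoding the image. The script below is an added example, not code from Phylum or from the package: it walks the PNG chunk list, verifies each chunk's CRC, records where the IEND chunk ends, and reports anything that follows it, together with a size comparison against a known-good copy. It assumes the payload is appended after IEND, which is the simplest way to smuggle a binary in a file that still opens as an image; the page does not say exactly how the Sliver binary was embedded. The sample input is constructed: a minimal PNG built in code, and the same PNG with a fake Mach-O header and padding appended as a stand-in for a real implant.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# First four bytes of Mach-O files (the format a macOS Go binary would use).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit BE",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit LE",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit BE",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit LE",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat)",
}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid 8-bit RGB PNG; used only to construct sample input."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list up to IEND and report what lies after it."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks = []
    end = None
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        crc_ok = struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            end = pos
            break
    if end is None:
        raise ValueError("no IEND chunk found")
    trailer = blob[end:]
    return {
        "chunks": chunks,
        "image_bytes": end,
        "trailing_bytes": len(trailer),
        "trailer_type": MACHO_MAGICS.get(trailer[:4], "unknown" if trailer else None),
    }


def triage_png(blob: bytes, reference_size=None, factor: int = 4) -> list:
    """Reasons to distrust the file; empty list means it looked normal."""
    info = inspect_png(blob)
    reasons = []
    if info["trailing_bytes"]:
        reasons.append(f"{info['trailing_bytes']} bytes after IEND ({info['trailer_type']})")
    if reference_size and len(blob) > factor * reference_size:
        reasons.append(f"file is {len(blob) / reference_size:.1f}x the known-good size")
    if not all(ok for _, _, ok in info["chunks"]):
        reasons.append("chunk CRC mismatch")
    return reasons


# Constructed sample: a clean PNG and the same PNG with a fake Mach-O header
# plus padding appended, standing in for an embedded implant.
CLEAN_PNG = build_png()
FAKE_PAYLOAD = b"\xcf\xfa\xed\xfe" + b"\x00" * 4096
STEGO_PNG = CLEAN_PNG + FAKE_PAYLOAD

if __name__ == "__main__":
    print(inspect_png(STEGO_PNG))
    print(triage_png(STEGO_PNG, reference_size=len(CLEAN_PNG)))
```

Against the numbers on this page, a 17 MB file measured against a 300 kB upstream copy is roughly 55 times the reference size and would trip the size check even if the payload had been hidden inside a chunk rather than after IEND; the chunk list in the result shows an oversized chunk in that case.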
The binary concealed in the image is a build of Sliver, an open-source C2 framework written in Go and intended for red team operations, which is consistent with the Go binary found in the package. What the operators intended to do once a Sliver implant was running remains unclear, but the case again shows how attractive open-source registries are as a distribution channel for malware.
The incident is one more instance of the steady flow of malware into registries such as npm and PyPI, and it arrives shortly after the XZ Utils compromise. Given how much of a typical codebase comes from open-source dependencies, weaknesses in that supply chain can affect large parts of the software ecosystem, and they need systematic rather than ad hoc attention.
The people most exposed are developers and organizations that pull open-source libraries into their projects, which is why software supply chain security needs ongoing vigilance. As attackers refine their methods, the MITRE ATT&CK framework helps describe what happened here: initial access through a compromised software dependency (T1195.001) and execution via code that runs during package installation. Treating third-party packages as untrusted code until they have been reviewed is central to protecting the integrity of the systems that depend on them.