Malicious Python Package Hides Sliver C2 Framework in Fake Requests Library Logo


May 13, 2024 at 03:09AM

Cybersecurity researchers discovered a malicious Python package, requests-darwin-lite, concealing a Golang version of the Sliver command-and-control framework within a PNG image of the project's logo. The package, downloaded 417 times before it was removed, collected a system identifier before proceeding, and its discovery raises fresh concerns about malware distribution through open-source ecosystems.

Cybersecurity researchers have discovered a malicious Python package, "requests-darwin-lite," which masquerades as a variant of the widely used requests library. The deceptive package embeds a Golang version of the Sliver command-and-control framework within a PNG image of the project's logo.

The package was downloaded 417 times before being removed from the Python Package Index (PyPI) registry. It contains a malicious Go binary packed into an enlarged copy of the genuine requests sidebar PNG logo. Its setup.py file is also configured to decode and execute a Base64-encoded command that collects the system's Universally Unique Identifier (UUID).

The infection chain only proceeds if the UUID matches a specific value, which suggests either a highly targeted attack or a test run ahead of a broader campaign. The package reads data from a PNG file named "requests-sidebar-large.png," which is far larger than the logo shipped with the legitimate requests package. The extra size is the concealed Golang-based Sliver binary data, and that hidden implant is what makes the package dangerous.
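The oversized-logo trick is detectable with a chunk-level PNG parse rather than a file-size comparison alone. The following script is an added example, not code from the article or from the researchers who analysed the package; it assumes the hidden data is either appended after the IEND chunk or carried in a non-standard chunk (the article does not say which), and the sample PNG and the "payload" bytes are constructed here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types a benign logo would normally contain.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
                b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"pHYs", b"tIME", b"bKGD", b"tRNS"}


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list and report places a payload could hide:
    bytes after IEND, chunks of unknown type, and chunks whose CRC is wrong."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    report = {"chunks": [], "unknown_chunks": [], "bad_crc": [], "trailing_bytes": 0}
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            report["truncated"] = True  # chunk header claims more data than exists
            break
        name = ctype.decode("latin-1")
        report["chunks"].append((name, length))
        if ctype not in KNOWN_CHUNKS:
            report["unknown_chunks"].append(name)
        if struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            report["bad_crc"].append(name)
        pos += 12 + length
        if ctype == b"IEND":
            report["trailing_bytes"] = len(data) - pos  # anything after IEND is not image data
            break
    return report


def is_suspicious(report: dict) -> bool:
    return bool(report["trailing_bytes"] or report["unknown_chunks"]
                or report["bad_crc"] or report.get("truncated"))


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


# Constructed sample: a 1x1 RGB PNG, then the same image with fake binary bytes appended after IEND.
CLEAN_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00")) + _chunk(b"IEND", b""))
FAKE_PAYLOAD = b"\x7fELF" + b"A" * 60  # constructed stand-in, not a real binary
TAMPERED_PNG = CLEAN_PNG + FAKE_PAYLOAD

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("tampered", TAMPERED_PNG)):
        result = inspect_png(blob)
        print(label, "SUSPICIOUS" if is_suspicious(result) else "ok", result)
```

Run it over every image shipped inside a downloaded wheel or sdist; a logo that reports trailing bytes or unknown chunks deserves a closer look before the package is installed.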

This discovery underscores the ongoing challenge of malware being spread through open-source ecosystems. The incident highlights the need to systematically address weaknesses in package registries in order to prevent the proliferation of malware and safeguard the integrity of codebases.
