Description : A malicious Python package, requests-darwin-lite, was discovered hiding the Golang-based Sliver C2 framework inside a fake requests library logo using steganography, targeting specific macOS systems.
United States - In a worrying trend, cybersecurity researchers have uncovered a malicious Python package masquerading as an offshoot of the popular requests library, but with a sinister twist.
This malicious package conceals a Golang version of the Sliver command-and-control (C2) framework within a seemingly innocent PNG image of the requests library's logo, an act of steganography that emphasizes the growing sophistication of supply chain attacks.
The package, titled requests-darwin-lite, was available for download from the Python Package Index (PyPI) and has been downloaded 417 times before it was finally taken down.
Read More:
The Malicious Package: Requests-Darwin-Lite
The requests-darwin-lite package presented itself as a fork of the highly popular requests library, a standard tool for handling HTTP requests in Python applications.
However, unlike the genuine requests library, this malicious variant included a hidden payload – a Go binary embedded within a significantly larger PNG image file that closely resembled the real logo used by requests.
According to Phylum, a software supply chain security firm, this malicious package’s setup.py
file contained code designed to decode and execute a Base64-encoded command.
This command was used to gather the compromised system's Universally Unique Identifier (UUID), but only if the system was running Apple macOS. This is indicative of a highly targeted attack, one that appears to be aimed solely at specific macOS systems with an already identified UUID.
Steganography: Hiding Malicious Code in Plain Sight
What Is Steganography in Cybersecurity?
Steganography, the practice of concealing data within seemingly innocuous files, has long been a technique used by malicious actors to evade detection.
By embedding malicious code within the logo image, the attackers ensured that the package looked legitimate at first glance, allowing it to evade suspicion and scrutiny from automated security tools and users alike.
In the case of requests-darwin-lite, the malicious PNG file was significantly larger than the standard image used in the official requests library. While the legitimate requests-sidebar.png logo is approximately 300 kB, the altered image in the malicious package was a whopping 17 MB in size.
This larger file size allowed the attackers to hide the Sliver C2 framework, a Golang-based tool often used by security professionals in red team operations. The framework is typically employed for simulating cyberattacks, but in the wrong hands, it can be repurposed for malicious intent.
Targeted Attack or Testing?
The infection chain activated only if the UUID of the compromised system matched a pre-defined value embedded in the malicious package.
This raises several possibilities: the most likely scenario is that the attacker(s) were targeting a specific machine or set of machines whose UUIDs they had already obtained.
This level of precision suggests that this was not a broad campaign aimed at infecting a large number of systems indiscriminately, but rather a highly targeted attack.
Another possibility is that this was a test phase for a larger operation, with the attackers using the package to validate their methodology and execution before launching a wider campaign.
The exact end goal remains unclear, but the specificity of the UUID match hints at careful planning and preparation by the perpetrators.
Open-Source Software: A Growing Attack Vector
The Risks of Open-Source Ecosystems
The discovery of requests-darwin-lite is just the latest in a series of attacks targeting open-source software ecosystems. With the majority of modern applications relying heavily on open-source code, these ecosystems have become an attractive vector for distributing malware.
The popularity of npm, PyPI, and other package registries has made them prime targets for threat actors seeking to exploit developers' trust in widely used libraries and modules.
Interested:
A notable recent example is the XZ Utils episode, in which a legitimate and widely-used open-source compression utility was compromised, allowing attackers to insert malicious code into the software’s supply chain.
These incidents underscore the urgent need for more robust security practices within the open-source community, as well as better detection mechanisms to identify and remove malicious packages before they can cause harm.
How Stealthy Techniques Evade Detection
Stealthy techniques like steganography enable attackers to avoid detection by automated security tools that scan for obvious malware signatures.
By embedding malicious code within non-suspicious files, attackers can remain hidden for longer periods, allowing them to spread their malware to more systems before discovery.
This is particularly concerning in open-source ecosystems where the volume of packages and the speed of updates make it difficult for security teams to thoroughly vet every release.
Phylum's Analysis of the Threat
According to Phylum's analysis, the malicious code in requests-darwin-lite was well-crafted and cleverly concealed. The package made minimal modifications to the legitimate requests library, ensuring that it retained much of the functionality expected by developers who might unwittingly download and use it.
This allowed the attackers to maintain a low profile while quietly collecting data and executing their malicious payload on compromised systems.
Phylum also noted that the attack bore similarities to another recent incident involving a rogue npm package called vue2util. This package masqueraded as a helper utility but was, in fact, designed to execute a cryptojacking scheme that targeted victims’ USDT tokens.
The package exploited the ERC20 contract approval mechanism, granting unlimited approval to the attackers’ contract address and allowing them to drain the victims’ tokens without detection.
These incidents highlight the increasing sophistication of supply chain attacks and the need for more comprehensive security measures to protect against these threats.
Preventing Supply Chain Attacks
The Role of Developers
For developers, ensuring the security of their software supply chain has never been more critical. Some best practices for mitigating the risks posed by malicious packages include:
- Verifying the Source: Before installing a package, developers should verify that it comes from a trusted source. Checking the package's maintainers, version history, and other metadata can help identify red flags.
- Using Package Signatures: Some package registries, like PyPI, support signed packages, which provide a higher level of assurance that the code has not been tampered with. Developers should prioritize using signed packages whenever possible.
- Scanning for Malware: Automated tools that scan for malware in dependencies can help catch malicious code before it is executed. These tools analyze code for known vulnerabilities and suspicious patterns, offering an additional layer of protection.
- Regular Updates: Keeping dependencies up to date is essential for protecting against newly discovered vulnerabilities. Attackers often exploit outdated packages that have known security flaws.
Security Measures for Open-Source Ecosystems
For package registries and open-source communities, improving security is a multi-faceted challenge. Some potential measures to combat malicious packages include:
- Stronger Vetting Processes: Increasing the scrutiny of newly published packages can help catch malicious code before it is made available to the public. Automated tools that analyze package behavior, combined with manual reviews by security experts, can enhance detection.
- Greater Transparency: Requiring more transparency from package maintainers, such as providing detailed changelogs and explanations for new releases, can help build trust and reduce the likelihood of malicious packages slipping through the cracks.
- Collaboration with Security Researchers: Open-source communities should work closely with security researchers to identify and respond to new threats. Establishing bug bounty programs and other incentives for reporting vulnerabilities can encourage more active participation in securing the ecosystem.
The discovery of requests-darwin-lite and its use of steganography to hide the Sliver C2 framework within a PNG image highlights the ongoing threat posed by supply chain attacks in open-source ecosystems.
As malicious actors become increasingly sophisticated in their methods, the need for robust security practices and vigilance within the developer community has never been more apparent.
Developers and security professionals must work together to secure the open-source ecosystem, ensuring that the code we all rely on remains safe from compromise.
By remaining aware of these threats and taking proactive steps to mitigate them, we can protect the software supply chain and safeguard the integrity of the tools that power modern development.
Don't Miss: