Malicious Python Package Hides Sliver C2 Framework Within PNG File

An attacker published a malicious package on PyPI named “requests-darwin-lite,” masquerading as a variant of the popular “requests” library, which contained a hidden Golang binary within an unusually large version of the legitimate “requests” logo image. 

The binary’s execution was conditional, triggering only on specific system identifiers, suggesting a targeted attack or a test phase before wider distribution. 

The legitimate requests package uses the `cmdclass` attribute in its `setup.py` file to customize test execution during installation, which defines a class named `PyTest` that inherits from TestCommand. 

This class overrides several methods to configure arguments for the `pytest` tool, and the `initialize_options` method attempts to import `multiprocessing` and use the `cpu_count` function to determine the number of cores and configure parallel testing accordingly.

If importing `multiprocessing` fails, it defaults to running tests with one process.  

The malicious requests-darwin-lite package modifies the `run` method of the custom `PyInstall` class to check if the system is macOS, and if it is, it decodes a base64-encoded string containing a command to get the system’s UUID.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

It then extracts a specific portion of the output containing the UUID and compares it to a hardcoded value. If they match, it extracts a specific section of content from a file named “requests-sidebar-large.png” and writes it to a new file named “output” in a temporary directory.

It sets the permissions of “output” to executable and runs it, which suggests the malicious code embedded within the image file is only executed on macOS machines that meet a specific criteria. 

An attacker created a malicious version of the “requests” package, and during installation on macOS, a script targeting the system’s UUID is decoded and executed.

If the UUID matches a predetermined value, the attacker steals data from a specific file within the package. 

The attacker distributed a seemingly normal PNG image (“requests-sidebar-large.png”) that was much larger than expected (17MB) and contained hidden data appended to its end.

Although a basic steganography technique, the extra data did not affect how the image was displayed. 

The attacker’s code identified this file as binary data, extracted the hidden data from a specific offset within the file, and wrote it to a new file, which likely contained malicious code, which was then made executable and silently run on the victim’s machine

It compromised the Python package “requests-darwin-lite” by injecting a dropper code into its install hook by downloading a Go binary hidden inside a PNG image. 

Analysts at Phylum suspect the binary to be OSX/Silver, a tool similar to Cobalt Strike. The attackers themselves removed the first two infected versions, the third included the dropper but not the malicious payload, and the last version appeared clean. After discovery, PyPI took down the entire package. 

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free