Security researchers have discovered a new campaign that attempts to gain access to corporate networks by targeting macOS devices and applying PyPI impersonation/typosquatting and steganography to compromise the endpoints.
Phylum researchers, who first observed the attack, have created unnamed threat actors that appear to be a fork of the ‘requests’ library on the Python Package Index (PyPI).
PyPI is by far the most popular open source code repository for Python in the world and is often used as a means of deploying and distributing malware.
Bad intention
The library is called requests-darwin-lite and is presented as a harmless fork of the “requests” library. It comes with a 17 MB PNG image with the Requests logo. However, that image also hides the code for the Sliver C2 enemy network.
When victims download and run the package, Sliver is installed and runs in the background. Like Cobalt Strike, Sliver is a cross-platform, open-source adversarial framework testing suite used for “read teaming” – a process for simulating cyber attacks. IT teams often use read teaming as a way to test the strength of their cyber defenses, but it has been increasingly abused by criminals in recent years.
Key features of Sliver include custom implant generation, C2 capabilities, post-exploitation tools and scripts, and more.
Typically, hackers turn to Cobalt Strike, but this adversary simulation tool has been abused and compromised to such an extent that IT teams have become significantly better at detecting and blocking malicious activity.
Following the discovery, Phylum reported its findings to the PyPI management team, who removed the malicious package from the platform. The researchers believe it was a highly targeted attack, but the targets remain unknown, as do the identities of the attackers.
Through BleepingComputer