Security researchers have detected a new campaign that seeks to gain access to corporate networks by targeting macOS devices, using PyPI typosquatting and steganography to compromise endpoints.
According to Phylum researchers, who first observed the attack, unknown threat actors created what appears to be a fork of the “requests” library in the Python Package Index (PyPI).
PyPI is by far the most popular open source Python code repository in the world and is often used as a vehicle for malware deployment and distribution.
Bad intentions
The library is called requests-darwin-lite and is presented as a harmless fork of the “requests” library. It ships with a 17MB PNG image featuring the Requests logo. However, that image also conceals the code of the Sliver C2 framework.
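A defender reviewing a package that ships an oversized image can check whether the file is only an image. The script below is an added example, not code from the article or from Phylum: it walks the PNG chunk structure, verifies each chunk CRC, and reports bytes appended after the IEND chunk or unusually large ancillary chunks, two places where extra content can sit without breaking the picture. The baseline PNG and the appended stand-in bytes are constructed inline; the threshold value is an assumption, not a figure from the article.

```python
"""Added example (not from the article or Phylum): a defender-side structural
check for PNG files bundled in a Python package. The 1x1 sample image and the
appended stand-in bytes are constructed here for demonstration."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Assemble one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, type...
    raw_scanline = b"\x00\x00"  # filter byte 0 followed by one gray pixel
    idat = zlib.compress(raw_scanline)
    return (PNG_SIGNATURE + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b""))


def analyze_png(data: bytes, big_ancillary_threshold: int = 64 * 1024) -> dict:
    """Walk the chunk list and return the findings a reviewer would act on.

    big_ancillary_threshold is an assumed cut-off for flagging oversized
    ancillary (lowercase-initial) chunks such as tEXt or zTXt.
    """
    findings = {"valid_signature": data.startswith(PNG_SIGNATURE),
                "chunks": [], "bad_crc": [], "large_ancillary": [],
                "trailing_bytes": 0, "has_iend": False}
    if not findings["valid_signature"]:
        return findings
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_bytes) < 4:
            break  # truncated chunk: everything from here counts as trailing data
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        name = ctype.decode("latin-1")
        if struct.unpack(">I", crc_bytes)[0] != expected:
            findings["bad_crc"].append(name)
        findings["chunks"].append((name, length))
        # Ancillary chunks have bit 5 of the first type byte set (lowercase letter).
        if ctype[0] & 0x20 and length > big_ancillary_threshold:
            findings["large_ancillary"].append((name, length))
        pos += 12 + length
        if ctype == b"IEND":
            findings["has_iend"] = True
            break  # a well-formed PNG ends here; anything after is not image data
    findings["trailing_bytes"] = len(data) - pos
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when the file carries content a plain image would not."""
    return (not findings["valid_signature"] or not findings["has_iend"]
            or findings["trailing_bytes"] > 0 or bool(findings["bad_crc"])
            or bool(findings["large_ancillary"]))


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed stand-in for extra bytes appended after IEND; not a real payload.
    tampered = clean + b"CONSTRUCTED-STAND-IN-BYTES" * 4
    for label, blob in (("clean", clean), ("tampered", tampered)):
        result = analyze_png(blob)
        print(label, "suspicious" if is_suspicious(result) else "ok",
              "trailing bytes:", result["trailing_bytes"])
```

Run it against any PNG pulled from a package's wheel or sdist; a non-zero trailing byte count or a multi-megabyte ancillary chunk is a reason to open the file in a hex viewer rather than trust it as a logo.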
When victims download and run the package, Sliver is installed and starts running in the background. Like Cobalt Strike, Sliver is an open-source, cross-platform adversary emulation framework used for “red teaming,” the practice of simulating cyber attacks. Such tooling is often used by IT teams to test the robustness of their cyber defenses, but in recent years it has been increasingly abused by criminals.
Sliver's main features include custom implant generation, C2 capability, post-exploitation tools and scripts, and more.
Typically, attackers opt for Cobalt Strike, but that adversary simulation tool has been abused so extensively that IT teams have become significantly better at detecting and blocking its malicious use.
After making the discovery, Phylum reported its findings to the PyPI management team, which removed the malicious package from the platform. Researchers believe this is a highly targeted attack, but the targets remain unknown, as does the identity of the attackers.
Via BleepingComputer