Python Package Hides Sliver C2 Framework

admin, 14 May 2024 18:59:33


Cybersecurity researchers have identified a malicious Python package that purports to be an offshoot of the popular requests library and has been found concealing a Golang version of the Sliver command-and-control (C2) framework within a PNG image of the project's logo.


The package employing this steganographic trickery is requests-darwin-lite, which was downloaded 417 times before being taken down from the Python Package Index (PyPI) registry.


Requests-darwin-lite "appeared to be a fork of the ever-popular requests package with a few key differences, most notably the inclusion of a malicious Go binary packed into a large version of the actual requests side-bar PNG logo," software supply chain security firm Phylum said.


The changes live in the package's setup.py file, which is configured to decode and execute a Base64-encoded command that gathers the system's Universally Unique Identifier (UUID).


In an interesting twist, the infection chain proceeds only if the identifier matches a particular hard-coded value, implying that the author(s) behind the package are after one specific machine whose identifier they already obtained through some other means.


This raises two possibilities: either it is a highly targeted attack, or it is some sort of testing run ahead of a broader campaign.


Should the UUID match, requests-darwin-lite proceeds to read data from a PNG file named "requests-sidebar-large.png," mirroring the legitimate requests package, which ships with a similarly named file called "requests-sidebar.png."


What's different here is that while the real logo embedded within requests has a file size of 300 kB, the one contained inside requests-darwin-lite is around 17 MB.


The binary data concealed in the PNG image is the Golang-based Sliver, an open-source C2 framework that's designed to be used by security professionals in their red team operations.

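A defender-side check for this kind of concealment, added here as an example and not code from the page or from Phylum: it walks a PNG's chunk structure, reports any bytes trailing the IEND chunk, and flags a file-size anomaly like the 300 kB versus 17 MB gap described above. The sample PNG and the appended payload are constructed inline; appending data after IEND is one common way to hide a binary in an image, but the page does not say how the Sliver binary was embedded, so treating trailing data as the indicator is an assumption about technique.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunks(data: bytes):
    """Walk the chunk list; return ([(type, length), ...], offset just past IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated {ctype!r} chunk")
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc_bytes)[0]:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        chunks.append((ctype, length))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk")

def trailing_bytes(data: bytes) -> int:
    """Bytes after IEND: decoders ignore them, so they are a convenient hiding place."""
    _, end = png_chunks(data)
    return len(data) - end

def audit_png(data: bytes, max_expected_bytes: int = 1_000_000) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    extra = trailing_bytes(data)
    if extra:
        findings.append(f"{extra} bytes appended after IEND")
    if len(data) > max_expected_bytes:
        findings.append(f"file is {len(data)} bytes, above the {max_expected_bytes} limit")
    return findings

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed 1x1 greyscale PNG (not the real requests logo) plus a copy with a stand-in payload appended.
CLEAN_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
TAMPERED_PNG = CLEAN_PNG + b"FAKE-PAYLOAD-BYTES" * 4

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("tampered", TAMPERED_PNG)):
        print(name, audit_png(blob, max_expected_bytes=4096) or "ok")
```

Run it over every image shipped in an sdist or wheel; a logo that decodes fine but carries tens of kilobytes (or megabytes) past IEND deserves a closer look.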

The exact end goal of the package is currently unclear, but the development is once again a sign that open-source ecosystems continue to be an attractive vector to distribute malware.


With a vast majority of codebases relying on open-source code, the steady influx of malware into npm, PyPI, and other package registries, not to mention the recent XZ Utils episode, has highlighted the need for addressing issues in a systematic manner that otherwise can "derail large swaths of the web."



Originally published on the WeChat official account (知机安全): Python Package Hides Sliver C2 Framework
