Python软件包潜藏Sliver C2框架

Cybersecurity researchers have identified a malicious Python package that purports to be an offshoot of the popular requests library and has been found concealing a Golang-version of the Sliver command-and-control (C2) framework within a PNG image of the project's logo.

网络安全研究人员已经确认了一个恶意的Python包，声称是流行的requests库的一个分支，发现其中隐藏了一个Sliver命令和控制（C2）框架的Golang版本，该框架被嵌入在该项目标志的PNG图像中。

The package employing this steganographic trickery is requests-darwin-lite, which has been downloaded 417 times prior to it being taken down from the Python Package Index (PyPI) registry.

这个使用隐写术诡计的包是requests-darwin-lite，它在从Python包索引（PyPI）注册表中删除之前已经被下载了417次。

Requests-darwin-lite "appeared to be a fork of the ever-popular requests package with a few key differences, most notably the inclusion of a malicious Go binary packed into a large version of the actual requests side-bar PNG logo," software supply chain security firm Phylum said.

Requests-darwin-lite“似乎是一个ever-popular requests包的分支，有一些关键的区别，尤其是包含了一个恶意的Go二进制文件，它被打包在实际requests侧边栏PNG标志的一个大版本中，”软件供应链安全公司Phylum表示。

The changes have been introduced in the package's setup.py file, which has been configured to decode and execute a Base64-encoded command to gather the system's Universally Unique Identifier (UUID).

这些更改已经在包的setup.py文件中引入，该文件已经配置为解码和执行一个Base64编码的命令，以收集系统的通用唯一标识符（UUID）。

In what's an interesting twist, the infection chain proceeds only if the identifier matches a particular value, implying that the author(s) behind the package is looking to breach a specific machine to which they are already in possession of the identifier obtained through some other means.

有趣的是，只有在标识符匹配特定值时，感染链才会继续进行，这意味着包的作者正在寻找入侵特定机器，他们已经通过其他途径获得标识符。

This raises two possibilities: Either it's a highly targeted attack or it's some sort of a testing process ahead of a broader campaign.

这引发了两种可能性：要么是高度针对性的攻击，要么是某种更广泛活动的测试过程。

Should the UUID match, the requests-darwin-lite proceeds to read data from a PNG file named "requests-sidebar-large.png," which bears similarities with the legitimate requests package that ships with a similar file called "requests-sidebar.png."

如果UUID匹配，requests-darwin-lite将继续从一个名为“requests-sidebar-large.png”的PNG文件中读取数据，该文件与包含名为“requests-sidebar.png”的合法requests包类似。

What's different here is that while the real logo embedded within requests has a file size of 300 kB, the one contained inside requests-darwin-lite is around 17 MB.

这里的不同之处在于，虽然嵌入在requests中的真实标志具有300 kB的文件大小，但包含在requests-darwin-lite中的标志约为17 MB。

The binary data concealed in the PNG image is the Golang-based Sliver, an open-source C2 framework that's designed to be used by security professionals in their red team operations.

隐藏在PNG图像中的二进制数据是基于Golang的Sliver，这是一个开源的C2框架，旨在供安全专业人员在红队操作中使用。

The exact end goal of the package is currently unclear, but the development is once again a sign that open-source ecosystems continue to be an attractive vector to distribute malware.

目前包的确切目标尚不清楚，但这一发展再次表明，开源生态系统继续成为分发恶意软件的有吸引力的矢量。

With a vast majority of codebases relying on open-source code, the steady influx of malware into npm, PyPI, and other package registries, not to mention the recent XZ Utils episode, has highlighted the need for addressing issues in a systematic manner that otherwise can "derail large swaths of the web."

由于绝大多数代码库依赖于开源代码，恶意软件持续涌入npm、PyPI和其他包注册表，更不用说最近的XZ Utils事件，凸显了以系统化方式解决问题的必要性，否则可能“使网络的大片区域陷入混乱”。

参考资料

[1]https://thehackernews.com/2024/05/malicious-python-package-hides-sliver.html

关注我们

        欢迎来到我们的公众号！我们专注于全球网络安全和精选双语资讯，为您带来最新的资讯和深入的分析。在这里，您可以了解世界各地的网络安全事件，同时通过我们的双语新闻，获取更多的行业知识。感谢您选择关注我们，我们将继续努力，为您带来有价值的内容。

原文始发于微信公众号（知机安全）：Python软件包潜藏Sliver C2框架