Hackers Forge Python Package to Target macOS Devices

TapTechNews, May 14: hackers recently published a counterfeit package on the Python Package Index (PyPI) that imitates the popular 'requests' library and uses the Sliver C2 cross-platform implant framework to target Apple macOS devices, with the aim of gaining access to enterprise networks.

Security researchers at Phylum stated that the attack is relatively complex, involving multiple steps and layers of obfuscation, including covertly installing the Sliver implant on the target by hiding it inside a PNG image file (steganography).

TapTechNews Note: Sliver is a cross-platform (Windows, macOS, Linux) open-source adversary emulation framework designed for 'red team' operations that simulate an adversary's actions when testing network defenses.

Its main features include custom implant generation, command and control (C2) functionality, post-exploitation tools and scripts, and a wide range of attack simulation options.

Phylum first discovered a malicious Python package for macOS called 'requests-darwin-lite', a fork of the mainstream 'requests' library that otherwise behaves benignly.

The package was hosted on PyPI and carried the Sliver binary inside a 17 MB PNG image file bearing the Requests logo.
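A defender triaging a package like this wants a quick way to tell whether an image shipped in a wheel or sdist is only an image. The following is an added example, not code from the article or from Phylum: it walks the PNG chunk list, verifies each chunk's CRC, flags chunk types outside the specification, counts any bytes appended after IEND, and independently scans the whole file for Mach-O and ELF headers, since a payload can sit inside a well-formed chunk at an arbitrary offset rather than after the image ends. The sample PNG it analyses is constructed in memory; the appended Mach-O header in the usage section is a constructed marker, not a real binary.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}
# Magic numbers of native executables that have no business inside an image.
# Note: the fat-binary magic also matches Java class files, so treat hits as leads.
EXECUTABLE_MAGIC = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",
    b"\x7fELF": "ELF",
}


def _chunk(ctype, body):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(width=2, height=2):
    """Constructed sample: a valid, tiny RGB PNG used as a clean baseline."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # One filter byte (0 = None) followed by RGB triples per scanline.
    raw = b"".join(b"\x00" + b"\x10\x20\x30" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def analyze_png(data):
    """Walk the chunk list and report anything that should not be there."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file (bad signature)")
    report = {
        "chunks": [],                    # (type, length) in file order
        "crc_errors": [],                # chunk types whose CRC does not verify
        "unknown_chunks": [],            # chunk types outside the specification
        "truncated": False,              # file ended in the middle of a chunk
        "iend_offset": None,             # byte offset just past the IEND chunk
        "trailing_bytes": 0,             # bytes appended after IEND
        "executable_magic_offsets": [],  # (offset, description) of embedded headers
    }
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            report["truncated"] = True
            break
        if struct.unpack(">I", crc_field)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            report["crc_errors"].append(ctype.decode("latin-1"))
        if ctype not in STANDARD_CHUNKS:
            report["unknown_chunks"].append(ctype.decode("latin-1"))
        report["chunks"].append((ctype.decode("latin-1"), length))
        pos += 12 + length
        if ctype == b"IEND":
            report["iend_offset"] = pos
            break
    report["trailing_bytes"] = len(data) - pos
    # Independent of chunk structure: a payload may live inside a well-formed
    # chunk at some offset, so scan the raw bytes for executable headers too.
    for magic, desc in EXECUTABLE_MAGIC.items():
        start = 0
        while (idx := data.find(magic, start)) != -1:
            report["executable_magic_offsets"].append((idx, desc))
            start = idx + 1
    report["executable_magic_offsets"].sort()
    return report


if __name__ == "__main__":
    clean = build_sample_png()
    # Constructed: a Mach-O header plus filler appended after IEND.
    stuffed = clean + b"\xcf\xfa\xed\xfe" + b"A" * 64
    for label, blob in (("clean", clean), ("stuffed", stuffed)):
        r = analyze_png(blob)
        print(label, "trailing:", r["trailing_bytes"], "exec headers:", r["executable_magic_offsets"])
```

A clean logo yields zero trailing bytes, no CRC errors and no executable headers; the stuffed variant reports the appended byte count and the offset of the header. In a CI pipeline the same function can run over every image in a package before it is admitted to an internal mirror.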

During installation on macOS systems, the PyInstall class decodes a base64-encoded string and executes the resulting command (ioreg) to retrieve the system's UUID (Universally Unique Identifier).

If the UUID matches the value the package is looking for, the Go binary is read from the PNG file starting at a specific file offset. The Sliver binary is written to a local file, its permissions are changed to make it executable, and it is then launched in the background.
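The install-time sequence described above (a custom install class, a base64-decoded command, a platform check, a chmod and a background launch) leaves a recognisable shape in a package's setup.py. The following is an added example, not the article's or Phylum's tooling: it parses a setup.py with Python's ast module and reports overridden setuptools commands, calls that decode strings or spawn processes, and string literals used for platform checks, then combines them into a crude risk score. The SAMPLE_SETUP_PY fixture is constructed for the example and contains only placeholder values (the base64 literal decodes to "echo placeholder"); it is not the malicious package's code.

```python
import ast

# Install-time hooks that setuptools runs on the machine performing the install.
HOOKABLE_COMMANDS = {"install", "develop", "build_py", "build", "egg_info"}

# Calls rarely needed in an honest setup.py but typical of a dropper.
SUSPICIOUS_CALLS = {
    "base64.b64decode": "decodes an obfuscated string",
    "codecs.decode": "decodes an obfuscated string",
    "subprocess.check_output": "runs an external command",
    "subprocess.run": "runs an external command",
    "subprocess.call": "runs an external command",
    "subprocess.Popen": "spawns a (possibly background) process",
    "os.system": "runs an external command",
    "os.popen": "runs an external command",
    "os.chmod": "changes file permissions (e.g. marks a dropped file executable)",
}
PLATFORM_STRINGS = {"darwin", "linux", "win32"}

# Constructed fixture modelled on the indicators the article lists.
# The base64 literal decodes to "echo placeholder"; paths are placeholders too.
SAMPLE_SETUP_PY = '''
import base64, os, subprocess, sys
from setuptools import setup
from setuptools.command.install import install

class PyInstall(install):
    def run(self):
        if sys.platform == "darwin":
            cmd = base64.b64decode("ZWNobyBwbGFjZWhvbGRlcg==").decode()
            subprocess.check_output(cmd, shell=True)
            os.chmod("/tmp/placeholder-dropped-file", 0o755)
            subprocess.Popen(["/tmp/placeholder-dropped-file"])
        install.run(self)

setup(name="example-lookalike", version="0.0.1", cmdclass={"install": PyInstall})
'''


def _dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage_setup_py(source):
    """Statically score a setup.py for dropper-like install hooks."""
    tree = ast.parse(source)
    findings = {"cmdclass_overrides": [], "suspicious_calls": [], "platform_checks": []}
    for node in ast.walk(tree):
        if isinstance(node, ast.keyword) and node.arg == "cmdclass" and isinstance(node.value, ast.Dict):
            for key in node.value.keys:
                if isinstance(key, ast.Constant) and key.value in HOOKABLE_COMMANDS:
                    findings["cmdclass_overrides"].append(key.value)
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings["suspicious_calls"].append((name, node.lineno, SUSPICIOUS_CALLS[name]))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value.lower() in PLATFORM_STRINGS:
            findings["platform_checks"].append(node.lineno)
    findings["suspicious_calls"].sort(key=lambda f: f[1])
    # Crude scoring: a hooked install command amplifies every other indicator,
    # because that is what makes the code run at `pip install` time.
    multiplier = 3 if findings["cmdclass_overrides"] else 1
    findings["risk_score"] = multiplier * (len(findings["suspicious_calls"]) + len(findings["platform_checks"]))
    return findings


if __name__ == "__main__":
    result = triage_setup_py(SAMPLE_SETUP_PY)
    print("hooked commands:", result["cmdclass_overrides"])
    for name, line, why in result["suspicious_calls"]:
        print(f"  line {line}: {name} ({why})")
    print("risk score:", result["risk_score"])
```

The score is a triage aid, not a verdict: legitimate packages do override install commands, but a hooked install that also decodes strings, branches on the platform and spawns processes is the combination worth a manual look before the package is allowed into an internal index.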

After Phylum reported requests-darwin-lite to the PyPI team, the package was officially removed.
