PyPi package backdoors Macs using the Sliver pen-testing suite

A new package mimicked the popular 'requests' library on the Python Package Index to target macOS devices with the Sliver C2 adversary framework, used for gaining initial access to corporate networks.
Discovered by Phylum, the campaign involves several steps and obfuscation layers, including using steganography in a PNG image file to covertly install the Sliver payload on the target.
As of writing this, the malicious PyPI package has been removed, but its discovery is another sign of Sliver's increasing adoption as a tool for gaining remote access to corporate networks.
Sliver's key features include custom implant generation, command-and-control capabilities, post-exploitation tools and scripts, and rich attack emulation options.
Due to this, hackers started using Sliver in 2022 primarily as an alternative to the commercial pen-testing framework Cobalt Strike, which, after many years of abuse, has become easier to detect and block.
Later that year, Sliver was seen targeting macOS devices by researchers at SentinelOne, who discovered the implant deployed in what appeared to be a fake VPN app.
The adoption rate by cybercriminals continued to increase steadily in 2023 when Sliver was spotted in BYOVD attacks and ransomware operations.
A cybersecurity advisory by CISA and the FBI from February 2024 once again highlighted Sliver's rising status as one of the common implants used by hackers who breach networks after exploiting Ivanti Connect Secure and Policy Secure Gateways.
The latest attack seen by Phylum begins with a malicious Python package for macOS named 'requests-darwin-lite,' which is presented as a benign fork of the popular 'requests' library.
The package, which is hosted on PyPI, contains Sliver's binary inside a 17MB PNG image file featuring the Requests logo.
During installation on a macOS system, a PyInstall class executes and decodes a base64-encoded string into a command that retrieves the system's UUID. The UUID is compared against a predefined value to confirm that the package is being installed on the intended target. When there is a match, the Go binary is read from the PNG file at a specific byte offset and extracted.
The Sliver binary is written to a local file with modified file permissions to make it executable and is eventually launched in the background.
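The article says only that the Sliver binary was carved from a byte offset inside the 17MB PNG. As an added defensive example (not code from the article or from Phylum), the checker below walks a PNG's chunk list, verifies each chunk CRC, and reports any bytes that follow the IEND chunk, which is where appended payloads commonly sit because image viewers ignore everything after it; the sample PNG is constructed inline, and the magic values are the standard Mach-O, ELF and PE header bytes.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Executable magic numbers worth flagging if found after the image data.
MAGIC = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",  # 0xFEEDFACF stored little-endian
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat)",
    b"\x7fELF": "ELF",
    b"MZ": "PE",
}

def inspect_png(data: bytes) -> dict:
    """Walk the PNG chunk list, verify each CRC, and report any bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while True:
        if pos + 12 > len(data):
            raise ValueError("truncated: no IEND chunk found")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"corrupt chunk {ctype!r} at offset {pos}")
        chunks.append(ctype.decode("ascii"))
        pos += 12 + length
        if ctype == b"IEND":
            break
    trailer = data[pos:]  # anything here is invisible to image viewers
    kind = None
    if trailer:
        kind = next((n for m, n in MAGIC.items() if trailer.startswith(m)), "unknown")
    return {"chunks": chunks, "image_end": pos, "trailer_bytes": len(trailer), "trailer_type": kind}

# --- constructed sample inputs (not real artefacts from the campaign) ---
def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_png(trailer: bytes = b"") -> bytes:
    """A valid 1x1 RGB PNG, optionally followed by arbitrary trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer

if __name__ == "__main__":
    print(inspect_png(build_png()))
    print(inspect_png(build_png(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)))
```

A non-zero `trailer_bytes` on an image shipped inside a package is a strong review signal even when the trailer type is "unknown", since legitimate image files end at IEND.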
Following Phylum's report of requests-darwin-lite to the PyPI team, the package has been removed.
The malicious versions were 2.27.1 and 2.27.2, while the subsequent 2.28.0 and 2.28.1 were missing the malicious modifications and installation hook.
Phylum hypothesizes that this was a highly targeted attack, especially when considering the UUID check, so the threat actors likely returned the package to a benign state to avoid drawing unwanted attention.
Last month, researchers reported on a malicious campaign called SteganoAmor that conceals malicious code inside images using steganography to deliver various malware tools onto targeted systems.
This campaign was widespread, with over 320 attacks targeting various sectors and countries.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 13 May 2024 21:50:14 +0000


