https://www.bleepingcomputer.com/news/security/pypi-package-backdoors-macs-using-the-sliver-pen-testing-suite/
PyPI package backdoors Macs using the Sliver pen-testing suite
By Bill Toulas
May 13, 2024, 05:50 PM

A new package mimicked the popular 'requests' library on the Python Package Index (PyPI) to target macOS devices with the Sliver C2 adversary framework, which is used for gaining initial access to corporate networks.

Discovered by Phylum, the campaign involves several steps and obfuscation layers, including the use of steganography in a PNG image file to covertly install the Sliver payload on the target.

As of writing, the malicious PyPI package has been removed, but its discovery is another sign of Sliver's growing adoption as a tool for remote access to corporate networks.

Sliver is a cross-platform (Windows, macOS, Linux) open-source adversarial testing framework designed for "red team" operations, simulating adversary actions when testing network defenses. Its key features include custom implant generation, command and control (C2) capabilities, post-exploitation tools and scripts, and rich attack emulation options.

Because of this, hackers started using Sliver in 2022, primarily as an alternative to the commercial pen-testing framework Cobalt Strike, which, after many years of abuse, has become easier to detect and block.

Later that year, Sliver was seen targeting macOS devices by researchers at SentinelOne, who discovered the implant deployed in what appeared to be a fake VPN app.

The adoption rate among cybercriminals continued to increase steadily in 2023, when Sliver was spotted in BYOVD attacks and ransomware operations.
A cybersecurity advisory by CISA and the FBI from February 2024 once again highlighted Sliver's rising status as one of the common implants used by hackers who breach networks after exploiting Ivanti Connect Secure and Policy Secure gateways.

Targeting macOS with Sliver

In the latest attack seen by Phylum, the chain begins with a malicious Python package for macOS named 'requests-darwin-lite,' which is presented as a benign fork of the popular 'requests' library.

The package, which was hosted on PyPI, contains Sliver's binary inside a 17MB PNG image file featuring the Requests logo.

During installation on a macOS system, a custom PyInstall class executes to decode a base64-encoded string and run a command (ioreg) that retrieves the system's UUID (Universally Unique Identifier).

[Image: The malicious setup.py file. Source: Phylum]

The UUID is used to validate that the package is being installed on the intended target by comparing it to a predefined UUID. When there is a match, the Go binary inside the PNG file is read and extracted from a specific offset in the file.

The Sliver binary is written to a local file, its permissions are modified to make it executable, and it is eventually launched in the background.

Following Phylum's report of requests-darwin-lite to the PyPI team, the package was removed. The malicious versions were 2.27.1 and 2.27.2, while the subsequent 2.28.0 and 2.28.1 were missing the malicious modifications and installation hook.

Phylum hypothesizes that this was a highly targeted attack, especially considering the UUID check, so the threat actors likely returned the package to a benign state to avoid drawing unwanted attention.

Last month, researchers reported on a malicious campaign called SteganoAmor that conceals malicious code inside images using steganography to deliver various malware tools onto targeted systems. This campaign was widespread, with over 320 attacks targeting various sectors and countries.
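As an added example (not Phylum's tooling and not code from the package itself), the following Python script shows two defensive checks for the pattern described above: a static scan of a setup.py source for a custom install hook combined with base64 decoding, shell execution and a hardware-UUID lookup, and a PNG chunk walk that reports bytes appended after the IEND chunk, one place a binary can sit at a fixed offset inside an otherwise valid image. The sample setup.py sources and the 1x1 PNG are constructed inline for the demonstration.

```python
# Defensive triage helpers for a downloaded Python package (constructed example).
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Static indicators that, taken together, match the install-hook pattern in the article.
SETUP_INDICATORS = {
    "install_hook": re.compile(r"cmdclass\s*=\s*\{[^}]*['\"]install['\"]"),
    "base64_decode": re.compile(r"b64decode\s*\("),
    "shell_exec": re.compile(r"\bsubprocess\.|\bos\.system\(|\bos\.popen\("),
    "hw_uuid_lookup": re.compile(r"\bioreg\b|IOPlatformUUID"),
    "chmod": re.compile(r"\bos\.chmod\(|\bchmod\b"),
}


def scan_setup_py(source: str) -> list[str]:
    """Return the indicator names found in a setup.py source (empty list = nothing flagged)."""
    return [name for name, rx in SETUP_INDICATORS.items() if rx.search(source)]


def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list and return how many bytes follow the IEND chunk (0 if clean)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length + type, payload, CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("truncated or malformed PNG: no IEND chunk")


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: length, type, payload, CRC over type + payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_test_png() -> bytes:
    """Constructed 1x1 grayscale PNG used only as sample input for the check."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed setup.py sources: one with the hook shape, one benign (hypothetical, not real packages).
SUSPICIOUS_SETUP = ("from setuptools.command.install import install\nimport base64, subprocess\n"
                    "class PyInstall(install):\n    def run(self):\n        cmd = base64.b64decode(BLOB)\n"
                    "        uuid = subprocess.check_output(['ioreg'])\n"
                    "setup(name='demo', cmdclass={'install': PyInstall})\n")
BENIGN_SETUP = "from setuptools import setup\nsetup(name='demo', version='1.0')\n"
```

Trailing bytes alone are a heuristic: a payload stored inside an oversized ancillary chunk would pass this walk, so pair it with a size check (a logo should not be 17MB) and a chunk-type audit.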
Tags: Apple, macOS, PyPI, Python, Sliver, Steganography

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.