MacOS devices are being targeted with PyPI backdoor to sneak into corporate networks

A seemingly benign PyPI package is hiding dangerous malware in a large PNG file targeting macOS devices.

May 14, 2024 - 22:30
 0  16
MacOS devices are being targeted with PyPI backdoor to sneak into corporate networks

Security researchers have spotted a new campaign seeking to gain access to corporate networks by targeting macOS devices and employing impersonation/typosquatting on PyPI and steganography to compromise the endpoints.

Researcjers from Phylum, which first observed the attack, unnamed threat actors created what seems to be a fork of the “requests” library on the Python Package Index (PyPI). 

PyPI is by far the world’s most popular Python open source code repository, and is often used as a vehicle for malware deployment and distribution.

Malicious intent

The library is named requests-darwin-lite and is presented as a harmless fork of the “requests” library. It comes with a 17MB PNG image that features the Requests logo. However, that image also hides the code for the Sliver C2 adversary network. 

When the victims download and run the package, Sliver is installed and starts running in the background. Similar to Cobalt Strike, Sliver is a cross-platform open-source adversarial framework testing suite used for “read teaming” - a process of simulating cyber attacks. IT teams often use read teaming as a way to test the strength of their cyberdefenses, but is being increasingly abused by criminals in recent years.

Sliver’s main attributes are custom implant generation, C2 ability, post-exploitation tools and scripts, and more.

Usually, hackers will opt for Cobalt Strike, but this adversary simulation tool has been abused and compromised to such an extent that IT teams have gotten significantly better at detecting and blocking malicious activity.

After making the discovery, Phylum reported its findings to the PyPI administration team, which removed the malicious package from the platform. The researchers believe this was a highly targeted attack, but the targets remain unknown, as well as the identity of the attackers. 

Via BleepingComputer

More from TechRadar Pro