Hackers Deliver Malicious GO Binary Files in PyPI Via Steganography

A malicious Python package called requests-darwin-lite was found on PyPI, masquerading as a variant of the popular requests library but including a hidden Go binary, which is concealed within an abnormally large version of the expected requests logo embedded in the package. 

The attackers exploited the cmdclass attribute in the setup.py file, typically used for customizing test execution in requests, to deliver the malicious code. 

The legitimate requests package uses the cmdclass attribute in its setup.py to configure a custom test runner; the malicious requests-darwin-lite package uses the same attribute, but to hook the install step for a malicious purpose.

It defines a custom install class that checks the platform and executes a shell command if the platform is Darwin (macOS). 

The shell command retrieves the machine's UUID and compares it against a hardcoded value. If the UUIDs match, the code extracts a portion of the file docs/_static/requests-sidebar-large.png, writes it to a new file named output in a temporary directory, and makes that file executable, which suggests the package is trying to install a backdoor on the system.

The attacker modified the Python package to target macOS systems during installation: code hidden inside the PyInstall class decodes a base64 string into a command that retrieves the system's UUID.

If the UUID does not match a predetermined value, the code halts. This suggests a highly targeted attack in which the attacker already knows the victim's UUID, although it could also be the attacker's own test of the deployment mechanism. If the expected UUID is found, the code extracts data from a specific image file.
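One defensive check a practitioner can run before installing an untrusted package is a static scan of its setup.py for exactly the pattern described above: a cmdclass entry that overrides an install-phase command with a class whose body gates on the platform and reaches for base64 decoding or subprocess execution. The example below is added here and is not code from the article or from Phylum; the two embedded setup.py sources are constructed samples (a benign requests-style test runner and a hook modelled on the described PyInstall class, with a placeholder in place of any real command), and they are only parsed, never executed.

```python
import ast

# Constructed sample modelled on the install hook the article describes.
# It is parsed by the scanner below and never executed.
SUSPICIOUS_SETUP = '''
import base64, platform, subprocess
from setuptools import setup
from setuptools.command.install import install

class PyInstall(install):
    def run(self):
        if platform.system() == "Darwin":
            cmd = base64.b64decode("PLACEHOLDER").decode()
            subprocess.Popen(cmd, shell=True)
        install.run(self)

setup(name="requests-darwin-lite", cmdclass={"install": PyInstall})
'''

# Constructed sample of the legitimate use of cmdclass: a custom test runner.
BENIGN_SETUP = '''
import sys
from setuptools import setup
from setuptools.command.test import test as TestCommand

class PyTest(TestCommand):
    def run_tests(self):
        import pytest
        sys.exit(pytest.main([]))

setup(name="requests", cmdclass={"test": PyTest})
'''

# Commands that run during "pip install"; overriding these deserves scrutiny.
INSTALL_HOOKS = {"install", "develop", "build_py", "egg_info"}
# Dotted-name prefixes that indicate decoding or executing something at install time.
RISKY_PREFIXES = ("subprocess", "os.system", "os.popen", "base64", "exec", "eval", "urllib")
# Names used to gate behaviour on the operating system.
PLATFORM_GATES = {"platform.system", "platform.mac_ver", "sys.platform"}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return one finding per install-phase command overridden via cmdclass."""
    tree = ast.parse(source)
    classes = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.ClassDef)}

    # Step 1: collect cmdclass={"command": ClassName, ...} entries from setup().
    overridden = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.keyword) and node.arg == "cmdclass" \
                and isinstance(node.value, ast.Dict):
            for key, val in zip(node.value.keys, node.value.values):
                if isinstance(key, ast.Constant) and isinstance(val, ast.Name):
                    overridden[key.value] = val.id

    # Step 2: inspect the body of each class bound to an install-phase hook.
    findings = []
    for hook, cls_name in overridden.items():
        if hook not in INSTALL_HOOKS or cls_name not in classes:
            continue
        names = set()
        for n in ast.walk(classes[cls_name]):
            if isinstance(n, ast.Call):
                names.add(_dotted(n.func))
            elif isinstance(n, ast.Attribute):
                names.add(_dotted(n))
        names.discard(None)
        risky = sorted(n for n in names
                       if any(n == p or n.startswith(p + ".") for p in RISKY_PREFIXES))
        findings.append({
            "hook": hook,
            "cls": cls_name,
            "risky_calls": risky,
            "platform_gated": bool(names & PLATFORM_GATES),
        })
    return findings


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, scan_setup_py(src))
```

The scanner is deliberately narrow: it does not try to decide whether a package is malicious, only to surface install-time hooks that combine platform gating with decoding or process execution, so that a reviewer looks at them before running pip install.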

Figure: The requests project logo

Researchers at Phylum discovered the malicious Python package "requests-darwin-lite", which masquerades as the legitimate "requests" library and carries a hidden Golang-based malware framework inside an unusually large PNG image (17 MB) named "requests-sidebar-large.png".

Although the filename suggests a logo, the file is far bigger than the real "requests" library logo (300 kB). This size discrepancy, together with the output of the file command on the image, helped identify the malicious content hidden inside it.

Figure: Running the file command on the image

Attackers hid a malicious Go binary executable inside a PNG file by appending it to the file’s binary data at a specific offset, leveraging the fact that the extra data doesn’t alter the image itself. 

The install hook reads the PNG as binary data, extracts the appended portion, writes it out as a separate executable file, and runs it silently. The binary has been identified as OSX/Sliver, a C2 framework similar to Cobalt Strike but with lower detection rates owing to its lesser-known status.
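The size discrepancy and the file-command output described above both point at the same underlying fact: a PNG ends at its IEND chunk, and anything after it is not part of the image. The check below walks the chunk structure, validates each chunk CRC, and reports how many bytes follow IEND and whether they start with a known executable magic. This is an added example, not code from the article or from Phylum; the 1x1 PNG and the trailing payload (a Mach-O magic number followed by zero bytes) are constructed inline so the check runs offline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Well-known executable magic numbers; used only to label trailing data.
EXEC_MAGICS = {
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O fat/universal",
}


def _chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png_1x1():
    """Constructed sample: a valid 1x1 red RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB
    raw = b"\x00" + b"\xff\x00\x00"  # filter byte 0 + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) \
        + _chunk(b"IEND", b"")


def find_trailing_data(blob):
    """Return (offset just past IEND, bytes after IEND). Raises on malformed input."""
    if blob[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError(f"truncated chunk {ctype!r}")
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        pos = end
        if ctype == b"IEND":
            return pos, blob[pos:]
    raise ValueError("no IEND chunk found")


def classify_payload(data):
    """Label trailing bytes by executable magic; None when there are none."""
    if not data:
        return None
    for magic, name in EXEC_MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def check_png(blob):
    image_end, trailing = find_trailing_data(blob)
    return {
        "image_end": image_end,
        "trailing_bytes": len(trailing),
        "payload_type": classify_payload(trailing),
    }


if __name__ == "__main__":
    clean = make_png_1x1()
    # Constructed tampered file: the image followed by a Mach-O magic and padding.
    tampered = clean + b"\xcf\xfa\xed\xfe" + b"\x00" * 64
    print("clean:   ", check_png(clean))
    print("tampered:", check_png(tampered))
```

Running this over every image in a package's docs/ or static directories is cheap, and a non-zero trailing_bytes count on a file that claims to be a logo is exactly the kind of discrepancy that the 17 MB versus 300 kB comparison in the article exposed.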

Figure: The modified install hook from requests-darwin-lite's later versions

The first two versions of "requests-darwin-lite" published on PyPI contained both the binary hidden inside the PNG image and the malicious install hook.

Later versions (2.28.0 and 2.28.1) kept the install hook but removed the malicious code. Version 2.28.0 still shipped with the hidden binary, but it wasn’t executed, and finally, version 2.28.1 removed both the malicious code and the hidden binary.


Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
