
PyPi package exploits Mac systems with Sliver pen-testing suite – Source: www.bleepingcomputer.com


A recently discovered campaign targeting macOS devices with the Sliver C2 adversary framework has drawn the attention of security researchers. The attackers published a malicious PyPI package that mimicked the popular ‘requests’ library and hid the Sliver payload inside a PNG image file, from which it was extracted and launched at install time. The discovery illustrates the growing use of Sliver by threat actors seeking initial access to corporate networks.

The malicious PyPI package, named ‘requests-darwin-lite,’ carried the Sliver binary embedded in a PNG image bearing the Requests logo. On a macOS system, an install-time hook (a PyInstall class) ran during package installation: it decoded a base64-encoded string, executed the resulting ioreg command to read the system’s UUID (Universally Unique Identifier), and compared that UUID with a hard-coded value. Only when the two matched did it extract the Sliver binary from the image and launch it in the background, so the implant would run on one pre-selected machine and stay dormant everywhere else.
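The two pieces of tradecraft described above, an install-time hook that fingerprints the host and an image file that carries an executable, each lend themselves to a static check that can be run on a downloaded sdist before anything is installed. The script below is an added example written for this article; it is not Phylum’s tooling and not code from the requests-darwin-lite package. Its sample setup.py, the ioreg command string inside it, and the 1x1 PNG with a fake Mach-O glued on the end are all constructed stand-ins, and the trailing-data check assumes the payload sits after the PNG’s IEND chunk, which is one common hiding spot rather than the only one.

```python
"""Static triage for a suspicious sdist: an install-time hook in setup.py and
a PNG carrying bytes past its IEND chunk. Added example for this article, not
Phylum's analysis or the requests-darwin-lite code; all samples are constructed."""
import ast
import base64
import binascii
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# setuptools command classes an attacker can subclass to run code at install time
HOOKED_COMMANDS = {"install", "develop", "egg_info", "build_py"}


def scan_setup_py(source: str) -> dict:
    """Parse setup.py (never exec it) and flag hooked commands plus base64 blobs
    that decode to printable text. Heuristic: URL fragments can false-match."""
    result = {"install_hook": False, "decoded_strings": [], "suspicious": False}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = base.attr if isinstance(base, ast.Attribute) else getattr(base, "id", "")
                if name in HOOKED_COMMANDS:
                    result["install_hook"] = True
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for match in B64_RUN.finditer(node.value):
                try:
                    raw = base64.b64decode(match.group(0), validate=True)
                except binascii.Error:
                    continue
                if raw and all(32 <= b < 127 for b in raw):
                    result["decoded_strings"].append(raw.decode("ascii"))
    # Hook + hidden command that reads the hardware UUID = the fingerprinting step
    result["suspicious"] = result["install_hook"] and any(
        "ioreg" in s or "IOPlatformUUID" in s for s in result["decoded_strings"])
    return result


def png_trailing_data(data: bytes) -> bytes:
    """Walk the chunk list (4-byte length, 4-byte type, data, CRC over type+data)
    and return whatever follows IEND. Decoders stop at IEND, so appended bytes
    never change the picture. Malformed input raises rather than guessing."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:
            raise ValueError(f"bad CRC on chunk {ctype!r} at offset {pos}")
        pos = end
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk")


def identify_payload(blob: bytes) -> str:
    """Name an executable by magic bytes; a macOS Sliver implant is a Mach-O."""
    if blob[:4] in (b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf"):
        return "Mach-O 64-bit"
    if blob[:4] == b"\xca\xfe\xba\xbe":  # shared with Java .class; inspect further
        return "Mach-O universal"
    if blob[:4] == b"\x7fELF":
        return "ELF"
    if blob[:2] == b"MZ":
        return "PE"
    return "unknown"


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(appended: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG with optional bytes glued after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b"") + appended)


# Constructed stand-in for an embedded Mach-O: real magic, zero-filled body
FAKE_MACHO = b"\xcf\xfa\xed\xfe" + b"\x00" * 60

# Constructed setup.py in the shape the article describes; the ioreg command is
# a plausible stand-in, not the attackers' exact string
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import base64, subprocess

class PyInstall(install):
    def run(self):
        cmd = base64.b64decode("__BLOB__").decode()
        uuid = subprocess.check_output(cmd, shell=True)
        install.run(self)

setup(name="example-pkg", version="0.0.1", cmdclass={"install": PyInstall})
'''.replace("__BLOB__", base64.b64encode(b"ioreg -rd1 -c IOPlatformExpertDevice").decode())

if __name__ == "__main__":
    print(scan_setup_py(SAMPLE_SETUP_PY))
    tail = png_trailing_data(build_sample_png(FAKE_MACHO))
    print(len(tail), "trailing bytes:", identify_payload(tail))
```

Run it against a real sdist by feeding `scan_setup_py` the contents of its setup.py and `png_trailing_data` each bundled image. Neither check executes package code, which matters here: the whole point of the attacker’s design is that `pip install` is the execution trigger. A payload spliced into an ancillary chunk instead of appended would pass the trailing-data test, so large or unexpected chunk types deserve a look as well.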

After researchers at Phylum discovered the attack, the package was promptly removed from PyPI. Versions 2.27.1 and 2.27.2 carried the malicious modifications, while the later versions 2.28.0 and 2.28.1 were clean, which suggests the threat actors reverted the package to a benign state to evade scrutiny. Together with the hard-coded UUID check, this points to a narrowly targeted operation aimed at a single machine rather than at the package’s users at large.

Hiding malicious code in image files is not a new tactic. In the earlier SteganoAmor campaign, attackers hit more than 320 organizations worldwide by embedding malware in images through steganography. Because image files routinely pass through mail gateways and package indexes unexamined, the technique lets threat actors slip payloads past detection and deliver them to victims across many sectors and countries.

Sliver is an open-source, cross-platform C2 framework that offers custom implant generation, command-and-control channels, and post-exploitation tooling, and it has gained popularity among threat actors looking for an alternative to Cobalt Strike. Advisories from CISA and the FBI have noted Sliver being deployed against corporate networks after attackers exploited vulnerabilities in widely used network gateways.

Campaigns like this one are a reminder that the threat landscape keeps shifting: a typosquatted package on a trusted index can now deliver a full-featured C2 implant to a chosen macOS host. As threat actors adopt tools such as Sliver and techniques such as hiding payloads in images, security teams must stay vigilant, and collaboration between researchers, industry, and law enforcement remains essential to limiting the impact of such campaigns.
