SentinelSneak: Malicious PyPI module poses as security software development kit

MITRE Techniques

• [T1059.006] Python – The package uses Python code and is triggered when called programmatically. Quote: “the malicious functionality in the library does not execute upon installation, but waits to be called on programmatically before activating.”
• [T1195] Supply Chain – Typosquatting and impersonation of a popular vendor to push malicious code. Quote: “typosquatting, with many of the malicious packages using naming that was similar to popular npm packages…”
• [T1036] Masquerading – Impersonation of SentinelOne as a legitimate SDK. Quote: “The SentinelOne PyPI package we discovered has no connection to SentinelOne, the respected cybersecurity firm…”
• [T1083] File and Directory Discovery – Enumeration of files and directory contents, plus root directory listing. Quote: “enumeration of files in a given directory, deleting of a file/directory and creation of a new process.”
• [T1041] Exfiltration Over C2 Channel – Data exfiltration to a remote command-and-control server. Quote: “The data is then exfiltrated to the command and control (C2) server.”
• [T1071.001] Web Protocols – Use of HTTP/S with IP-referenced hosts in URLs. Quote: “presence of URLs that reference the host by IP address…”
• [T1552.001] Credentials in Files – Exfiltration targets including SSH keys and secrets stored under .ssh. Quote: “contents of the .ssh folder containing ssh keys and configuration information, including access credentials and secrets, related to git, kubernetes and AWS services.”
• [T1027] Obfuscated/Hidden Content – Hidden or obfuscated functionality in the malicious code. Quote: “hidden (obfuscated) functionality…”