Supply chain alert: Sipeed's official COMTools software flagged as a trojan
3 points • by dripmet • 7 months ago
Sipeed is a Chinese hardware manufacturer known for embedded AI systems, RISC-V development boards, and edge computing modules (K210 AI accelerators, MaixSense ToF cameras, LicheeRV boards). They're fairly established in the maker and embedded systems community.
I downloaded their official COMTools utility (serial communication tool for device configuration) directly from their distribution server at dl.sipeed.com - the link provided in their official documentation.
Multiple security scanners are flagging it as trojan malware:
VirusTotal: https://www.virustotal.com/gui/file/66b9b83687f4579e0de629eb63b9d41ef0c3cc2e4f03546d0fe6374de76c69f8/detection
Hybrid Analysis: https://hybrid-analysis.com/sample/66b9b83687f4579e0de629eb63b9d41ef0c3cc2e4f03546d0fe6374de76c69f8/690e6b0ff38090310e09c79d
More concerning than the detections is the observed behavior:
- Random cmd.exe processes spawning periodically
- Persistent background activity
- BitLocker recovery triggered after offline virus scan
- Suspicious network connections
This goes beyond typical false-positive behavior seen with some Chinese development tools (which sometimes lack proper code signing or use aggressive system access).
Two possibilities:
1. Supply chain compromise - their dl.sipeed.com server is serving modified binaries
2. Aggressive false positive (seems less likely given the behavioral indicators)
I'm currently comparing SHA256 hashes between the website version and their GitHub releases to determine if there's a discrepancy.
If this is a supply chain attack, it could affect a significant portion of the embedded systems development community, particularly those working with AI edge devices and RISC-V systems.
I've reported to Sipeed, Microsoft Security, and various security researchers. Has anyone else in the HN community used Sipeed products and can verify their COMTools installation?
SHA256 of flagged file: 66b9b83687f4579e0de629eb63b9d41ef0c3cc2e4f03546d0fe6374de76c69f8
Official (potentially compromised) source: https://dl.sipeed.com/shareURL/MaixSense/MaixSense_A010/software_pack/comtool
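The hash comparison the post describes, as an added example that is not part of the original post or Sipeed's tooling: a small offline Python check that classifies a local COMTools download against the SHA256 reported as flagged above and against a publisher reference digest. The reference set is an assumption left empty here; fill it from the digest published with the GitHub release.

```python
"""Classify a downloaded binary by SHA256: known-bad sample, publisher reference, or unknown."""
import hashlib
import hmac
import sys
from typing import Iterable

# SHA256 of the sample flagged on VirusTotal / Hybrid Analysis (value from the post).
FLAGGED_SHA256 = "66b9b83687f4579e0de629eb63b9d41ef0c3cc2e4f03546d0fe6374de76c69f8"

# Assumption: digests published with the GitHub release go here; none are known to this script.
REFERENCE_SHA256: set = set()

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large installer never has to fit in memory


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize(digest: str) -> str:
    """Accept upper/lower case and surrounding whitespace (certutil, shasum, GUI copy/paste)."""
    d = digest.strip().lower()
    if len(d) != 64 or any(c not in "0123456789abcdef" for c in d):
        raise ValueError(f"not a SHA256 hex digest: {digest!r}")
    return d


def classify(digest: str, flagged: str = FLAGGED_SHA256,
             reference: Iterable[str] = REFERENCE_SHA256) -> str:
    d = normalize(digest)
    if hmac.compare_digest(d, normalize(flagged)):
        return "KNOWN_BAD"          # byte-identical to the sample the scanners flagged
    if any(hmac.compare_digest(d, normalize(r)) for r in reference):
        return "MATCHES_REFERENCE"  # what the publisher shipped; says nothing about whether that build is clean
    return "UNKNOWN"                # neither: do not treat as cleared, escalate for analysis


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        print(arg, classify(sha256_file(arg)))
```

A reference match only proves the download is the build the publisher released, so a compromise of the release itself (rather than of dl.sipeed.com) would not be caught by this check.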