A malicious Python package in the Python Package Index (PyPI) repository was found to use Unicode as a trick to evade detection and deploy information-stealing malware.
The package in question, named onyxproxy, was uploaded to PyPI on March 15, 2023, with the ability to collect and extract credentials and other valuable data. It has since been removed, but not before it was downloaded 183 times in total.
According to software supply chain security firm Phylum, the package incorporates malicious behavior into a setup script stuffed with thousands of seemingly legitimate code strings.
These strings use a mix of bold and italic fonts yet remain readable and can be parsed by the Python interpreter, only to trigger execution of the stealer malware when the package is installed.
“The obvious and direct benefit of this strange scheme is readability,” the company said. “Furthermore, these visible differences do not prevent code execution.”
The trick relies on homoglyphs, characters that look like another character (e.g., self vs. 𝘴𝘦𝘭𝘧), to camouflage the code's true nature among innocuous-looking functions and variables.
The use of Unicode to inject vulnerabilities into source code was previously uncovered by University of Cambridge researchers Nicholas Boucher and Ross Anderson in an attack technique called Trojan Source.
What this method lacks in sophistication, it makes up for in creating new obfuscated code, even though it shows obvious signs of copy-and-paste from other sources.
This development highlights an ongoing effort by some attackers to find new ways to evade string-matching-based defenses by exploiting “the way the Python interpreter handles Unicode to obfuscate malware.”
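The evasion works because Python applies NFKC normalization to identifiers (PEP 3131), so a name spelled with mathematical letters is the same variable as its ASCII spelling, while a plain string match on the raw source never sees the ASCII form. The following scanner is an added example, not code from Phylum or the original article; the sample source it inspects is constructed for the illustration:

```python
import ast
import io
import tokenize
import unicodedata

# Constructed sample: "self" spelled with mathematical sans-serif italic
# letters. A text search for "self" misses line 2 and the receiver on line 3.
SAMPLE_SOURCE = (
    "class Collector:\n"
    "    def run(𝘴𝘦𝘭𝘧, target):\n"
    "        return 𝘴𝘦𝘭𝘧.collect(target)\n"
    "    def collect(self, t):\n"
    "        return t\n"
)


def find_non_ascii_identifiers(source: str):
    """Return (line, raw_name, normalized_name) for every identifier token
    containing non-ASCII characters. The tokenize module keeps the raw
    spelling, so this is where a scanner can still see the homoglyphs."""
    hits = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME and not tok.string.isascii():
            hits.append((tok.start[0], tok.string,
                         unicodedata.normalize("NFKC", tok.string)))
    return hits


def names_seen_by_interpreter(source: str):
    """Identifiers as the parser binds them: ast.parse has already applied
    NFKC, so the homoglyph spelling is gone and only 'self' remains."""
    tree = ast.parse(source)
    return {node.id for node in ast.walk(tree) if isinstance(node, ast.Name)}


def scan(source: str):
    """Defensive check: flag any identifier whose raw spelling differs from
    what the interpreter will actually bind it to."""
    return [hit for hit in find_non_ascii_identifiers(source)
            if hit[1] != hit[2]]


if __name__ == "__main__":
    for line, raw, norm in scan(SAMPLE_SOURCE):
        print(f"line {line}: {raw!r} is bound as {norm!r}")
    print("parser sees:", sorted(names_seen_by_interpreter(SAMPLE_SOURCE)))
```

Normalizing identifiers with NFKC before matching them against a blocklist closes the gap the article describes; matching on the raw text alone does not.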
Relatedly, Canadian cybersecurity company PyUp detailed three newly discovered fraudulent Python packages (aiotoolbox, asyncio-proxy, and pycolorz). These have been downloaded over 1,000 times in total and are designed to retrieve obfuscated code from remote servers.