March 24, 2023Rabbi LakshmananDevSecOps / Software Security

A malicious Python package in the Python Package Index (PyPI) repository was found to use Unicode as a trick to evade detection and deploy information-stealing malware.

The package in question, named onyx proxywas uploaded to PyPI on March 15, 2023, with the ability to collect and extract credentials and other valuable data.It has since been removed, but in total 183 Downloads.

According to software supply chain security firm Phylum, the package incorporates malicious behavior into a setup script stuffed with thousands of seemingly legitimate code strings.

These strings have a mix of bold and italic fonts and are still readable and can be parsed by the Python interpreter, but only to activate the execution of the stealer malware when the package is installed.

“The obvious and direct benefit of this strange scheme is readability,” the company said. I got it“Furthermore, these visible differences do not prevent code execution.”

This is the same character (alias homoglyph) camouflages its true colors (e.g. self vs. 𝘀𝘦𝘭𝘧) among innocuous-looking functions and variables.

The use of Unicode to inject vulnerabilities into source code was previously uncovered by University of Cambridge researchers Nicholas Boucher and Ross Anderson in an attack technique called Trojan Source.

What this method lacks in sophistication, it makes up for in creating new obfuscated code, even though it shows obvious signs of copy-and-paste efforts from other sources. increase.

webinar

Discover the hidden dangers of third-party SaaS apps

Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions granted and how to minimize the risks.

reserve a seat

This development is an ongoing effort by some attackers to find new ways to evade string-matching-based defenses by exploiting “the way the Python interpreter handles Unicode to obfuscate malware.” I am highlighting the attempt.

Relatedly, Canadian cybersecurity company PyUp Detailed Three new fraudulent Python packages (aiotoolbox, asyncio-proxy, pycolorz) have been discovered. These have been downloaded over 1,000 times in total and are designed to retrieve obfuscated code from remote servers.

Did you find this article interesting?Please follow us twitter and LinkedIn To read more exclusive content that we post.

cropped-BTA_Logo-B-1-scaled-1
YOUR FUTURE STARTS HERE.

BLUE TRAINING ACADEMY

Register now for our membership to gain access to our elite training program and fast forward your career today!

Newsletter

Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

cropped-BTA_Logo-B-1-scaled-1
Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog