Evasion and stealth on peak: Python package found to use Unicode

A malicious Python package on the Python Package Index (PyPI) repository has been found to use Unicode as a trick to evade detection and deploy info-stealing malware.

The package in question, named onyxproxy, was uploaded to PyPI on March 15, 2023, and comes with capabilities to harvest and exfiltrate credentials and other valuable data. It has since been taken down, but not before attracting a total of 183 downloads.

According to software supply chain security firm Phylum, the package incorporates its malicious behavior in a setup script that’s packed with thousands of seemingly legitimate code strings.

“One might dismiss this as a developer trying to show how clever they can be, except that this package is trying to steal and exfiltrate things immediately upon installation. The most plausible remaining explanation for this behavior is that this will evade defenses designed around string matching.”

The identifiers in these strings are spelled with Unicode bold and italic letter variants. They remain readable to a human, and the Python interpreter still parses them as ordinary identifiers, so the code runs and launches the stealer as soon as the package is installed.
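To make the mechanism concrete, here is an added example (not code from this article, from Phylum, or from the onyxproxy package) showing why a literal string match misses such identifiers and how a defender can surface them. It relies on the documented Python behaviour that identifiers are converted to NFKC normal form while parsing, so a name spelled with mathematical bold letters is the same identifier as its ASCII equivalent. The sample source is constructed inline; `fancy`, `naive_string_match`, `normalized_source`, `find_normalized_identifiers` and `referenced_names` are names chosen for this example.

```python
"""Added example: spotting Unicode math-alphabet identifiers in Python source.

Python folds identifiers to NFKC normal form while parsing (PEP 3131), so a
module name written in mathematical bold letters is, to the interpreter, the
plain ASCII name. A scanner that compares raw text never sees "import os".
"""
import io
import tokenize
import unicodedata


def fancy(word, style="MATHEMATICAL BOLD"):
    """Respell an ASCII lowercase word with Unicode math-alphabet letters.

    Only used to construct the sample below; letters are looked up by their
    Unicode names so no raw code points are hard-coded. Non-letters pass through.
    """
    return "".join(
        unicodedata.lookup(f"{style} SMALL {c.upper()}") if c.isalpha() else c
        for c in word
    )


# Constructed sample of the trick (not the onyxproxy code): every identifier is
# written with bold or sans-serif bold letters, yet it parses as ordinary Python
# and resolves to os / subprocess / environ.
SAMPLE_SOURCE = (
    f"import {fancy('os')}\n"
    f"import {fancy('subprocess', 'MATHEMATICAL SANS-SERIF BOLD')}\n"
    f"{fancy('home')} = {fancy('os')}.{fancy('environ')}.get('HOME')\n"
)


def naive_string_match(source, needle="import os"):
    """A literal substring check, the kind of defence the trick is built to evade."""
    return needle in source


def normalized_source(source):
    """NFKC-normalize the whole file so a string matcher sees what the interpreter
    sees. String literals get normalized too: fine for triage, not for rewriting."""
    return unicodedata.normalize("NFKC", source)


def find_normalized_identifiers(source):
    """Return (line, spelled, normalized) for each NAME token whose NFKC form
    differs from its spelling in the file.

    tokenize keeps the original spelling; ast.parse would already have folded it
    to ASCII and the evidence would be gone.
    """
    hits = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME:
            folded = unicodedata.normalize("NFKC", tok.string)
            if folded != tok.string:
                hits.append((tok.start[0], tok.string, folded))
    return hits


def referenced_names(source):
    """Compile (never exec) the source and read back the top-level names the
    bytecode refers to; by now the interpreter has folded them to ASCII."""
    code = compile(source, "<sample>", "exec")
    return sorted(set(code.co_names))


if __name__ == "__main__":
    print(SAMPLE_SOURCE)
    print("literal 'import os' present:", naive_string_match(SAMPLE_SOURCE))
    print("present after NFKC:", naive_string_match(normalized_source(SAMPLE_SOURCE)))
    for line, spelled, folded in find_normalized_identifiers(SAMPLE_SOURCE):
        print(f"line {line}: {spelled!r} -> {folded!r}")
    print("names the bytecode references:", referenced_names(SAMPLE_SOURCE))
```

Running the script prints the bold-lettered sample, reports that the literal `import os` is absent until the text is NFKC-normalized, lists each folded identifier with its line, and shows that the compiled bytecode references plain `os` and `subprocess`. A pre-install scanner that tokenizes and normalizes identifiers, rather than grepping raw bytes, therefore sees through this trick; the same check also flags any non-ASCII identifier in a `setup.py` as worth a closer look.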

Phylum’s assessment of the attack

  • The author of onyxproxy appears unsophisticated, having simply copied code from various sources and pasted it together.
  • The obfuscation technique used is not present in other parts of the code in setup.py.
  • Multiple Python modules are imported numerous times, for instance, ‘os’ is imported nine times.
  • The original author of the obfuscated code seems to have a good understanding of how to utilize the Python interpreter’s internals to produce a new form of obscured code.
  • The new form of obfuscated code is somewhat legible without revealing precisely what the code is attempting to pilfer.

Phylum says it will closely monitor this technique, since it has already succeeded in the wild, and expects others to copy and refine it to target developers.

“An obvious and immediate benefit of this strange scheme is readability. Moreover, these visible differences do not prevent the code from running, which it does.”

Concluding remarks

While the foundation of this particular attack seems weak, newer fraudulent Python packages are already fetching obfuscated code from remote servers. Stay alert and keep informed.

Author: PureVPN

Date: March 27, 2023
