
Malicious Python Package Uses Unicode Trickery to Evade Detection and Steal Data

Mar 24, 2023 | Ravie Lakshmanan | DevSecOps / Software Security

A malicious Python package on the Python Package Index (PyPI)
repository has been found to use Unicode as a trick to evade
detection and deploy an info-stealing malware.

The package in question, named onyxproxy[1], was uploaded to PyPI on
March 15, 2023, and comes with capabilities to harvest and
exfiltrate credentials and other valuable data. It has since been
taken down, but not before attracting a total of 183 downloads[2].

According to software supply chain security firm Phylum, the
package incorporates its malicious behavior in a setup script
that’s packed with thousands of seemingly legitimate code
strings.

These strings are written in a mix of bold and italic Unicode
letterforms; they remain readable and are still parsed by the Python
interpreter, and their purpose is to trigger execution of the stealer
malware upon installation of the package.

“An obvious and immediate benefit of this strange scheme is
readability,” the company noted[3]. “Moreover, these
visible differences do not prevent the code from running, which it
does.”

This is made possible by the use of Unicode variants of what appears
to be the same character (aka homoglyphs[4]): the ASCII identifier
self and a look-alike spelled with Unicode mathematical letters are
accepted by the interpreter as the same name, which lets the package
camouflage its true colors among innocuous-looking functions and
variables.

The use of Unicode to inject vulnerabilities into source code
was previously disclosed by Cambridge University researchers
Nicholas Boucher and Ross Anderson in an attack technique dubbed
Trojan Source[5].
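Both tricks mentioned above, homoglyph identifiers that Python folds to their ASCII form and the Trojan Source bidirectional control characters, can be caught with a short static check before a package is installed. The script below is an added example, not code from the article, from Phylum, or from the onyxproxy package; the sample source it scans is constructed for the demonstration, and its function names are the author's own. It relies on the fact that the Python parser applies NFKC normalization to identifiers, so the raw spelling seen in the file and the name that is actually bound at runtime can differ.

```python
import ast
import io
import tokenize
import unicodedata

# Constructed sample, not the onyxproxy setup script: a method whose "self"
# parameter and "exec" call are spelled with Unicode Mathematical Sans-Serif
# small letters (U+1D5BA..U+1D5D3). The parser normalizes identifiers to NFKC,
# so at runtime these are the ordinary ASCII names "self" and "exec".
HOMOGLYPH_SELF = "\U0001d5cc\U0001d5be\U0001d5c5\U0001d5bf"   # renders like "self"
HOMOGLYPH_EXEC = "\U0001d5be\U0001d5d1\U0001d5be\U0001d5bc"   # renders like "exec"

SAMPLE_SOURCE = (
    "import base64\n"
    "class Loader:\n"
    f"    def run({HOMOGLYPH_SELF}, payload):\n"
    f"        return {HOMOGLYPH_EXEC}(base64.b64decode(payload))\n"
    "\n"
    "# Trojan Source style control character hidden in a comment: \u202e\n"
)

# Bidirectional embedding/override/isolate controls abused by Trojan Source.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def find_homoglyph_identifiers(source: str) -> list[tuple[int, str, str]]:
    """Return (line, raw_identifier, nfkc_form) for every identifier whose
    NFKC normalization differs from the spelling in the file. The raw form
    is what a reviewer or a string-matching scanner sees; the NFKC form is
    what the interpreter binds and calls."""
    findings = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME or tok.string.isascii():
            continue
        nfkc = unicodedata.normalize("NFKC", tok.string)
        if nfkc != tok.string:
            findings.append((tok.start[0], tok.string, nfkc))
    return findings


def find_bidi_controls(source: str) -> list[tuple[int, int, str]]:
    """Return (line, column, unicode_name) for each bidi control character
    anywhere in the text, comments and string literals included, since
    that is where Trojan Source places them."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, unicodedata.name(ch)))
    return findings


def parsed_name(raw_identifier: str) -> str:
    """Show what the interpreter actually binds: parse a one-line assignment
    to the raw spelling and read back the identifier carried by the AST."""
    module = ast.parse(f"{raw_identifier} = 0")
    return module.body[0].targets[0].id


if __name__ == "__main__":
    for line, raw, nfkc in find_homoglyph_identifiers(SAMPLE_SOURCE):
        print(f"line {line}: identifier {raw!r} normalizes to {nfkc!r}")
    for line, col, name in find_bidi_controls(SAMPLE_SOURCE):
        print(f"line {line} col {col}: {name}")
    print("parser binds:", parsed_name(HOMOGLYPH_EXEC))
```

Run it over a package's setup.py and module files before installation: any identifier whose NFKC form differs from its raw spelling deserves a manual look, because a plain grep for exec, eval, or requests will never match the homoglyph spelling, while the interpreter calls exactly those functions.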

What the method lacks in sophistication, it makes up for by
creating a novel piece of obfuscated code, despite exhibiting
telltale signs of copy-paste efforts from other sources.


The development highlights continued attempts[7] on the part of
threat actors to find new ways to slip through string-matching
based defenses, leveraging “how the Python interpreter handles
Unicode to obfuscate their malware.”

On a related note, Canadian cybersecurity company PyUp detailed[8]
the discovery of three new fraudulent Python packages – aiotoolbox,
asyncio-proxy, and pycolorz – that were downloaded cumulatively
over 1,000 times and designed to retrieve obfuscated code from a
remote server.


References

  1. onyxproxy (pyup.io)
  2. 183 downloads (pepy.tech)
  3. noted (blog.phylum.io)
  4. homoglyphs (en.wikipedia.org)
  5. Trojan Source (thehackernews.com)
  6. RESERVE YOUR SEAT (thn.news)
  7. continued attempts (thehackernews.com)
  8. detailed (pyup.io)
  9. Twitter (twitter.com)
  10. LinkedIn (www.linkedin.com)
