
A malicious Python package in the Python Package Index (PyPI) repository was found to use Unicode as a trick to evade detection and deploy information-stealing malware.
The package in question, named onyxproxy, was uploaded to PyPI on March 15th, 2023 and has the ability to collect and extract credentials and other valuable data. It has since been removed, but not before accumulating a total of 183 downloads.
According to software supply chain security firm Phylum, the package incorporates malicious behavior into a setup script stuffed with thousands of seemingly legitimate code strings.
These strings mix bold and italic Unicode variants of ordinary letters; they remain readable and are still parsed by the Python interpreter, and their only purpose is to trigger execution of the stealer malware when the package is installed.
“The obvious and direct benefit of this strange scheme is readability,” the company said. “Furthermore, these visible differences do not prevent the code from running.”
This is made possible by using Unicode variants (aka homoglyphs) of what look like the same characters to disguise the malicious identifiers (e.g. self and 𝘀𝘦𝘭𝘧) among harmless-looking functions and variable names.
The use of Unicode to inject vulnerabilities into source code was previously uncovered by University of Cambridge researchers Nicholas Boucher and Ross Anderson in an attack technique called Trojan Source.
What this method lacks in sophistication, it makes up for in creating new obfuscated code, even though it shows obvious signs of copy-and-paste efforts from other sources.
The development highlights an ongoing effort by some attackers to find new ways to evade string-matching-based defenses by exploiting “the way the Python interpreter handles Unicode to obfuscate malware.”
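As an added illustration (not code from the article, Phylum, or the package itself), the script below shows why plain string matching misses this trick and how to flag it: Python folds identifiers to NFKC form (PEP 3131), so a non-ASCII name like 𝘀𝘦𝘭𝘧 binds the same variable as self. The sample source is constructed to mimic the style described; the `tokenize`-based scan lists every non-ASCII identifier together with the ASCII name it collapses to, which is what a package scanner should inspect in a setup script.

```python
import io
import tokenize
import unicodedata

# Constructed sample in the style the article describes: identifiers spelled with
# Mathematical Alphanumeric Symbols (bold / italic look-alikes) that NFKC-fold to
# plain ASCII names. The interpreter treats each spelling as the same variable.
SAMPLE = (
    "import 𝗼𝘀 as 𝘰𝘴\n"
    "def 𝗿𝘂𝗻(𝘀𝘦𝘭𝘧, cmd):\n"
    "    return 𝘴𝘦𝘭𝘧.exec(cmd)\n"
    "plain_ascii = 1\n"
)


def non_ascii_identifiers(source: str):
    """Yield (raw_spelling, nfkc_folded) for every NAME token that is not pure ASCII.

    tokenize returns the identifier as written in the file, so a grep for 'self'
    would miss 𝘀𝘦𝘭𝘧 even though the compiler later folds it to 'self'.
    """
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME and not tok.string.isascii():
            yield tok.string, unicodedata.normalize("NFKC", tok.string)


def find_homoglyph_identifiers(source: str) -> dict:
    """Map each NFKC-folded name to the set of distinct non-ASCII spellings seen.

    Several spellings folding to one name (e.g. two variants of 'self') is a strong
    obfuscation signal; a single non-ASCII identifier in an otherwise ASCII setup
    script is worth a manual look as well.
    """
    found = {}
    for raw, folded in non_ascii_identifiers(source):
        found.setdefault(folded, set()).add(raw)
    return found


def interpreter_folds(name: str) -> str:
    """Demonstrate the interpreter's own behaviour: bind a non-ASCII identifier in a
    fresh namespace and return the key that actually lands there (the NFKC form)."""
    namespace = {}
    exec(f"{name} = 1", namespace)  # constructed one-line assignment, nothing else
    return next(k for k in namespace if k != "__builtins__")


if __name__ == "__main__":
    for folded, spellings in find_homoglyph_identifiers(SAMPLE).items():
        print(f"{folded!r} written as {sorted(spellings)}")
    print("𝘀𝘦𝘭𝘧 binds:", interpreter_folds("𝘀𝘦𝘭𝘧"))
```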
In a related note, Canadian cybersecurity firm PyUp detailed its discovery of three new rogue Python packages: aiotoolbox, asyncio-proxy, and pycolorz. These have been downloaded over 1,000 times in total and are designed to retrieve obfuscated code from remote servers.