Security researchers at ReversingLabs have discovered a new attack that uses compiled Python code to evade detection.
According to Karlo Zanki, a reverse engineer at ReversingLabs, this may be the first example of a supply chain attack that leverages the ability to execute Python bytecode (PYC) files directly.
The method points to a further supply chain weakness, since most security tools scan only Python source (PY) files and may miss attacks of this kind. Zanki said the finding coincided with an increase in malicious submissions to the Python Package Index (PyPI).
ReversingLabs reported the discovered package, fshec2, to the PyPI security team, which confirmed that it was a never-before-seen attack and said it had removed the package from the PyPI repository the same day.
“This is a compelling new variation on the more common supply chain attack, where attackers drop malicious libraries into public repositories,” explained Mike Parkin, senior technical engineer at Vulcan Cyber.
“Some techniques are utilized to help circumvent existing security tools, but may cause problems until tools are updated to handle compiled Python code.”
In fact, the attackers used their own loading technique, built on Python’s importlib module, to evade detection.
“This obfuscation technique allows compiled code to pass through security scanners. Catching this kind of code requires static analysis of the source code, which is compiled. This makes it difficult, if not impossible,” commented Timothy Morris, Chief Security Advisor at Tanium.
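The scanning gap Zanki and Morris describe (tools inspect .py files and overlook bytecode) can be narrowed with a simple package-level check. The following is an added example written for this article, not ReversingLabs’ tooling and not code from the fshec2 package. It assumes a package is a directory tree, treats any .pyc outside __pycache__ with no sibling .py of the same stem as an orphan, and flags source files that reference the standard-library names used to execute bytecode without a source file (SourcelessFileLoader, marshal.loads, imp.load_compiled). The sample package it builds in a temporary directory is constructed for the demonstration and contains only a harmless compiled function.

```python
"""Added example, not ReversingLabs' code: flag a package that ships Python
bytecode without source, plus the source files that name a loader for it.

Assumptions (mine, not from the article): a package is a directory tree; a
.pyc that sits outside __pycache__ and has no sibling .py of the same stem is
an "orphan"; a .py that names importlib's sourceless loader, marshal.loads or
the old imp.load_compiled is a candidate loader for such a file.
"""
import py_compile
import re
import tempfile
from pathlib import Path

# Standard-library names that execute compiled code without a source file.
LOADER_PATTERN = re.compile(r"\b(SourcelessFileLoader|load_compiled|marshal\.loads)\b")


def has_pyc_magic(path: Path) -> bool:
    """True if the file starts with a CPython bytecode magic number.

    Every CPython magic is two version bytes followed by b"\\r\\n", so this
    accepts .pyc files from any interpreter version, not only the running one.
    """
    with path.open("rb") as fh:
        head = fh.read(4)
    return len(head) == 4 and head[2:] == b"\r\n"


def scan_package(root: Path) -> list:
    """Walk the tree and return a list of findings (dicts) a reviewer can act on."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".pyc":
            in_cache = "__pycache__" in path.parts
            has_source = path.with_suffix(".py").exists()
            if not in_cache and not has_source:
                findings.append({
                    "file": rel,
                    "reason": "orphan-pyc",
                    "valid_magic": has_pyc_magic(path),
                })
        elif path.suffix == ".py":
            text = path.read_text(encoding="utf-8", errors="replace")
            for match in LOADER_PATTERN.finditer(text):
                findings.append({"file": rel, "reason": "sourceless-loader:" + match.group(1)})
    return findings


def build_sample_package() -> Path:
    """Construct a throwaway package (constructed data) mimicking the situation the
    article describes: a bytecode-only module beside a source file that names a loader."""
    root = Path(tempfile.mkdtemp(prefix="pkgscan_"))
    pkg = root / "sample_pkg"
    pkg.mkdir()
    # A harmless module, compiled to a .pyc with no .py beside it; the source is then removed.
    src = root / "helper_src.py"
    src.write_text("def greet():\n    return 'hello'\n")
    py_compile.compile(str(src), cfile=str(pkg / "compiled_module.pyc"), doraise=True)
    src.unlink()
    # The package entry point only references the loader name; nothing is executed here.
    (pkg / "__init__.py").write_text(
        "from importlib.machinery import SourcelessFileLoader\n"
        "# the loading call itself is deliberately left out of this sample\n"
    )
    (pkg / "clean.py").write_text("def ok():\n    return 1\n")
    return root


if __name__ == "__main__":
    for finding in scan_package(build_sample_package()):
        print(finding)
```

Run it directly to see the two findings on the constructed package, or point scan_package at an extracted sdist or wheel before installation. A valid magic number on an orphan .pyc is the signal that the file is executable bytecode rather than stray data, and a loader reference in the same package is what turns that file from an oddity into something worth pulling apart.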
The malware had a command and control (C2) infrastructure that could evolve by downloading new commands from remote servers.
The ReversingLabs team also found a misconfiguration of the attacker’s web host, which provided insight into the functionality of the malware. According to the company’s advisory, the attack infected at least two targets and collected usernames, hostnames and directory listings.
“The novelty of the PyPI malware identified by ReversingLabs is reminiscent of some of the hallmarks of DLL hijacking: essentially malicious code can be loaded by trusted applications,” said Andrew Barratt, Vice President of Coalfire.
“The problem is that some attackers are intentionally targeting code repositories using these techniques, clearly aiming for a mass deployment vector that feels like a precursor to a ransomware campaign.”
ReversingLabs’ discovery comes a few weeks after Cyble revealed another malicious PyPI package with information-stealing capabilities.