Researchers have discovered a new attack against the Python Package Index (PyPI) repository that uses compiled Python code to evade detection by application security tools.
“This may be the first supply chain attack to take advantage of the fact that Python bytecode (PYC) files can be directly executed,” ReversingLabs analyst Carlo Zanchi said in a report shared with The Hacker News. ‘ said.
The package in question is fshec2was removed from the package registry on April 17, 2023, following responsible disclosure on the same day.
A PYC file is a compiled bytecode file produced by the Python interpreter when running a Python program.
“When a module is imported for the first time (or when the source file is changed since the current compiled file was created), the .pyc file containing the compiled code is placed in the __pycache__ sub of the directory containing the .py file. should be created in the directory.” explains the Python documentation.
According to a software supply chain security company, the package contains three files (_init_.py, main.py, full.pyc), the last of which contains malicious functionality.
“The entry point for the package was found in the __init__.py file. This file imports functions from another plaintext file main.py. This file contains the Python compilation found in one of the other files. It contains the Python source code responsible for loading the pre-loaded modules, “full.pyc,” Zanki noted.
This is achieved by utilizing the importlib package (as opposed to regular imports) to load and execute code residing in .pyc files.
Analysis of the reverse-engineered version of the PYC file reveals that this file not only collects usernames, hostnames, and a list of directories, but also commands to be executed on the host from a hard-coded server (13.51.44). It becomes clear that it is configured to get[.]246).
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join us for an insightful webinar!
join the session
ReversingLabs also observed that this module downloads and executes another Python script responsible for picking up new commands placed within the file. This script could be arbitrarily tweaked by the threat actor to issue different instructions.
Further investigation of the command and control server revealed a misconfiguration that allowed files to be downloaded by sequentially numbered IDs (starting at 1) without requiring any permissions. This indicates that the attack was likely not orchestrated by a sophisticated attacker.
This development is a continuation of efforts on the part of threat actors to employ various obfuscation techniques to evade detection from security solutions.
“Loader scripts, such as those found in the fshec2 package, contain minimal Python code and perform the simple action of loading compiled Python modules,” Zanki said. “It just happened to be a malicious module.”
