Threat actors building Python malware are getting better, and their payloads harder to detect, researchers have claimed.
Analyzing a recently-detected malicious payload, JFrog reported how the attackers used a new technique – anti-debugging code – to make it harder for researchers to analyze the payloads and understand the logic behind the code.
In addition to “regular” obfuscation tools and techniques, the hackers behind the “cookiezlog” package used anti-debugging code as a way to thwart dynamic analysis tools.
First time
According to JFrog, this is the first time such a method was spotted in any PyPI malware.
“Most PyPI malware today tries to avoid static detection using various techniques: starting from primitive variable mangling to sophisticated code flattening and steganography techniques,” the researchers explain in a blog post (opens in new tab).
“Use of these techniques makes the package extremely suspicious, but it does prevent novice researchers from understanding the exact operation of the malware using static analysis tools. However – any dynamic analysis tool, such as a malware sandbox, quickly removes the malware’s static protection layers and reveals the underlying logic.”
The hackers’ efforts seem futile, as JFrog’s researchers managed to work around the workarounds and peek right into the payload. Following an analysis, the researchers described the payload as “disappointingly simple” compared to the effort made to keep it hidden. It’s still harmful though, as cookiezlog is a password grabber capable of stealing “autocomplete” passwords saved in data caches of popular browsers.
The intelligence gathered is then sent to the attackers via a Discord hook that acts as a command & control server.
Unfortunately, JFrog did not reveal the name of the group behind the malware, or the distribution techniques used to land the password grabber onto the victims’ endpoints. Regardless, news of PyPI malware is more frequent, suggesting that Python developers have become a major target.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba