A malicious Python package on the Python Package Index (PyPI) repository has been found to use Unicode as a trick to evade detection and deploy info-stealing malware.
The package in question, named onyxproxy, was uploaded to PyPI on March 15, 2023, and comes with capabilities to harvest and exfiltrate credentials and other valuable data. It has since been taken down, but not before attracting a total of 183 downloads.
According to software supply chain security firm Phylum, the package hides its malicious behavior in a setup script that is packed with thousands of seemingly legitimate code strings.
These strings mix characters from the Unicode Mathematical Alphanumeric Symbols block that render in bold and italic faces. They remain readable and are parsed without complaint by the Python interpreter, which then executes the stealer upon installation of the package.
“An obvious and immediate benefit of this strange scheme is readability,” the company noted. “Moreover, these visible differences do not prevent the code from running, which it does.”
This is made possible by the use of Unicode variants of what appears to be the same character (aka homoglyphs) to hide its true colors (e.g., self vs. 𝘀𝘦𝘭𝘧) among innocuous-looking functions and variables. The mechanism is Python’s own identifier handling: since PEP 3131, every identifier is normalized to Unicode NFKC form at parse time, so 𝘀𝘦𝘭𝘧 and self are the same name to the interpreter, while a byte- or string-level scan for self never matches the styled spelling.
The use of Unicode to inject vulnerabilities into source code was previously disclosed by Cambridge University researchers Nicholas Boucher and Ross Anderson in an attack technique dubbed Trojan Source.
What the method lacks in sophistication, it makes up for by producing a novel piece of obfuscated code, even though it shows telltale signs of copy-paste from other sources.
The development highlights continued attempts by threat actors to find new ways to slip past string-matching-based defenses, leveraging “how the Python interpreter handles Unicode to obfuscate their malware.”
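The following is an added example, not code from the original article, from Phylum, or from the onyxproxy package. It shows the two halves of the point made above: first that Python really does treat NFKC-equivalent spellings as one identifier, and second the check a string-matching defense is missing, namely tokenizing the file and flagging every identifier whose NFKC form differs from what was written. The `to_math_font` helper, the `SAMPLE_SETUP` source and every name in it are constructed for this example; the only real facts relied on are the Unicode code point ranges for the sans-serif bold and sans-serif italic mathematical letters and Python’s NFKC normalization of identifiers.

```python
import io
import tokenize
import unicodedata

# Code point of capital "A" in two styles of the Unicode Mathematical
# Alphanumeric Symbols block (U+1D400..U+1D7FF). Both runs are contiguous
# A-Z then a-z with no unassigned gaps, so a fixed offset is enough.
_STYLE_BASE = {
    "bold": 0x1D5D4,    # MATHEMATICAL SANS-SERIF BOLD CAPITAL A
    "italic": 0x1D608,  # MATHEMATICAL SANS-SERIF ITALIC CAPITAL A
}


def to_math_font(text: str, style: str) -> str:
    """Rewrite ASCII letters in `text` as styled mathematical letters.

    The result looks like `text` in an editor but consists of different
    code points; NFKC maps each styled letter back to its ASCII base.
    """
    base = _STYLE_BASE[style]
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr(base + ord(ch) - ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr(base + 26 + ord(ch) - ord("a")))
        else:
            out.append(ch)  # digits, underscores, etc. are left alone
    return "".join(out)


def homoglyph_identifiers_resolve_to_same_name() -> bool:
    """Demonstrate PEP 3131 NFKC normalization of identifiers.

    `secret` is assigned under a bold spelling and read back under an
    italic spelling; both collapse to the ASCII name `secret`, so the
    read succeeds. The assigned value is a constructed placeholder.
    """
    src = (
        f"{to_math_font('secret', 'bold')} = 'token-123'\n"
        f"leaked = {to_math_font('secret', 'italic')}\n"
    )
    ns: dict = {}
    exec(compile(src, "<constructed-sample>", "exec"), ns)
    return ns.get("leaked") == "token-123" and "secret" in ns


def find_normalized_identifiers(source: str) -> list:
    """Return (line, as_written, nfkc_form) for every NAME token whose
    spelling changes under NFKC, i.e. the name the interpreter will bind
    differs from what a reader (or a grep) sees.

    Legitimate non-ASCII identifiers such as `café` are unchanged by NFKC
    and are therefore not reported, which keeps the check low-noise.
    """
    hits = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME:
            normalized = unicodedata.normalize("NFKC", tok.string)
            if normalized != tok.string:
                hits.append((tok.start[0], tok.string, normalized))
    return hits


# Constructed stand-in for a setup.py that uses the onyxproxy-style trick.
# The base64-looking value is a placeholder, not real payload data.
SAMPLE_SETUP = "\n".join([
    "from setuptools import setup",
    f"{to_math_font('payload', 'bold')} = 'placeholder-blob'",
    f"def {to_math_font('run', 'italic')}({to_math_font('self', 'bold')}):",
    "    café = 1  # legitimate non-ASCII identifier, unchanged by NFKC",
    f"    return {to_math_font('self', 'italic')}",
    "setup(name='example-pkg')",
])


if __name__ == "__main__":
    print("homoglyph read-back works:", homoglyph_identifiers_resolve_to_same_name())
    for line, written, normalized in find_normalized_identifiers(SAMPLE_SETUP):
        print(f"line {line}: {written!r} is bound as {normalized!r}")
```

Run against a real `setup.py`, the scanner reports each styled identifier together with the plain name Python will actually bind, which is the form a string-matching rule should be written against. Note that the check is deliberately narrow: it flags only spellings that NFKC changes, so ordinary accented or non-Latin identifiers are not false positives, while Trojan Source-style bidirectional control characters are a separate problem that this tokenizer-based check does not cover.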
On a related note, Canadian cybersecurity company PyUp detailed the discovery of three new fraudulent Python packages – aiotoolbox, asyncio-proxy, and pycolorz – that were downloaded cumulatively over 1,000 times and were designed to retrieve obfuscated code from a remote server.