Home » Python malware is using a devious new technique

Python malware is using a devious new technique

0 comment

Threat actors building Python malware are getting better, and their payloads harder to detect, researchers have claimed.

Analyzing a recently-detected malicious payload, JFrog reported how the attackers used a new technique – anti-debugging code – to make it harder for researchers to analyze the payloads and understand the logic behind the code. 

In addition to “regular” obfuscation tools and techniques, the hackers behind the “cookiezlog” package used anti-debugging code as a way to thwart dynamic analysis tools.
First time

According to JFrog, this is the first time such a method was spotted in any PyPI malware.

“Most PyPI malware today tries to avoid static detection using various techniques: starting from primitive variable mangling to sophisticated code flattening and steganography techniques,” the researchers explain in a blog post.

“Use of these techniques makes the package extremely suspicious, but it does prevent novice researchers from understanding the exact operation of the malware using static analysis tools. However – any dynamic analysis tool, such as a malware sandbox, quickly removes the malware’s static protection layers and reveals the underlying logic.”

Read more

> Malicious PyPi packages turn Discord into password-stealing malware> This random image is spreading a malicious PyPl package using GitHub> These are the best Python online courses

The hackers’ efforts seem futile, as JFrog’s researchers managed to work around the workarounds and peek right into the payload. Following an analysis, the researchers described the payload as “disappointingly simple” compared to the effort made to keep it hidden. It’s still harmful though, as cookiezlog is a password grabber capable of stealing “autocomplete” passwords saved in data caches of popular browsers.

The intelligence gathered is then sent to the attackers via a Discord hook that acts as a command & control server.

Unfortunately, JFrog did not reveal the name of the group behind the malware, or the distribution techniques used to land the password grabber onto the victims’ endpoints. Regardless, news of PyPI malware is more frequent, suggesting that Python developers have become a major target. 

Check out the best endpoint protection right now

Source: Read More

You may also like

Leave a Comment


Cybernonstop is created to bring news and knowledge through articles to visitors.

Do not forget to subscribe.

Laest News

@2021 – All Right Reserved. Designed and Developed by PenciDesign