    Malicious PyPI Packages Using Compiled Python Code to Bypass Detection

    By justmattg, June 1, 2023


    Jun 01, 2023Ravie LakshmananProgramming / Supply Chain


    Researchers have discovered a novel attack on the Python Package Index (PyPI) repository that employs compiled Python code to sidestep detection by application security tools.

    “It may be the first supply chain attack to take advantage of the fact that Python bytecode (PYC) files can be directly executed,” ReversingLabs analyst Karlo Zanki said in a report shared with The Hacker News.

    The package in question is fshec2, which was removed from the package registry on April 17, 2023, following responsible disclosure on the same day.

    PYC files hold the bytecode the Python interpreter produces when it compiles a module; the interpreter caches them on disk so that the module does not need to be recompiled the next time it is imported.

    “When a module is imported for the first time (or when the source file has changed since the current compiled file was created) a .pyc file containing the compiled code should be created in a __pycache__ subdirectory of the directory containing the .py file,” explains the Python documentation.

    The package, per the software supply chain security firm, contains three files – __init__.py, main.py, and full.pyc – the last of which harbors malicious functionality.

    “The entry point of the package was found in the __init__.py file, which imports a function from the other plaintext file, main.py, which contains Python source code responsible for loading of the Python compiled module located in one of the other files, full.pyc,” Zanki pointed out.


    This, in turn, is achieved by making use of the importlib package (as opposed to a regular import) to load and execute the code present in the .pyc file.

    An analysis of the reverse-engineered version of the PYC file reveals that it’s configured to collect usernames, hostnames, and directory listings, as well as fetch commands to be executed on the host from a hard-coded server (13.51.44[.]246).


    ReversingLabs said it also observed the module download and run another Python script that’s responsible for fetching new commands placed within a file that can be tweaked at will by the threat actor to issue different instructions.

    Further examination of the command-and-control server unearthed a misconfiguration that made it possible to download files by their ID, which are numbered in sequential order (starting from 1), sans any authorization. This indicates that the attack was most likely not orchestrated by a sophisticated actor.

    The development is a continuation of efforts on the part of threat actors to adopt different obfuscation techniques in order to evade detection from security solutions.

    “Loader scripts such as those discovered in the fshec2 package contain a minimal amount of Python code and perform a simple action: loading of a compiled Python module,” Zanki said. “It just happens to be a malicious module.”
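The two tell-tale properties described above, a .pyc shipped outside __pycache__ and a minimal plaintext loader that hands it to importlib rather than importing it normally, are cheap to check for before a package is installed. The script below is an added example, not ReversingLabs' tooling and not code from the fshec2 package: it decodes the PEP 552 header of any stray .pyc it finds, flags .py files that contain bytecode-loading indicators, and builds a benign fixture with the same __init__.py -> main.py -> full.pyc layout (compiled here from a harmless one-line stub) so the check can be exercised offline. The package name `fshec2_like`, the regex indicator list and the stub contents are constructed for the example.

```python
"""Triage check for the loader pattern the article describes: a plaintext
module that hands a .pyc shipped outside __pycache__ to importlib.
Added example; it is not ReversingLabs' tooling and does not reproduce
anything from the real fshec2 package."""
import importlib.util
import py_compile
import re
import struct
import tempfile
from pathlib import Path

# Source-level indicators that a .py file loads bytecode directly instead of
# using a normal import statement (list constructed for this example).
LOADER_PATTERNS = {
    "spec_from_file_location": re.compile(r"importlib\.util\.spec_from_file_location"),
    "SourcelessFileLoader": re.compile(r"importlib\.machinery\.SourcelessFileLoader"),
    "marshal.load": re.compile(r"\bmarshal\.loads?\("),
    "pyc_literal": re.compile(r"\.pyc['\"]"),
}


def parse_pyc_header(path):
    """Decode the 16-byte PEP 552 header: 4-byte magic, 4-byte flags, then
    either (mtime, source size) or the first 8 bytes of the source hash."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if len(head) < 16 or head[2:4] != b"\r\n":
        return None
    flags, word3, word4 = struct.unpack("<III", head[4:])
    return {
        # True only if the bytecode targets the interpreter running this scan.
        "magic_ok": head[:4] == importlib.util.MAGIC_NUMBER,
        "hash_based": bool(flags & 1),
        "check_source": bool(flags & 2),
        "word3": word3,
        "word4": word4,
    }


def scan_package(root):
    """Walk an unpacked package and report stray .pyc files plus any .py file
    containing a bytecode-loading indicator."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".pyc" and "__pycache__" not in path.parts:
            findings.append({"file": rel, "kind": "stray_pyc",
                             "header": parse_pyc_header(path)})
        elif path.suffix == ".py":
            text = path.read_text(errors="replace")
            hits = [name for name, pat in LOADER_PATTERNS.items() if pat.search(text)]
            if hits:
                findings.append({"file": rel, "kind": "bytecode_loader",
                                 "indicators": hits})
    return findings


def build_sample_package(base):
    """Constructed fixture with the layout the report describes
    (__init__.py -> main.py -> full.pyc). The .pyc is compiled here from a
    harmless one-line stub, so the fixture is benign."""
    pkg = Path(base) / "fshec2_like"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("from .main import run\n")
    (pkg / "main.py").write_text(
        "import importlib.util\n"
        "import os\n"
        "\n"
        "def run():\n"
        "    path = os.path.join(os.path.dirname(__file__), 'full.pyc')\n"
        "    spec = importlib.util.spec_from_file_location('full', path)\n"
        "    mod = importlib.util.module_from_spec(spec)\n"
        "    spec.loader.exec_module(mod)\n"
        "    return mod\n"
    )
    stub = pkg / "full_stub.py"
    stub.write_text("GREETING = 'benign stand-in for the compiled module'\n")
    py_compile.compile(str(stub), cfile=str(pkg / "full.pyc"), doraise=True)
    stub.unlink()  # only the compiled artifact ships, as in the report
    return pkg


def demo():
    """Build the fixture in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        return scan_package(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against an unpacked sdist or wheel directory with `scan_package(path)`. A stray .pyc whose magic does not match the scanning interpreter is still worth a look (it was built for some other Python version), and a loader hit in a file with only a handful of lines is exactly the "minimal amount of Python code" shape the report calls out; neither finding proves malice on its own, but both justify decompiling the bytecode before trusting the package.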
