- 오디오에서 추론→음성 생성→실시간 소통···구글, “대화가 AI와 소통하는 핵심적인 방법될 것”
- AI의 ROI : 과대포장보다 실질적인 효과가 중요한 이유
- Apple doesn't need better AI as much as AI needs Apple to bring its A-game
- I tested a Pixel Tablet without any Google apps, and it's more private than even my iPad
- My search for the best MacBook docking station is over. This one can power it all
Malicious PyPI Packages Use Compiled Python Code to Bypass Detection
Security researchers at ReversingLabs have discovered a novel attack that used compiled Python code to evade detection.
According to ReversingLabs reverse engineer Karlo Zanki, this could be the first instance of a supply chain attack capitalizing on the direct execution capability of Python byte code (PYC) files.
The method introduces another supply chain vulnerability for the future, as most security tools solely scan Python source code (PY) files, making them susceptible to missing such attacks. Zanki said it coincides with an increase in harmful submissions to the Python Package Index (PyPI).
Read more on malicious PyPI packages: Researchers Uncover 7000 Malicious Open Source Packages
ReversingLabs also said it reported the discovered package, fshec2, to the PyPI security team, who acknowledged that it was a previously unseen attack and removed it from the PyPI repository the same day.
“This is a fascinating new variation of the more common supply chain attack, where a threat actor drops a malicious library into a public repository,” explained Mike Parkin, Senior Technical Engineer at Vulcan Cyber.
“It’s utilizing some techniques that will help it evade existing security tools, which may be problematic until the tools are updated to handle compiled Python code.”
In fact, the attackers used a unique loading technique that employed the Importlib module to avoid detection.
“This obfuscation technique allows the compiled code to get past security scanners. Catching this type of code requires static analysis of the source code, which is difficult, if not impossible, because it is compiled,” commented Timothy Morris, chief security advisor at Tanium.
The malware then had a command-and-control (C2) infrastructure that allowed it to evolve by downloading new commands from a remote server.
The ReversingLabs team also found misconfigurations in the attacker’s web host, which provided insights into the malware’s capabilities. According to the company’s advisory, the attack infected at least two targets, harvesting usernames, hostnames and directory listings.
“The novelty of the PyPi malware that ReversingLabs identified reminds me of some of the characteristics of a DLL hijack – essentially where rogue code can be loaded by a trusted application,” said Andrew Barratt, vice president at Coalfire.
“The troubling part is that we’ve got attackers deliberately targeting code repositories with these techniques clearly looking for a mass deployment vector which starts to feel like the precursor to a ransomware campaign.”
The ReversingLabs discovery comes weeks after Cyble shed light on a separate malicious PyPI with information-stealing capabilities.
Editorial image credit: Trismegist san / Shutterstock.com
