Malicious Python Package Uses Unicode Trickery to Evade Detection and Steal Data


It has been discovered that a malevolent Python program available on the PyPI repository is employing Unicode as a means to avoid being detected while implanting spyware designed to obtain sensitive data.

A program called onyxproxy was added to PyPI on March 15, 2023. This software is able to collect and steal important information, such as passwords. Even though it has been removed, it had been downloaded 183 times before being taken down.

Phylum, a company focused on software supply chain security, has reported that the malicious behavior of a package is hidden within a setup script, which appears to contain numerous legitimate code strings.

The character sequences consist of a combination of bold and italic fonts but can still be easily read and understood by Python's software program. However, upon installing the package, these strings activate the stealer malware.

The company acknowledged that one clear advantage of this unusual plan is improved legibility. Additionally, these visible distinctions do not impede the functionality of the code, as it still operates successfully.

This is achievable by utilizing Unicode versions of a particular symbol, also known as homoglyphs, to disguise its actual identity (for instance self versus 𝘀𝘦𝘭𝘧) amid seemingly harmless variables and functions.

The Trojan Source attack technique, which involves using Unicode to introduce security weaknesses in source code, was uncovered earlier by researchers from Cambridge University named Nicholas Boucher and Ross Anderson.

Although the method is not very refined, it compensates for this by producing a unique and convoluted code, despite showing indications of being copied from other sources.

The paragraph indicates that cyber attackers are persistently trying to evade security measures that rely on string matching, and are now using the Python interpreter's Unicode handling to conceal their malicious software.

Additionally, PyUp, a cybersecurity firm based in Canada, announced the identification of 3 fresh deceitful Python software. These packages, namely aiotoolbox, asyncio-proxy and pycolorz, were collectively downloaded more than 1000 times and were intended to retrieve self-protective code from a distant server.


Post a Comment

Previous Post Next Post