Phylum cybersecurity researchers discovered a new form of malware in a PyPI package that was hidden using Unicode.
Unicode is a global encoding standard that covers over 100,000 characters across many languages and scripts, and is intended to standardise how characters are displayed on electronic and digital devices. With Unicode, every letter, digit and symbol is assigned a unique number that stays the same regardless of the program or platform in use.
The malware, dubbed “onyxproxy,” is an infostealer that targets developer login credentials and authentication tokens. It was available on PyPI for a week before being shut down. During that time, 183 downloads were made. This means that up to 183 different developers are at risk of credential or identity theft.
Hidden in plain sight
The malicious package ships a ‘setup.py’ file which, according to the researchers, contains ‘thousands’ of suspicious code strings built from Unicode character combinations.
On the surface, the characters look normal and harmless, but what the human eye sees is very different from what the program sees.
onyxproxy relies on three important identifiers: “__import__”, “subprocess” and “CryptoUnprotectData”. Each appears in numerous Unicode variants, which makes them ideal for defeating string-matching-based defenses, the researchers explained.
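The reason string matching fails here is that Python normalises identifiers with NFKC before binding them, so a name spelled with fullwidth or mathematical letters is the same identifier at runtime as its ASCII spelling. The scanner below is an added example written for this article, not Phylum's tooling or the onyxproxy code; it tokenises a source file and flags every identifier whose NFKC form differs from how it is written, then checks whether it normalises to one of the three names above. The sample source and its homoglyph spellings are constructed for the demonstration.

```python
"""Scan Python source for Unicode-homoglyph identifiers (added example)."""
import io
import tokenize
import unicodedata

# Python normalizes identifiers with NFKC, so a name spelled with fullwidth or
# mathematical letters is the SAME identifier at runtime as its ASCII spelling,
# while a naive grep for the ASCII spelling never matches it.

# Names the Phylum write-up calls out; extend for your own environment.
SENSITIVE = {"__import__", "subprocess", "CryptoUnprotectData"}


def find_homoglyph_identifiers(source: str):
    """Return (line, raw_spelling, nfkc_form) for every NAME token whose
    NFKC normalization differs from how it is written in the source."""
    hits = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME:
            continue
        norm = unicodedata.normalize("NFKC", tok.string)
        if norm != tok.string:
            hits.append((tok.start[0], tok.string, norm))
    return hits


def sensitive_hits(source: str):
    """Only the hits that normalize to a watched name."""
    return [h for h in find_homoglyph_identifiers(source) if h[2] in SENSITIVE]


# Constructed sample (not the real onyxproxy code). Escapes are used so the
# code points are unambiguous; rendered, they look like ordinary ASCII words.
FULLWIDTH_SUBPROCESS = "\uff53\uff55\uff42\uff50\uff52\uff4f\uff43\uff45\uff53\uff53"  # "subprocess"
FULLWIDTH_DATA = "\uff44\uff41\uff54\uff41"  # "data" (benign decoy)
BOLD_IMPORT = "__\U0001d422\U0001d426\U0001d429\U0001d428\U0001d42b\U0001d42d__"  # "__import__"
SAMPLE = (
    f"import {FULLWIDTH_SUBPROCESS}\n"
    f"{FULLWIDTH_DATA} = {BOLD_IMPORT}('os')\n"
    "x = subprocess.run(['echo'])\n"  # plain ASCII: not flagged
)

if __name__ == "__main__":
    for line, raw, norm in find_homoglyph_identifiers(SAMPLE):
        tag = "SENSITIVE" if norm in SENSITIVE else "benign"
        print(f"line {line}: {raw!r} normalizes to {norm!r} ({tag})")
```

Run over a package's extracted files before installation, any non-empty result from sensitive_hits is worth a manual look, since legitimate code almost never spells these names with non-ASCII letters.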
While this technique may sound complicated, the researchers argue that it is not exactly elegant, though it does require exploiting Unicode to hide malicious Python. If the approach catches on, it could become a cause for concern.
“But whoever this author copied this obfuscated code from was smart enough to know how to use the internals of the Python interpreter to generate new kinds of obfuscated code, which is kind of readable to some extent without revealing too much of what the code is trying to steal,” concludes Phylum.
Via: BleepingComputer