Threat actors building Python malware are getting better and their payloads are harder to detect, researchers claim.
By analyzing recently detected malicious payloads, JFrog reports how attackers are using a new technique — anti-debugging code — to make it harder for researchers to analyze the payload and understand the logic behind the code.
In addition to “regular” obfuscation tools and techniques, hackers behind the “cookiezlog” package also use anti-debugging code to thwart dynamic analysis tools.
The first time
According to JFrog, this is the first time this method has been seen in any PyPI malware.
“Most PyPI malware today tries to avoid static detection using a variety of techniques: from primitive variable mangling to sophisticated code flattening and steganography techniques,” the researchers explained in a blog post.
“The use of these techniques makes the package very suspicious, but it does prevent novice researchers from using static analysis tools to understand the exact operation of the malware. However, any dynamic analysis tool, such as a malware sandbox, can quickly remove the malware’s static layer of protection and reveal the underlying logic.”
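As an added example (not code from the JFrog report or from the cookiezlog package), here is a small static check a package reviewer could run to flag the tracer and debugger probes that anti-debugging code relies on before a payload runs; the indicator list and the sample input are assumptions constructed for this example.

```python
import ast

# Dotted call names commonly used to detect a tracer or debugger (assumed
# indicator set for this example, not the specific checks reported for cookiezlog).
ANTI_DEBUG_CALLS = {
    "sys.gettrace",                                      # tracer attached? (pdb, coverage, sandboxes)
    "ctypes.windll.kernel32.IsDebuggerPresent",          # Windows API debugger check
    "ctypes.windll.kernel32.CheckRemoteDebuggerPresent",
}


def dotted_name(node):
    """Return 'a.b.c' for an Attribute/Name chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(source: str) -> list:
    """Return sorted (line, indicator) tuples for anti-debugging calls in source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in ANTI_DEBUG_CALLS:
                findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample: install-time code that exits when a tracer or debugger is present.
SAMPLE = '''
import sys, ctypes
if sys.gettrace() is not None:
    raise SystemExit
if ctypes.windll.kernel32.IsDebuggerPresent():
    raise SystemExit
print("payload would run here")
'''

if __name__ == "__main__":
    for line, indicator in scan_source(SAMPLE):
        print(f"line {line}: {indicator}")
```

The matcher only sees literal dotted names, so an aliased import (`import sys as s`) or a name built at runtime slips past it; it is a triage aid, not a replacement for running the package in a sandbox.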
The hackers’ efforts appeared to be in vain, as JFrog researchers managed to bypass the protection and peek directly at the payload. After analysis, the researchers described the payload as “disappointingly simple” compared to the efforts made to conceal it. Still, it is harmful, because cookiezlog is a password grabber capable of stealing “autocomplete” passwords kept in the data cache of popular browsers.
The collected data is then sent to the attackers via a Discord webhook that acts as a command and control server.
Unfortunately, JFrog did not disclose the name of the organization behind the malware, nor the distribution technique used to land the password grabber on victim endpoints. Regardless, news of PyPI malware has become more frequent, suggesting that Python developers have become prime targets.