Threat actors often upload malicious packages to the PyPI repository to distribute information-stealing malware. Recently, experts found a malicious package, named onyxproxy, that leveraged Python's Unicode support to obfuscate info-stealing malware.

Usage of Unicode

Phylum researchers found that a threat actor had used a combination of different Unicode fonts in the source code to evade detection.
  • The package's setup.py contained thousands of similar-looking but suspicious identifiers written with a mix of Unicode characters.
  • These identifiers look ordinary to a human reader; the Python interpreter, however, parses the variant characters as equivalent to the standard identifier, and thus executes the malicious code hidden behind them.
  • For instance, there are five possible alternatives for writing the single letter n, and 19 for the letter s. The word __import__ (commonly used in programming) can be written in over one billion different ways, any of which can easily bypass a static, pattern-matching security scan.

How bad is it?

The threat actor published onyxproxy on the platform on March 15 and it amassed 183 downloads before its removal on March 22.
  • Identifiers such as __import__, subprocess, and CryptUnprotectData are ordinary programming constructs which, written plainly, would raise red flags for suspicious activity.
  • Their Unicode equivalents, however, slip past defenses that rely on string-matching scans.
  • By exploiting this fact, the threat actors produced an astronomical number of identifier variants for the same code, all of which evaded defenses built around string matching.
  • Using the malicious package, they harvested and exfiltrated developers' account credentials and other sensitive data from compromised devices.
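The two lists above make the same point: the interpreter treats the Unicode spellings as the plain identifiers, while a byte-level string match does not. The following added example (not code from the article or from the onyxproxy package) shows how a defender can close that gap by normalizing identifiers before matching. It constructs its own sample source and watchlist; the `SAMPLE` text and `WATCHLIST` set are assumptions for illustration.

```python
import ast
import io
import tokenize
import unicodedata

# Names whose presence in a setup.py warrants manual review (constructed watchlist,
# seeded with the identifiers named in the article).
WATCHLIST = {"__import__", "subprocess", "CryptUnprotectData"}

# Constructed sample, not the real onyxproxy code: line 2 spells "subprocess" in
# fullwidth Latin letters (U+FF41..U+FF5A), line 3 spells "import" in mathematical
# bold letters (U+1D41A..U+1D433). Both are legal identifiers to the interpreter.
SAMPLE = (
    "import subprocess\n"
    "\uff53\uff55\uff42\uff50\uff52\uff4f\uff43\uff45\uff53\uff53"
    '.run(["echo", "hello"])\n'
    "__\U0001d422\U0001d426\U0001d429\U0001d428\U0001d42b\U0001d42d__('os')\n"
)

def find_disguised_identifiers(source: str) -> list[dict]:
    """Report NAME tokens whose raw spelling differs from their NFKC form.
    tokenize yields identifiers exactly as written, so the disguise is still
    visible here, while a raw string-matching scan would miss every one of them."""
    findings = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME:
            continue
        normalized = unicodedata.normalize("NFKC", tok.string)
        if normalized == tok.string:
            continue  # plain spelling, nothing hidden
        findings.append({
            "line": tok.start[0],
            "raw": tok.string,
            "normalized": normalized,
            "on_watchlist": normalized in WATCHLIST,
        })
    return findings

def names_seen_by_parser(source: str) -> set[str]:
    """Identifiers as CPython's parser sees them: it NFKC-normalizes every
    identifier, so the disguised spellings collapse onto the plain ASCII names."""
    tree = ast.parse(source)
    return {node.id for node in ast.walk(tree) if isinstance(node, ast.Name)}

if __name__ == "__main__":
    for f in find_disguised_identifiers(SAMPLE):
        flag = "WATCHLIST" if f["on_watchlist"] else "review"
        print(f"line {f['line']}: {f['raw']!r} -> {f['normalized']!r} [{flag}]")
    print("parser sees:", sorted(names_seen_by_parser(SAMPLE)))
```

Running the scanner over a package's setup.py before installation surfaces every identifier whose normalized form differs from its spelling, independent of which of the billion variants was chosen.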

Final words

According to researchers, the threat actor merely copy-pasted the code from various places and intermixed it with malicious code. However, this tactic of abusing Unicode support in Python has proven viable and may attract the attention of other sophisticated attackers soon.
Cyware Publisher