A new Python info-stealing malware is using Unicode to stay undetected


Cybersecurity researchers from Phylum have found a new form of malware in a PyPI package that was using Unicode to hide.

Unicode is a global encoding standard used for different languages and scripts, covering more than 100,000 characters, whose goal is to simplify and streamline how characters are displayed on electronic and digital devices. With Unicode, every letter, digit, and symbol gets a unique numeric value that stays the same regardless of the program or platform in use.

The malware is called “onyxproxy”. It is an infostealer on the hunt for developer login credentials and authentication tokens. It was available on PyPI for a week before being taken down, and during that time it managed to get 183 downloads, meaning that up to 183 different developers are at risk of credential and identity theft.

Hiding in plain sight

The package carries a file called “setup.py” which, according to the researchers, contains “thousands” of suspicious code strings built from combinations of Unicode characters.

On the surface the characters look normal and benign; however, what the human eye sees and what the program sees are two vastly different things.

In onyxproxy, there are three critical identifiers: “__import__”, “subprocess”, and “CryptUnprotectData”. Each has a large number of Unicode spellings, which makes them ideal for beating string-matching-based defenses, the researchers explain.
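The reason so many spellings work is that Python normalizes identifiers with NFKC (PEP 3131), so look-alike letters such as the Mathematical Sans-Serif Bold range collapse to plain ASCII before the interpreter ever sees them. The following is an added example, not Phylum's analysis code or anything from onyxproxy: it builds a constructed sample with disguised names, shows that tokenize still sees the raw spelling while ast only sees the normalized one, and reports which watchlisted names appear in disguise. The `WATCHLIST`, `bold_sans` helper and `SAMPLE` text are assumptions made for the demonstration.

```python
import ast
import io
import tokenize
import unicodedata

# Identifiers the article names as the ones onyxproxy disguises (assumed watchlist).
WATCHLIST = {"__import__", "subprocess", "CryptUnprotectData"}


def bold_sans(name: str) -> str:
    """Fixture helper: rewrite a-z as MATHEMATICAL SANS-SERIF BOLD SMALL letters
    (U+1D5EE..U+1D607), one of the Unicode ranges that NFKC folds back to ASCII."""
    return "".join(chr(0x1D5EE + ord(c) - ord("a")) if "a" <= c <= "z" else c
                   for c in name)


# Constructed sample (not the real onyxproxy setup.py): two identifiers written
# with look-alike letters, exactly as a human reading the file would see them.
SAMPLE = (
    f"{bold_sans('subprocess')} = __{bold_sans('import')}__('subprocess')\n"
    f"print({bold_sans('subprocess')})\n"
)


def scan(source: str):
    """Return (line, identifier as written, NFKC form) for every non-ASCII identifier.
    tokenize works on the raw text, so the disguise is still visible here."""
    hits = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME and not tok.string.isascii():
            hits.append((tok.start[0], tok.string,
                         unicodedata.normalize("NFKC", tok.string)))
    return hits


def watchlist_hits(source: str):
    """Sorted watchlist names that appear in a disguised (non-ASCII) spelling."""
    return sorted({folded for _, _, folded in scan(source) if folded in WATCHLIST})


def ast_names(source: str):
    """Names as the interpreter sees them: the parser applies NFKC (PEP 3131),
    so an AST-only scanner never sees the look-alike spelling at all."""
    return {n.id for n in ast.walk(ast.parse(source)) if isinstance(n, ast.Name)}


if __name__ == "__main__":
    for line, seen, folded in scan(SAMPLE):
        print(f"line {line}: {seen!r} -> {folded!r}")
    print("watchlist:", watchlist_hits(SAMPLE))
    print("AST names:", ast_names(SAMPLE))
```

Because `ast` already returns the folded names, a scanner that wants to flag the disguise itself must work at the token or raw-text level, as `scan` does.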

While the technique might sound complicated, the researchers claim it isn’t exactly sophisticated. However, should the abuse of Unicode for hiding malicious Python code become a trend, it might become cause for concern.

"But, whomever this author copied this obfuscated code from is clever enough to know how to use the internals of the Python interpreter to generate a novel kind of obfuscated code, a kind that is somewhat readable without divulging too much of exactly what the code is trying to steal," concludes Phylum.


Via: BleepingComputer



from TechRadar - All the latest technology news https://ift.tt/dxE3Mi2
via IFTTT

http://www.trendlynews.in/2023/03/a-new-python-info-stealing-malware-is.html