Threat actors building Python malware are getting better, and their payloads harder to detect, researchers have claimed.
Analyzing a recently-detected malicious payload, JFrog reported how the attackers used a new technique – anti-debugging code – to make it harder for researchers to analyze the payloads and understand the logic behind the code.
In addition to “regular” obfuscation tools and techniques, the hackers behind the “cookiezlog” package used anti-debugging code as a way to thwart dynamic analysis tools.
First time
According to JFrog, this is the first time such a method was spotted in any PyPI malware.
“Most PyPI malware today tries to avoid static detection using various techniques: starting from primitive variable mangling to sophisticated code flattening and steganography techniques,” the researchers explain in a blog post (opens in new tab).
“Use of these techniques makes the package extremely suspicious, but it does prevent novice researchers from understanding the exact operation of the malware using static analysis tools. However – any dynamic analysis tool, such as a malware sandbox, quickly removes the malware’s static protection layers and reveals the underlying logic.”
The hackers’ efforts seem futile, as JFrog’s researchers managed to work around the workarounds and peek right into the payload. Following an analysis, the researchers described the payload as “disappointingly simple” compared to the effort made to keep it hidden. It’s still harmful though, as cookiezlog is a password grabber capable of stealing “autocomplete” passwords saved in data caches of popular browsers.
The intelligence gathered is then sent to the attackers via a Discord hook that acts as a command & control server.
Unfortunately, JFrog did not reveal the name of the group behind the malware, or the distribution techniques used to land the password grabber onto the victims’ endpoints. Regardless, news of PyPI malware is more frequent, suggesting that Python developers have become a major target.
