
A Python info-stealing malware uses Unicode to remain undetected

A cybersecurity researcher from Phylum has discovered a new form of malware in a PyPI package that was hiding itself from detection by using Unicode as a technique.


Unicode is a worldwide encoding standard covering more than 100,000 characters across a wide range of languages and scripts; its goal is to simplify and standardize the way characters are displayed on electronic and digital devices. Every letter, digit, or symbol in Unicode receives a unique numeric value (its code point), which stays the same regardless of the software or platform it is displayed on.

Onyxproxy is an infostealer that hunts for developer login credentials and authentication tokens. During the time it was available on PyPI, before it was removed from the repository, it reached 183 downloads, meaning it could have compromised the credentials of up to 183 different developers in that period.

Hiding in plain sight

The malicious package's “setup.py” file contains “thousands” of suspicious code strings built from mixed Unicode characters; the code was allegedly written by a group of Russian hackers.


In onyxproxy, there are three critical identifiers: “__import__”, “subprocess”, and “CryptoUnprotectData”. Each appears in a large number of Unicode variants, which makes them ideal for beating string-matching-based defenses, the researchers explain.

While the technique might sound complicated, the researchers say it isn't exactly sophisticated. However, should the abuse of Unicode for hiding malicious Python code become a trend, it could become a cause for concern.
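The reason these variants defeat plain string matching is that Python's parser applies NFKC normalization to every identifier, so a name spelled with Mathematical Bold letters binds to the same object as its ASCII spelling while the ASCII text never appears in the file. The script below is an added example, not code from the article or from Phylum's analysis, and it uses a constructed sample rather than the onyxproxy source; the three identifier names come from the article, and the `to_math_bold` helper is an assumed, illustrative way of producing one such variant. It shows the analyst-side check: tokenize the raw source, normalize each non-ASCII identifier the way the interpreter does, and compare the result against a list of sensitive names.

```python
import ast
import io
import tokenize
import unicodedata

# Identifiers the article names as the ones onyxproxy disguises.
SENSITIVE_NAMES = {"__import__", "subprocess", "CryptoUnprotectData"}


def to_math_bold(name):
    """Rewrite ASCII letters as Mathematical Bold letters (U+1D400 block).

    Used only to build the constructed sample below; Python's parser maps
    these back to plain letters through NFKC normalization.
    """
    out = []
    for ch in name:
        if "a" <= ch <= "z":
            out.append(chr(0x1D41A + ord(ch) - ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr(0x1D400 + ord(ch) - ord("A")))
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample (not the onyxproxy code): every sensitive identifier is
# spelled with Mathematical Bold letters, so the ASCII strings "__import__",
# "subprocess" and "CryptoUnprotectData" never appear in the text.
# The sample is only parsed by this script, never executed.
SAMPLE_SOURCE = "\n".join([
    f"mod = {to_math_bold('__import__')}('os')",
    f"out = {to_math_bold('subprocess')}.run(['id'], capture_output=True)",
    f"raw = {to_math_bold('CryptoUnprotectData')}(blob)",
]) + "\n"


def canonical(identifier):
    """Return the identifier as the interpreter will see it (NFKC form)."""
    return unicodedata.normalize("NFKC", identifier)


def find_disguised_identifiers(source):
    """Tokenize source and report non-ASCII identifiers with their NFKC form.

    Works on the raw token text (the spelling an analyst sees), then
    normalizes it the way the parser does to recover the effective name.
    """
    findings = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME or tok.string.isascii():
            continue
        canon = canonical(tok.string)
        findings.append({
            "line": tok.start[0],
            "raw": tok.string,
            "normalized": canon,
            "sensitive": canon in SENSITIVE_NAMES,
        })
    return findings


def names_as_executed(source):
    """Collect identifier names from the AST, where normalization has already happened."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Name):
            names.add(node.id)
        elif isinstance(node, ast.Attribute):
            names.add(node.attr)
    return names


if __name__ == "__main__":
    # A naive grep for the ASCII name finds nothing...
    print("plain string match for 'subprocess':", "subprocess" in SAMPLE_SOURCE)
    # ...but normalizing identifiers recovers every disguised name.
    for f in find_disguised_identifiers(SAMPLE_SOURCE):
        flag = "SENSITIVE" if f["sensitive"] else "-"
        print(f"line {f['line']}: {f['raw']!r} -> {f['normalized']!r} {flag}")
    print("names the interpreter binds:", sorted(names_as_executed(SAMPLE_SOURCE)))
```

The `find_disguised_identifiers` check generalizes beyond the three names in the article: any identifier whose raw spelling is non-ASCII but whose NFKC form differs from it is worth a look, since there is rarely a legitimate reason to write `subprocess` in mathematical bold. Comparing the tokenizer's raw strings with the AST's normalized ones is the same contrast a reviewer sees between what the file looks like and what it does.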

“But, whomever this author copied this obfuscated code from is clever enough to know how to use the internals of the Python interpreter to generate a novel kind of obfuscated code, a kind that is somewhat readable without divulging too much of exactly what the code is trying to steal,” concludes Phylum.
