According to the researchers, threat actors who create Python malware are getting better and their payloads are harder to detect.
While analyzing a recently detected malicious payload, JFrog reported how attackers used a new technique, anti-debugging code, to make it more difficult for researchers to analyze the payloads and understand the logic behind the code.
In addition to "ordinary" obfuscation tools and techniques, the hackers behind the "cookiezlog" package used anti-debugging code to thwart dynamic analysis tools.
According to JFrog, this is the first time such a method has been detected in PyPI malware.
“Most current PyPI malware attempts to avoid static detection using a variety of techniques: from primitive variable manipulation to sophisticated code-flattening and steganography techniques,” the researchers explain in a blog post (opens in a new tab ).
“The use of these techniques makes the package extremely suspicious, but prevents novice researchers from understanding the exact operation of the malware using static analysis tools. However, any dynamic analysis tool, such as a malware sandbox, quickly removes the static layers of malware protection and reveals the underlying logic.
The hackers' efforts seem futile as the JFrog researchers managed to bypass the workarounds and directly observe the payload. Upon analysis, the researchers described the payload as "disappointingly simple" compared to the effort put into keeping it hidden. This is still dangerous, because cookiezlog is a password cleaner capable of stealing "autofill" passwords stored in the data caches of popular browsers.
The collected intelligence is then sent to the attackers via a Discord link that acts as a command and control server.
Unfortunately, JFrog did not reveal the name of the group behind the malware, nor the distribution techniques used to get the password sniffer onto victims' terminals. Either way, news about PyPI malware is more frequent, suggesting that Python developers have become a major target.