
Malicious PyPI Packages Use Compiled Python Code to Bypass Detection


June 01, 2023 | Ravie Lakshmanan | Programming / Supply Chain

Researchers have uncovered a new attack on the Python Package Index (PyPI) repository that uses compiled Python code to evade detection by application security tools.

“This is probably the first supply chain attack to take advantage of the fact that Python bytecode (PYC) files are directly executable,” ReversingLabs analyst Karlo Zanki said in a report shared with The Hacker News.

The package in question is fshec2, which was removed from the package list on April 17, 2023, following a responsible disclosure on the same day.

A PYC file is a compiled bytecode file that is generated by the Python interpreter when a Python program is executed.

“When a module is imported for the first time (or when the source files have changed since the current compiled file was created) a .pyc file containing the compiled code should be created in the __pycache__ subdirectory of the directory containing the .py files,” explains the Python documentation.

The package, according to the software supply chain security firm, contains three files (__init__.py, main.py, and full.pyc), the last of which harbors the malicious functionality.

“The package entry point is found in the __init__.py file, which imports functions from another plain text file, main.py, which contains the Python source code responsible for loading the compiled Python modules located in one of the other files, full.pyc,” said Zanki.


This, in turn, is achieved by leveraging the importlib package (as opposed to a plain import) to load and run the code contained in the .pyc file.

Analysis of the reverse-engineered version of the PYC file revealed that it was configured to collect usernames, hostnames, and directory listings, as well as fetch commands for execution on the host from hard-coded servers (13.51.44[.]246).


ReversingLabs says it also observed the module downloading and running other Python scripts responsible for fetching new commands, which are placed inside files that the threat actors can tweak at will to issue different instructions.

Further checks of the command-and-control server found a configuration error that made it possible to download files by their IDs, which are numbered sequentially (starting from 1), without any authorization. This suggests that the attack was most likely not orchestrated by a sophisticated actor.

The development is a continuation of efforts by threat actors to adopt different obfuscation techniques to avoid detection by security solutions.

“Loader scripts such as those found in the fshec2 package contain a minimal amount of Python code and perform a simple action: load precompiled Python modules,” says Zanki. “It just so happens to be a rogue module.”
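The following is an added example, not code from ReversingLabs or the original article, of how a reviewer might triage an unpacked package for the pattern described above: compiled modules shipped without source, and plain-text files that point import machinery at a .pyc file. The `LOADER_NAMES` heuristic, the `samplepkg` layout and the loader line written into `main.py` are constructed assumptions; the real loader code is not shown on the page.

```python
import ast
import pathlib
import py_compile
import tempfile

LOADER_NAMES = {"SourcelessFileLoader", "spec_from_file_location"}  # heuristic list

def orphan_pycs(root):
    """.pyc files shipped outside __pycache__ with no sibling .py source."""
    root = pathlib.Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*.pyc")
                  if p.parent.name != "__pycache__" and not p.with_suffix(".py").exists())

def pyc_loaders(root):
    """.py files that reference a loader name and a string literal ending in .pyc."""
    root, hits = pathlib.Path(root), []
    for src in root.rglob("*.py"):
        try:
            tree = ast.parse(src.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            continue  # unparsable source needs manual review
        names, pyc_literal = set(), False
        for node in ast.walk(tree):
            if isinstance(node, (ast.Attribute, ast.Name)):
                names.add(node.attr if isinstance(node, ast.Attribute) else node.id)
            elif isinstance(node, ast.ImportFrom):
                names.update(alias.name for alias in node.names)
            elif isinstance(node, ast.Constant) and isinstance(node.value, str):
                pyc_literal |= node.value.lower().endswith(".pyc")
        if pyc_literal and names & LOADER_NAMES:
            hits.append(str(src.relative_to(root)))
    return sorted(hits)

def build_sample(root):
    """Constructed, harmless package mirroring the three-file layout described above."""
    pkg = pathlib.Path(root) / "samplepkg"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("from . import main\n")
    (pkg / "main.py").write_text(  # hypothetical loader; the real one is not on the page
        "import importlib.machinery\n"
        "loader = importlib.machinery.SourcelessFileLoader('full', 'full.pyc')\n")
    payload = pathlib.Path(root) / "payload_src.py"
    payload.write_text("VALUE = 1\n")
    py_compile.compile(str(payload), cfile=str(pkg / "full.pyc"))
    return pkg

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_sample(tmp)
        print(orphan_pycs(pkg), pyc_loaders(pkg))
```

A hit from either function is a prompt for manual review rather than a verdict, since some legitimate projects distribute bytecode-only modules.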
