Anti-Detection Technologies
For conventional code obfuscation techniques, the hidden logic and intent in malicious code can be found by analyzing the API in the abstract syntax tree. However, some malicious codes use advanced obfuscation techniques, such as anti-debugging and anti-virtualization, which are often difficult to discover through program analysis tools. In this case, we need to use manual analysis to check the malicious code and explore the anti-detection technology carefully. While analyzing the malicious code, we found that attackers use multiple methods to evade the detection of security tools. We summarize some existing anti-analysis techniques and discover several new classes of evasion techniques in the collected data.
Attackers use some obfuscation techniques to hide the true purpose and behaviors of malicious code. Common code obfuscation techniques include encryption and coding. Many attackers in the software supply chain also use code obfuscation techniques to evade detection and analysis. For example, the "aiogram-types-0.1.8" package uses "base64()" to obfuscate malicious code. Some security detection tools will detect the IOC in the source code, and the attacker will separate the IOC and then escape through subsequent splicing. The "Acqusition-4.4.2" package uses this technique.
Attackers typically upload malicious packages to a server and then use external requests to download and execute them on the user's local installation rather than directly embedding malicious executables into the package files.
This attack is usually a multi-stage process. In the first stage, the attacker sends a request to an external link to obtain a download link for a malicious executable file. In the second stage, the attackers use the obtained link to download and execute a malicious executable file on the victim's local system. Since attackers use external links to download malicious files, they can bypass detection by the local security software, increasing the success rate of the attack.
Typosquatting is a popular attack method used by attackers to take advantage of user typos. Some attackers include the source code of the impersonated package within their malicious package. When a developer inadvertently imports the malicious package due to a misspelling, they may not realize that the package contains malicious code because it also includes the specific function they seek. This can lead to malicious code persisting on the system for an extended period. Additionally, during dynamic analysis, the regular code may overwrite the malicious code's behavior, making it difficult to detect. Examples of packages that utilize this approach include "requessts-2.27.1" and "jeIlyfish-0.7.1".
To bypass the detection tool, the attacker does not directly inject malicious code into the current package but implements the attack by indirect reference. "secbg-0.0.9" introduces the malicious package in the "setup.py" file via "install_requires'' in the "setup.py" file, the malicious package "secrevtwo-0.0.3".
Attackers use steganography to hide malicious code in an image, and when the package code is executed, it downloads the image from a remote server and extracts the malicious code from it for execution. "colorsapi-6.6.7" exploits this type of attack.
attackers usually use the __import__ method to dynamically import the required module and compile and execute malicious code at runtime with the help of built-in functions builtins According to the data we collected, 63 packages related to sandbox escape have been identified.