Tuesday, April 16, 2024

New Python infostealer uses Unicode to avoid detection


Attackers have once again used the PyPI package index to distribute a malicious package.

A malicious package recently discovered on the PyPI developer platform used Unicode look-alike characters as an obfuscation technique to avoid detection while it stole credentials and other sensitive information from the machines of developers who installed it.

The package, called "onyxproxy", mixes look-alike characters from several Unicode "fonts" into its identifiers in order to bypass automated checks and protections that flag potentially malicious package behaviour by string matching.

The package was discovered and reported by researchers at the cybersecurity firm Phylum. It has since been removed from PyPI, but it had accumulated 183 downloads between publication and removal.

Unicode is a character encoding standard used to represent text in many languages across different computer systems. It covers an enormous number of characters from many languages and cultures, including letters, digits, punctuation, currency symbols, CJK ideographs, mathematical operators and more, so that text is displayed consistently across systems and applications.

The "onyxproxy" package shipped a "setup.py" containing thousands of suspicious lines of code written with a mix of Unicode characters. Apart from the differing "fonts", the text looked almost normal on visual inspection. To a string-matching scanner, however, these identifiers are byte-for-byte different from their ASCII spellings, while Python's parser normalizes every identifier to Unicode NFKC form (PEP 3131) and therefore treats the look-alike spellings as exactly the same names, so the code runs as intended.

Phylum pointed out that, across the various mathematical, fullwidth and other letter-like blocks, Unicode offers 5 look-alike spellings of the letter "n" and as many as 19 of the letter "s". Multiplying the alternatives for each letter, the identifier "self" alone can be written in 19 x 19 x 20 x 17 = 122,740 different ways.

Because Python accepts these characters in identifiers and folds them to the same name, a programmer can write identifiers that look alike but differ at the byte level. In the case of "onyxproxy", the malware authors applied this to the identifiers "import", "subprocess" and "CryptUnprotectData"; these are longer names with a correspondingly huge number of possible spellings, which makes it trivial to evade string-matching protections.

Unicode identifiers in Python thus make it easy to hide the strings a scanner looks for while the code stays visually innocuous and no less dangerous. In this case the attackers used the technique to quietly steal sensitive data and authentication tokens from developers.
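As an added illustration (this is not code from onyxproxy or from Phylum's report), the following Python builds a constructed, harmless snippet in the onyxproxy style using Mathematical Sans-Serif Bold look-alike letters, shows that a plain substring scan sees none of the indicator strings, and then scans the token stream with NFKC normalization, which is what the interpreter itself does, to recover the real names. Finally it executes the snippet to confirm that Python binds the variables under their ASCII spellings. The indicator list, the choice of homoglyph block and the sample snippet are assumptions made for the demonstration.

```python
"""Added example: Unicode homoglyph identifiers versus NFKC-aware scanning.
Not code from onyxproxy or from Phylum; the sample source below is constructed."""
import tokenize
import unicodedata
from io import StringIO

# Mathematical Sans-Serif Bold Small A..Z is a contiguous block U+1D5EE..U+1D607.
# NFKC folds every one of these back to the plain ASCII letter.
_MATH_SANS_BOLD_A = 0x1D5EE

# Hypothetical indicator strings a naive scanner might look for.
INDICATORS = ("__import__", "subprocess", "b64encode")


def homoglyph(word: str) -> str:
    """Rewrite ASCII lowercase letters as Mathematical Sans-Serif Bold look-alikes.
    Digits, underscores and anything else are left untouched."""
    return "".join(
        chr(_MATH_SANS_BOLD_A + ord(c) - ord("a")) if "a" <= c <= "z" else c
        for c in word
    )


# Constructed, harmless stand-in for the onyxproxy pattern: the names the
# interpreter will resolve to __import__ and b64encode never appear in ASCII.
OBFUSCATED_SRC = (
    f"{homoglyph('mod')} = __{homoglyph('import')}__('base64')\n"
    f"{homoglyph('blob')} = {homoglyph('mod')}.{homoglyph('b64encode')}(b'token').decode()\n"
)


def naive_hits(src: str) -> list:
    """What a plain substring scanner (the kind onyxproxy evades) reports."""
    return [s for s in INDICATORS if s in src]


def bound_names(src: str) -> dict:
    """Map each non-ASCII identifier token to the name CPython will actually bind.

    CPython normalizes identifiers to NFKC (PEP 3131), so two visually different
    spellings are the same variable to the interpreter even though they differ
    byte-for-byte to a string matcher.  The tokenize module hands back the raw
    spelling, so the normalization has to be applied here explicitly.
    """
    names = {}
    for tok in tokenize.generate_tokens(StringIO(src).readline):
        if tok.type == tokenize.NAME and not tok.string.isascii():
            names[tok.string] = unicodedata.normalize("NFKC", tok.string)
    return names


def nfkc_hits(src: str) -> list:
    """Indicator matches after folding identifiers the way the interpreter does."""
    folded = set(bound_names(src).values())
    return [s for s in INDICATORS if s in folded]


def run_obfuscated() -> str:
    """Execute the sample; the interpreter resolves the homoglyph names normally."""
    ns = {}
    exec(OBFUSCATED_SRC, ns)
    # The binding lives under the NFKC-normalized key, not the source spelling.
    return ns["blob"]


if __name__ == "__main__":
    print(OBFUSCATED_SRC)
    print("naive scan :", naive_hits(OBFUSCATED_SRC))   # []
    print("nfkc scan  :", nfkc_hits(OBFUSCATED_SRC))    # ['__import__', 'b64encode']
    print("bindings   :", bound_names(OBFUSCATED_SRC))
    print("executed   :", run_obfuscated())             # dG9rZW4=
```

The practical takeaway for a scanner is the `bound_names` step: either NFKC-normalize identifier tokens before matching, or simply flag any non-ASCII identifier in a `setup.py`, since legitimate build scripts almost never need them.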

While this obfuscation technique is not particularly sophisticated, seeing it in the wild (ITW) is concerning and may indicate that Python's Unicode identifier support has been abused for similar purposes for some time.

The risks of allowing Unicode identifiers in Python have been discussed in the IT community for years, and many researchers and developers argued that the feature would make the language easier to abuse.

Now that abuse of Unicode identifiers has been confirmed in the wild, security specialists will need reliable mechanisms for detecting this class of threat. Matching on NFKC-normalized identifiers rather than raw bytes, or flagging any non-ASCII identifier in a package's build script, is the obvious starting point.



Source: www.securitylab.ru
