Users of Telegram, AWS and Alibaba Cloud have been targeted by a new malware campaign that works by hiding malicious code within specific software functions.
So claims the cybersecurity company Checkmarx, which says it discovered the campaign, attributed to a mysterious threat actor called kohlersbtuh15, last September.
The attacker in question uses the Python package repository PyPI for its operations, launching attacks with typosquatting and starjacking tactics.
According to Checkmarx, “Instead of the common strategy of placing malicious code inside Python package installation files, which would automatically execute upon package installation, this attacker embedded malicious scripts deep inside the package, inside specific functions”.
The same experts clarified that “This meant that the malicious code was only executed when a specific function was called during regular use”.
This modus operandi is described as a “Unique approach to hide malicious code”, which not only conceals the code “But it also targets specific operations or functionality, making the attack more effective and difficult to detect”.
Hidden Malware Code: How Cybercriminals Trick You
Checkmarx added: “Additionally, since many security tools scan for malicious scripts that can be executed automatically, embedding code within functions increases the likelihood of evading those security measures”.
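As an added illustration of the evasion point above (example code, not from Checkmarx or the campaign), the following Python scanner contrasts an import-time-only check with a per-function AST walk over a constructed sample module; the sample's function names and the list of suspicious callees are assumptions for the example.

```python
import ast
# Constructed sample module (not from the real campaign): a harmless helper plus a
# function whose body decodes and executes an embedded payload only when called.
SAMPLE_MODULE = '''
import base64
def greet(name):
    return "hello " + name

def upload_logs(path):
    blob = "cHJpbnQoJ2hpJyk="  # constructed placeholder, never executed by the scanner
    exec(base64.b64decode(blob))
'''
# Callee names worth a second look when they appear inside library functions.
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__", "b64decode"}

def _callee_name(call):
    """exec(...) -> 'exec'; base64.b64decode(...) -> 'b64decode'; else None."""
    if isinstance(call.func, ast.Name):
        return call.func.id
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    return None

def find_top_level_calls(source):
    """Suspicious calls that run at import time (module-level statements only),
    which is all a scanner focused on auto-executing code would see."""
    hits = set()
    for stmt in ast.parse(source).body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue  # bodies run only when called, so an import-time scan skips them
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call) and _callee_name(node) in SUSPICIOUS_CALLS:
                hits.add(_callee_name(node))
    return sorted(hits)

def find_suspicious_functions(source):
    """Map each function name to the sorted suspicious callees found in its body."""
    findings = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            hits = {_callee_name(c) for c in ast.walk(node) if isinstance(c, ast.Call)}
            hits &= SUSPICIOUS_CALLS  # also drops None for callees we cannot name
            if hits:
                findings[node.name] = sorted(hits)
    return findings

if __name__ == "__main__":
    print("import-time:", find_top_level_calls(SAMPLE_MODULE))       # []
    print("in functions:", find_suspicious_functions(SAMPLE_MODULE))  # {'upload_logs': ['b64decode', 'exec']}
```

The import-time scan reports nothing, while the per-function walk flags `upload_logs`, which is exactly the gap the quoted technique exploits.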
Another tactic used by the attacker is to make malicious packages on PyPI appear popular, a sort of “psychological trick” aimed at encouraging the victim to choose them, lured by a false sense of trust.
“Starjacking and typosquatting are popular methods used by attackers to increase the chances of their attacks being successful and infect as many targets as possible”, said Checkmarx. “These techniques aim to improve the package’s credibility by making it appear popular and emphasizing the number of other developers using it”, the experts add.
In case of infection, regardless of the service or app involved, the risks are high.
“At best, you could end up infecting highly privileged developer accounts within your network”, say Checkmarx’s researchers, adding that “If you’re less lucky, you may end up infecting your customers with compromised software versions”.