[SANS ISC] Keeping an Eye on Dangerous Python Modules, (Fri, Jun 11th)

With Python getting more and more popular, especially on Microsoft operating systems, it is common to find malicious Python scripts today. I already covered some of them in previous diaries[1][2]. I like this language because it is very powerful: you can automate boring tasks in a few lines. It can be used for offensive as well as defensive purposes, and it has a lot of third-party “modules” or libraries that extend its capabilities. For example, if you would like to use Python for forensics purposes, you can easily access the registry and extract data:

This snippet of code starts with an import line. First, I need to load a specific module (in this case winreg, which is part of the standard library on Windows) that adds to Python all the code required to read and manipulate the registry hives.

Let’s switch back to the “dark side”. When attackers need to write a piece of code to perform a specific task, they search for existing modules rather than reinvent the wheel. The best place to search for Python modules is pypi.org[3]. Let’s take another example: code injection. Python can call any Windows API function with the help of the ctypes module:

In this example, I’m using the ctypes module to call the Windows API function VirtualAlloc() and allocate 1KB of memory with the protection flag 0x40 (PAGE_EXECUTE_READWRITE, which means the memory is allowed to contain executable code). Note that 0x04 is PAGE_READWRITE: memory allocated with it can be written to but not executed, so 0x40 is the value that should draw your attention in an injector.

ctypes is not a module commonly found in the simple automation scripts a system administrator would write, so its presence can be categorized as “suspicious”. Let’s have another example. I found this malicious script that implements a keylogger. It uses another uncommon Python module:

The suspicious module is pyHook, which “provides callbacks for global mouse and keyboard events in Windows”, as its documentation says.

Want more? Let’s now use wave and sounddevice to access the host microphone and record some conversations (wave is a standard library module for writing .wav files; sounddevice is the third-party module that actually captures the audio):

Other interesting modules? Use pyscreenshot to take screenshots, or pynput to build another type of keylogger.

The question is now, from a defender’s perspective: how can we detect suspicious Python modules?

If you have access to the host, you can always use the pip command (the utility that manages third-party modules), for example pip list or pip freeze:

pip lists the third-party modules that have been installed “manually” (which could have been done by an attacker). Keep in mind that standard library modules such as ctypes, winreg or wave never appear in this list because they ship with the interpreter. To get a full list of modules, including the standard library, use the help("modules") command in the Python interpreter:
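The same inventory pip shows can be produced from Python itself, which is handy on a host where pip is missing or not trusted. The script below is an added example, not code from the diary: it reads the installed-distribution metadata through importlib.metadata and flags any package on a watchlist. The watchlist is taken from the third-party modules named above; the sample inventory used in testing is constructed.

```python
"""Inventory installed third-party Python packages and flag a watchlist.

Added example (not code from the ISC diary). importlib.metadata reads the
same installed-distribution metadata that ``pip list`` displays, so this
works even on a host where pip itself is absent. The watchlist below is built
from the third-party modules discussed in the diary.
"""
import re
from importlib import metadata
from typing import Dict, Iterable

# Third-party modules named in the diary as worth a second look. Standard-library
# modules (ctypes, winreg, wave) are deliberately absent: pip never lists them.
WATCHLIST = {"pyHook", "pynput", "sounddevice", "pyscreenshot"}


def normalize(name: str) -> str:
    """Normalize a distribution name the way PEP 503 does.

    Runs of '-', '_' and '.' collapse to a single '-' and the result is
    lower-cased, so 'pyHook', 'PyHook' and 'pyhook' all compare equal.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_distributions() -> Dict[str, str]:
    """Return {normalized name: version} for every distribution visible
    to this interpreter (what ``pip list`` would print)."""
    found: Dict[str, str] = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name:  # skip broken .egg-info / .dist-info directories
            found[normalize(name)] = dist.version or "unknown"
    return found


def flag_suspicious(inventory: Dict[str, str],
                    watchlist: Iterable[str] = WATCHLIST) -> Dict[str, str]:
    """Return the subset of the inventory whose name is on the watchlist."""
    wanted = {normalize(w) for w in watchlist}
    return {name: ver for name, ver in inventory.items() if name in wanted}


if __name__ == "__main__":
    hits = flag_suspicious(installed_distributions())
    for name, version in sorted(hits.items()):
        print(f"suspicious package installed: {name} {version}")
    if not hits:
        print("no watchlisted packages installed")
```

Run it with the interpreter the suspect script would use (an attacker can carry a private virtualenv or an embedded Python), since each interpreter sees only its own site-packages.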

As you can see, the imported modules alone are often enough to spot malicious Python code. If you would like to hunt, you can write a YARA rule to search for interesting module names inside text files. Remember that a rule matching only literal import lines can be evaded: attackers also load modules with __import__("ctypes") or importlib.import_module("ctypes"), or hide the whole script in a base64 or zlib blob that is decoded at runtime, so cover those patterns too.
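To show what such a hunt looks like in practice, here is an added example (not code from the diary) that triages Python source by its imports. It parses the file with the ast module so that import statements, from-imports, __import__() and importlib.import_module() are all caught, and falls back to a regular expression when the text does not parse as Python (truncated or obfuscated files). The watchlist holds only the modules discussed above; the three scripts it is run against are constructed samples, not real malware.

```python
"""Static triage of Python source by the modules it imports.

Added example (not code from the ISC diary). The watchlist is built from the
modules discussed in the diary; the scripts at the bottom are constructed
samples, not real malware.
"""
import ast
import re
from typing import Dict, Set

# Module name -> why it matters. Only names from the diary, nothing invented.
WATCHLIST: Dict[str, str] = {
    "ctypes": "direct Windows API access (e.g. VirtualAlloc for code injection)",
    "winreg": "registry read/write (persistence, stored credentials)",
    "pyHook": "global keyboard/mouse hooks (keylogger)",
    "pynput": "keyboard/mouse monitoring and control (keylogger)",
    "sounddevice": "microphone capture",
    "wave": "writing captured audio to .wav files",
    "pyscreenshot": "screen capture",
}

# Fallback for text that is not valid Python: literal module references,
# covering the same four forms the AST walk handles below.
_TEXT_IMPORT = re.compile(
    r"(?:^|\W)(?:import\s+([\w.]+)|from\s+([\w.]+)\s+import|"
    r"__import__\(\s*['\"]([\w.]+)['\"]|import_module\(\s*['\"]([\w.]+)['\"])",
    re.MULTILINE,
)


def _top_level(name: str) -> str:
    """'ctypes.wintypes' -> 'ctypes'."""
    return name.split(".")[0]


def imported_modules(source: str) -> Set[str]:
    """Return the top-level module names a script pulls in, however it does so."""
    found: Set[str] = set()
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # Not parseable (truncated, obfuscated, mixed content): scan the text.
        for match in _TEXT_IMPORT.finditer(source):
            found.add(_top_level(next(g for g in match.groups() if g)))
        return found

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            found.update(_top_level(alias.name) for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.add(_top_level(node.module))
        elif isinstance(node, ast.Call):
            # Dynamic forms: __import__("x") / importlib.import_module("x").
            # Matching on the attribute name alone is a heuristic: any
            # object with an import_module() method would also match.
            func = node.func
            is_dunder = isinstance(func, ast.Name) and func.id == "__import__"
            is_import_module = isinstance(func, ast.Attribute) and func.attr == "import_module"
            if (is_dunder or is_import_module) and node.args:
                arg = node.args[0]
                if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                    found.add(_top_level(arg.value))
    return found


def triage(source: str, watchlist: Dict[str, str] = WATCHLIST) -> Dict[str, str]:
    """Map each watchlisted module the script imports to the reason it is flagged."""
    return {m: watchlist[m] for m in imported_modules(source) if m in watchlist}


# Constructed samples (not real malware). INJECTOR mirrors the diary's
# VirtualAlloc call; 0x40 is PAGE_EXECUTE_READWRITE.
INJECTOR = """
import ctypes
buf = ctypes.windll.kernel32.VirtualAlloc(0, 1024, 0x1000, 0x40)
"""

KEYLOGGER_OBFUSCATED = """
import importlib
hooks = importlib.import_module("pyHook")
com = __import__("pythoncom")
"""

ADMIN_SCRIPT = """
import os, shutil
from pathlib import Path
for p in Path(".").glob("*.log"):
    shutil.copy(p, "backup/")
"""

if __name__ == "__main__":
    for label, src in [("injector", INJECTOR), ("keylogger", KEYLOGGER_OBFUSCATED), ("admin", ADMIN_SCRIPT)]:
        hits = triage(src)
        print(f"{label}: {'SUSPICIOUS' if hits else 'clean'} {sorted(hits)}")
```

A string literal is the only dynamic form handled; a module name assembled at runtime (concatenation, base64 decoding, exec of a decoded blob) defeats both the AST walk and the regex, which is exactly why the absence of any plain import in a script that clearly does something is itself worth a look.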

[1] https://isc.sans.edu/forums/diary/Python+and+Risky+Windows+API+Calls/26530
[2] https://isc.sans.edu/forums/diary/From+Python+to+Net/27366
[3] https://pypi.org

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
