“In an email exchange with ReversingLabs, he revealed that he had been contacted from a LinkedIn profile and provided with a link to the GitHub repository as a ‘homework task’,” the researchers said. “The developer was asked to ‘find the bug,’ fix it and push changes that addressed the bug. When the changes were pushed, the fake recruiter asked him to send screenshots of the fixed bug, to make sure that the developer had executed the project on his machine.”
Using PYC files to hide malicious code
Compared to the similar Node.js campaign reported by Securonix, in this case the attackers stored the malicious code in Python bytecode (PYC) files. This matters because such files are binary rather than plain text like ordinary source files, so a developer reviewing the repository, or a scanner that only looks at .py files, is much less likely to notice the malware.
PYC files are generated and cached (under __pycache__) when the Python interpreter imports a module. Because they already contain compiled bytecode, the interpreter can load and execute them directly without re-parsing and re-compiling the original source. The benefit is faster module loading, not faster execution; beyond caching, PYC files are also used to distribute Python modules without shipping the source. A PYC file carries a magic number tied to the interpreter's minor version, so it only loads under a matching Python. PYC files have been used by attackers to hide malicious code before.
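The following is an added example, not code from the ReversingLabs report or the campaign itself. It compiles a constructed, harmless module to a .pyc, deletes the source so only bytecode remains, loads and runs that bytecode the way a hidden loader would, and then shows the check a defender should run on any stray .pyc: parse the PEP 552 header, unmarshal the code object without executing it, and pull out the string constants, referenced names and import targets for triage. The module name "helper" and the base64 marker are assumptions made for the demonstration.

```python
"""Build a .pyc from constructed source, execute it source-free, and inspect
it statically.  Added example; the real campaign payload is not reproduced."""
import dis
import importlib.util
import marshal
import py_compile
import tempfile
import types
from pathlib import Path

# Constructed stand-in for a "hidden" module.  An attacker would place a
# URL, command or second-stage loader here; this just decodes a marker.
SAMPLE_SOURCE = '''
import base64
def run():
    return base64.b64decode(b"aGVsbG8=").decode()
'''


def build_pyc(source, directory):
    """Compile `source` to directory/helper.pyc and remove the .py, leaving
    only bytecode on disk, as in the campaign."""
    src = directory / "helper.py"
    src.write_text(source)
    out = directory / "helper.pyc"
    py_compile.compile(str(src), cfile=str(out), doraise=True)
    src.unlink()
    return out


def parse_header(pyc):
    """PEP 552 layout (Python 3.7+): 4-byte magic, 4-byte flags, then either
    source mtime+size or a source hash; the marshalled code object follows."""
    data = pyc.read_bytes()
    return {
        "magic_ok": data[:4] == importlib.util.MAGIC_NUMBER,
        "flags": int.from_bytes(data[4:8], "little"),
        "code": data[16:],
    }


def load_code(pyc):
    """Unmarshal the code object WITHOUT running it.  The magic check is the
    reason a malicious .pyc only works on a matching interpreter version."""
    header = parse_header(pyc)
    if not header["magic_ok"]:
        raise ValueError("pyc built by a different Python version")
    return marshal.loads(header["code"])


def execute_pyc(pyc):
    """What a loader does: exec the bytecode into a fresh module namespace."""
    mod = types.ModuleType("helper")
    exec(load_code(pyc), mod.__dict__)
    return mod.run()


def extract_strings_and_names(code):
    """Recursively collect string/bytes constants and referenced names
    (globals, attributes) from a code object and its nested functions."""
    strings, names = set(), set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, (str, bytes)):
            strings.add(const)
        elif isinstance(const, types.CodeType):
            s, n = extract_strings_and_names(const)
            strings |= s
            names |= n
    return strings, names


def find_imports(code):
    """Recover import targets from IMPORT_NAME instructions, including those
    inside function bodies, without executing anything."""
    found = set()
    for ins in dis.get_instructions(code):
        if ins.opname == "IMPORT_NAME":
            found.add(ins.argval)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            found |= find_imports(const)
    return found


def demo():
    """Round trip: build, statically triage, then (only because the sample is
    benign) execute.  Returns the findings for inspection."""
    workdir = Path(tempfile.mkdtemp())
    pyc = build_pyc(SAMPLE_SOURCE, workdir)
    code = load_code(pyc)
    strings, names = extract_strings_and_names(code)
    return {
        "imports": find_imports(code),
        "names": names,
        "strings": strings,
        "output": execute_pyc(pyc),
    }


if __name__ == "__main__":
    print(demo())
```

In practice you would stop after the static pass: a .pyc in a repository that has no matching .py, or whose constants and import list include base64 blobs, socket/subprocess/urllib targets or URLs, is what to flag; running it, even in a sandbox, is a separate decision.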