Fake recruiting campaign targets developers using trojanized Python packages

“In an email exchange with ReversingLabs, he revealed that he had been contacted from a LinkedIn profile and supplied with a link to the GitHub repository as a ‘homework task’,” the researchers stated. “The developer was asked to ‘find the bug,’ resolve it and push changes that addressed the bug. When the changes were pushed, the fake recruiter asked him to send screenshots of the fixed bug — to make sure that the developer executed the project on his machine.”

Using PYC files to hide malicious code

Compared to the similar Node.js campaign reported by Securonix, in this case the attackers stored the malicious code in Python bytecode (PYC) files. This is significant because such files are in a binary format rather than plain text like typical source code files, making the malware much harder to spot.

PYC files are generated and cached when the Python interpreter imports or executes a Python script. Since they are already interpreted (compiled) code, they can later be executed directly by the Python interpreter without reinterpreting the original script. This helps performance by giving faster execution times, and the most common use for such files is in the distribution of Python modules. PYC files have been used by attackers to hide malicious code before.
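A defender-side check for the technique described above, as an added example that is not from the original article or from ReversingLabs: it walks a checkout, flags `.pyc` files that ship without matching source, and lists watch-listed names referenced by the bytecode without executing it. The `SUSPICIOUS` watch list, the function names and the sample repository built in `demo()` are assumptions constructed for illustration.

```python
import importlib.util
import marshal
import py_compile
import tempfile
from pathlib import Path

# Assumed, non-exhaustive watch list of names that deserve a reviewer's attention.
SUSPICIOUS = {"exec", "eval", "compile", "b64decode", "subprocess", "socket", "urlopen"}

def inspect_pyc(path):
    """Check the header magic and collect names the bytecode references (nothing is executed)."""
    data = Path(path).read_bytes()  # 16-byte header: magic, flags, mtime+size or source hash
    magic_ok, names = data[:4] == importlib.util.MAGIC_NUMBER, set()
    if magic_ok:  # marshal layout is version-specific, so only parse matching bytecode
        # marshal.loads runs no code but is not hardened against malformed input: use a throwaway VM.
        stack = [marshal.loads(data[16:])]
        while stack:
            code = stack.pop()
            names.update(code.co_names)
            stack.extend(c for c in code.co_consts if hasattr(c, "co_names"))
    return magic_ok, names

def source_for(pyc):
    try:  # __pycache__/name.cpython-XY.pyc -> ../name.py
        return Path(importlib.util.source_from_cache(str(pyc)))
    except ValueError:  # legacy layout: name.pyc sitting next to name.py
        return pyc.with_suffix(".py")

def scan(root):
    findings = []
    for pyc in sorted(Path(root).rglob("*.pyc")):
        magic_ok, names = inspect_pyc(pyc)
        hits, orphan = sorted(names & SUSPICIOUS), not source_for(pyc).exists()
        if orphan or hits or not magic_ok:
            findings.append({"path": str(pyc), "orphan": orphan, "names": hits, "magic_ok": magic_ok})
    return findings

def demo():
    """Constructed sample repo: one normal module and one .pyc shipped without its source."""
    root = Path(tempfile.mkdtemp())
    (root / "utils.py").write_text("def add(a, b):\n    return a + b\n")
    py_compile.compile(str(root / "utils.py"))  # written to __pycache__, source kept
    src = root / "helper.py"
    src.write_text("import base64\ndef run(blob):\n    exec(base64.b64decode(blob))\n")
    py_compile.compile(str(src), cfile=str(root / "helper.pyc"))
    src.unlink()  # only the bytecode remains in the tree
    return scan(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A file that fails the magic check was compiled by a different Python version; it is reported but not parsed, so inspect it with a matching interpreter.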
