DreamyOak Quasar Malware
5 posts tagged with this topic.
Following the kill chain of a malicious Python package, and decompiling a basic Quasar RAT while rapidly learning some valuable lessons.
The Python packaging ecosystem remains fairly stable compared with the broader landscape of open source package distribution, but it is not immune to sustained attacks either. One threat actor group has evolved from a simple nuisance into a sustained stream of spam and malware, using GitHub for staging and directly targeting user bases to distribute malicious programs.
Looking deeper into PyArmor-obfuscated malware using tools such as Process Monitor and Wireshark, and hooking third-party libraries to gain access to web requests and encrypted data before they leave the process.
An overview of building community-driven malware reporting for PyPI, from manual triage to automated YARA-assisted workflows. It explores the operational tradeoffs and why standardized reporting models matter for ecosystem-scale defense.
A practical look at where YARA helps and where it falls short when detecting malicious Python packages at scale. It focuses on the ambiguity between legitimate and abusive behavior and the limits of signature-based detection in open ecosystems.