safety, posted June 27, 2023:

Dear colleagues, is it possible in ESET products to detect malicious *.py scripts in .unitypackage files (a compressed package created by Unity, a 3D game development program, that contains the project and library files used to build a game)? To create such scripts, for example, the Hawkish-Grabber builder can be used; the script can then be added to the .unitypackage file, and the Unity application is launched automatically when this file is opened.
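As an added illustration of what such a check has to do (example code written for this thread, not ESET's or Unity's own): a .unitypackage is a gzip-compressed tar archive in which every asset sits in a GUID-named directory as `asset` (the raw bytes), `asset.meta` and `pathname` (the path the asset is restored to inside the project). The scanner below reads each `pathname`, flags script and executable extensions, and also sniffs the `asset` bytes for a PE header so a renamed binary is still caught. The extension list and the sample package are constructed for the example; the GUIDs and paths in it are made up.

```python
"""Scan a .unitypackage for script or executable payloads hidden among assets."""
import io
import tarfile

# Extensions that have no business in an art/prefab package (assumption: tune to your estate).
SUSPICIOUS_EXT = {".py", ".pyw", ".pyc", ".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js"}


def _ext(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def scan_unitypackage(data: bytes) -> list:
    """Return [(restored_path, reason), ...] for every suspicious asset in the package bytes."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        for name, member in members.items():
            if not name.endswith("/pathname"):
                continue
            guid_dir = name[: -len("/pathname")]
            # Newer Unity versions append a second line ("00") to pathname; only the first line is the path.
            path = tar.extractfile(member).read().decode("utf-8", "replace").splitlines()[0].strip()
            ext = _ext(path)
            if ext in SUSPICIOUS_EXT:
                findings.append((path, f"extension {ext}"))
                continue
            # The restored name can lie (e.g. a .bytes asset), so look at the content too.
            asset = members.get(guid_dir + "/asset")
            if asset is not None and tar.extractfile(asset).read(2) == b"MZ":
                findings.append((path, "PE header in asset bytes"))
    return findings


def build_sample_package() -> bytes:
    """Build a small .unitypackage in memory. Constructed test data: one texture, one .py, one renamed PE."""
    entries = {
        "0a1b/pathname": b"Assets/Textures/grass.png\n00",
        "0a1b/asset": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "0a1b/asset.meta": b"guid: 0a1b\n",
        "c2d3/pathname": b"Assets/Editor/grabber.py\n00",
        "c2d3/asset": b"import os\n# payload would go here\n",
        "c2d3/asset.meta": b"guid: c2d3\n",
        "e4f5/pathname": b"Assets/Plugins/helper.bytes\n00",
        "e4f5/asset": b"MZ\x90\x00" + b"\x00" * 60,
        "e4f5/asset.meta": b"guid: e4f5\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in scan_unitypackage(build_sample_package()):
        print(f"{path}: {reason}")
```

Run it against a real package with `scan_unitypackage(open("pkg.unitypackage", "rb").read())`. Note that a scanner of this kind only sees what is stored in the archive; a script that is fetched at import time rather than shipped in the package leaves nothing for it to find.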
itman, posted June 28, 2023:

Based on what I read here: https://github.com/Hawkish-Team/Hawkish-Grabber , I would say the detection likelihood would be low.
safety (author), posted June 29, 2023:

@itman, is it possible to block such scripts from running through HIPS rules?
itman, posted June 29, 2023 (edited June 29, 2023 by itman):

11 hours ago, safety said: Is it possible to block such scripts from running through HIPS rules?

Blocking execution of Python scripts via a HIPS is somewhat "an effort in futility" given the multiple ways the scripts can be run: https://realpython.com/run-python-scripts/ . Now, if the Eset HIPS had the capability to block read access to a file plus global file wildcard capability, then a HIPS rule could be created to block/ask on *.py and *.pyw file access. Finally, .py scripts can be converted to a .exe, just like .bat and similar scripts can be.

The main danger of Python scripts is that they are not parsed by the Windows AMSI interface. On the other hand, AMSI is being bypassed so much by malware these days that it's probably a moot point.
itman, posted June 30, 2023 (edited June 30, 2023 by itman):

FYI, you might find this article informative: https://sheekgeek.org/2023/adamsheekgeek/best-way-to-make-guis-and-executables-in-python-for-windows-mac-and-linux . Note that it does require modifying the target's Path environment variable, but that should not be too hard to do.
itman, posted July 1, 2023 (edited July 1, 2023 by itman):

Python doesn't even have to be installed, or a script embedded in a .exe, to be used maliciously. Just part of it is enough to pull off a successful attack. Case in point is this just-published BlackCat ransomware method:

Quote: BlackCat ransomware pushes Cobalt Strike via WinSCP search ads

The victim clicks the button and receives an ISO file containing "setup.exe" and "msi.dll," the first being the lure for the user to launch and the second being the malware dropper triggered by the executable. "Once setup.exe is executed, it will call the msi.dll that will later extract a Python folder from the DLL RCDATA section as a real installer for WinSCP to be installed on the machine," explains the Trend Micro report. This process also installs a trojanized python310.dll and creates a persistence mechanism by making a run key named "Python" and the value "C:\Users\Public\Music\python\pythonw.exe". The executable pythonw.exe loads a modified obfuscated python310.dll that contains a Cobalt Strike beacon that connects to a command-and-control server address.

https://www.bleepingcomputer.com/news/security/blackcat-ransomware-pushes-cobalt-strike-via-winscp-search-ads/
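Two points from this thread lend themselves to telemetry rules rather than file-extension blocking: the earlier remark that Python code can be launched in many ways (so a rule keyed on *.py misses `python -c` and stdin), and the BlackCat case above, where the interpreter itself runs from a user-writable path, is started by a Run key, and loads a swapped python310.dll. The following is an added example written for this thread, not ESET's, Trend Micro's or BleepingComputer's code. The records are constructed in the shape of Sysmon EventID 1 (process create), 7 (image load) and 13 (registry value set) events; the Sysmon field names are real, the paths, command lines and SID are made up, and the list of trusted install roots is an assumption to adjust per environment.

```python
"""Flag Python-interpreter abuse in Sysmon-style process, image-load and registry events."""
import ntpath
import re

INTERPRETERS = {"python.exe", "pythonw.exe", "py.exe", "pyw.exe"}
# Where an interpreter is expected to live (assumption: extend for your own deployments).
TRUSTED_ROOTS = (
    r"c:\program files\python",
    r"c:\program files (x86)\python",
    r"c:\windows\py.exe",
    r"c:\windows\pyw.exe",
)
PYTHON_DLL = re.compile(r"python3\d+\.dll$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)


def _trusted(path: str) -> bool:
    low = path.lower()
    return low.startswith(TRUSTED_ROOTS) or "\\appdata\\local\\programs\\python\\" in low


def _is_interpreter(path: str) -> bool:
    return ntpath.basename(path).lower() in INTERPRETERS


def _first_token(cmd: str) -> str:
    """Executable part of a Windows command line, honouring a quoted first argument."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def classify(ev: dict):
    """Return (rule_name, detail) for a suspicious event, else None."""
    eid = ev.get("EventID")
    if eid == 1 and _is_interpreter(ev["Image"]):
        if not _trusted(ev["Image"]):
            return ("interpreter_untrusted_path", ev["Image"])
        cmd = ev.get("CommandLine", "")
        # `python -c "<code>"` and `python -` (stdin) run code that never exists as a .py file on disk.
        if re.search(r"\s-c\s", cmd) or re.search(r"\s-\s*$", cmd):
            return ("interpreter_inline_code", cmd)
        return None
    if eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        exe = _first_token(ev.get("Details", ""))
        if _is_interpreter(exe):
            return ("run_key_launches_python", ev["TargetObject"] + " -> " + exe)
        return None
    if eid == 7 and PYTHON_DLL.search(ev.get("ImageLoaded", "")):
        # The runtime DLL itself is the implant in the WinSCP case: unsigned or outside a trusted root.
        if ev.get("Signed", "").lower() != "true" or not _trusted(ev["ImageLoaded"]):
            return ("python_runtime_dll_sideload", ev["ImageLoaded"])
    return None


def detect(events: list) -> list:
    return [hit for hit in (classify(e) for e in events) if hit]


# Constructed sample telemetry: two benign records, four that mirror the patterns discussed above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Python311\python.exe",
     "CommandLine": r'"C:\Program Files\Python311\python.exe" C:\dev\build.py'},
    {"EventID": 1, "Image": r"C:\Windows\py.exe",
     "CommandLine": 'py -c "import base64;exec(base64.b64decode(b\'cHJpbnQoMSk=\'))"'},
    {"EventID": 1, "Image": r"C:\Users\Public\Music\python\pythonw.exe",
     "CommandLine": r"C:\Users\Public\Music\python\pythonw.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Python",
     "Details": r"C:\Users\Public\Music\python\pythonw.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Python311\python.exe",
     "ImageLoaded": r"C:\Program Files\Python311\python311.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\Public\Music\python\pythonw.exe",
     "ImageLoaded": r"C:\Users\Public\Music\python\python310.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The trusted-root check is deliberately the first test on process-create events: an interpreter under `C:\Users\Public` is suspicious whatever its command line, and a script converted to an .exe with PyInstaller still drops and loads a python3xx.dll, which the image-load rule picks up.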