
Detecting of malicious scripts *.py in the .unitypackage files



Dear colleagues,

Is it possible in ESET products to detect malicious *.py scripts in .unitypackage files (a compressed package created by Unity, a 3D game development program, that contains the project and library files used to build a game)?

To create such scripts, the Hawkish-Grabber builder, for example, can be used; the script can then be added to the .unitypackage file, and the Unity application is opened automatically when this file is opened.

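As an added defender-side illustration (not from the original post or from ESET), the following script inventories the script-capable assets inside a .unitypackage so a security team can flag *.py/*.pyw files before the package is imported. It assumes the .unitypackage layout is a gzipped tar where each asset lives in a GUID-named directory containing a `pathname` member whose first line is the original project path; the extension list and the embedded sample package are constructed for the example.

```python
from __future__ import annotations
import io
import tarfile
from pathlib import PurePosixPath

# Extensions that can carry executable code rather than game data (hypothetical list,
# extend to taste; .py/.pyw are the ones this thread is about).
SCRIPT_EXTENSIONS = {".py", ".pyw", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".exe", ".dll"}

def list_package_entries(package_bytes: bytes) -> dict[str, str]:
    """Map asset GUID -> original project path, read from each 'pathname' member."""
    entries: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(package_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = PurePosixPath(member.name).parts  # './' prefixes are normalised away
            if not member.isfile() or len(parts) < 2 or parts[-1] != "pathname":
                continue
            guid = parts[-2]
            data = tar.extractfile(member).read().decode("utf-8", "replace")
            entries[guid] = data.splitlines()[0].strip()  # first line holds the path
    return entries

def find_script_assets(package_bytes: bytes) -> list[str]:
    """Return the project paths whose extension is in SCRIPT_EXTENSIONS, sorted."""
    paths = list_package_entries(package_bytes).values()
    return sorted(p for p in paths if PurePosixPath(p).suffix.lower() in SCRIPT_EXTENSIONS)

def build_sample_package() -> bytes:
    """Constructed sample package: a C# script, a Python file and a texture."""
    assets = {
        "1111aaaa": ("Assets/Scripts/Player.cs", b"public class Player {}\n"),
        "2222bbbb": ("Assets/Editor/build_helper.py", b"print('hello')\n"),
        "3333cccc": ("Assets/Textures/logo.png", b"\x89PNG..."),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for guid, (path, content) in assets.items():
            # Real packages follow the path line with a '00' line; mimic that here.
            for name, data in (("pathname", path.encode() + b"\n00\n"), ("asset", content)):
                info = tarfile.TarInfo(f"{guid}/{name}")
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    for path in find_script_assets(build_sample_package()):
        print("script-capable asset:", path)
```

Run it against a real package by passing `open("pkg.unitypackage", "rb").read()` to `find_script_assets`; a non-empty result is a review trigger, not proof of malice.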

11 hours ago, safety said:

Is it possible to block such scripts from running through HIPS rules?

Blocking execution of Python scripts via a HIPS is somewhat "an effort in futility" given the multiple ways the scripts can be run: https://realpython.com/run-python-scripts/ .

Now if Eset HIPS had the capability to block read access of a file plus global file wildcard use capability, then a HIPS rule could be created to block/ask for *.py and *.pyw file access.

Finally, .py scripts can be converted to a .exe, just like .bat, etc. scripts can be.

The main danger of Python scripts is that they are not parsed by the Win AMSI interface. On the other hand, AMSI is being bypassed so much by malware these days, it's probably a moot point.

Edited by itman

FYI - you might find this article informative: https://sheekgeek.org/2023/adamsheekgeek/best-way-to-make-guis-and-executables-in-python-for-windows-mac-and-linux . Note it does require modifying the target's Path environment variable, but that should not be too hard to do.

Edited by itman

Python doesn't even have to be installed, or a script embedded in a .exe, to be used maliciously. Just part of it is enough to pull off a successful attack. Case in point is this just-published BlackCat ransomware method:

Quote

BlackCat ransomware pushes Cobalt Strike via WinSCP search ads

The victim clicks the button and receives an ISO file containing "setup.exe" and "msi.dll," the first being the lure for the user to launch and the second being the malware dropper triggered by the executable.

"Once setup.exe is executed, it will call the msi.dll that will later extract a Python folder from the DLL RCDATA section as a real installer for WinSCP to be installed on the machine," explains the Trend Micro report.

This process also installs a trojanized python310.dll and creates a persistence mechanism by making a run key named "Python" and the value "C:\Users\Public\Music\python\pythonw.exe".

The executable pythonw.exe loads a modified obfuscated python310.dll that contains a Cobalt Strike beacon that connects to a command-and-control server address.

https://www.bleepingcomputer.com/news/security/blackcat-ransomware-pushes-cobalt-strike-via-winscp-search-ads/

Edited by itman