safety, posted June 27:

Dear colleagues, is it possible in ESET products to detect malicious *.py scripts inside .unitypackage files (a compressed package created by Unity, a 3D-game development program, containing the project and library files used to build a game)? To create such scripts, for example, the Hawkish-Grabber builder can be used; the script can then be added to the .unitypackage file and is run automatically when this file is opened in the Unity application.
itman, posted June 28:

Based on what I read here: https://github.com/Hawkish-Team/Hawkish-Grabber , I would say detection likelihood would be low.
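Since the original question is whether script files hidden in a .unitypackage can be spotted at all, here is an added example (not code from ESET, Unity or any poster) that inspects such a package before it is imported. It relies on the documented layout of the format: a gzip-compressed tar archive in which each asset sits in a directory named by its GUID and a `pathname` file declares the project-relative path. The sample package built by `build_sample_package` is constructed for the demonstration.

```python
"""Added example: list script assets declared inside a .unitypackage."""
import io
import tarfile

SCRIPT_EXTENSIONS = (".py", ".pyw")


def find_script_assets(package_bytes, extensions=SCRIPT_EXTENSIONS):
    """Return sorted (guid, pathname) pairs for assets whose declared
    pathname ends with one of `extensions`. `package_bytes` is the raw
    content of the .unitypackage (a gzip-compressed tar archive)."""
    wanted = tuple(e.lower() for e in extensions)
    hits = []
    with tarfile.open(fileobj=io.BytesIO(package_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Entries look like "<guid>/pathname" or "./<guid>/pathname".
            parts = member.name.split("/")
            if parts and parts[0] == ".":
                parts = parts[1:]
            if len(parts) != 2 or parts[1] != "pathname" or not member.isfile():
                continue
            fobj = tar.extractfile(member)
            if fobj is None:
                continue
            # First line holds the asset path; later lines (if any) are metadata.
            lines = fobj.read().decode("utf-8", "replace").splitlines()
            if not lines:
                continue
            path = lines[0].strip()
            if path.lower().endswith(wanted):
                hits.append((parts[0], path))
    return sorted(hits)


def build_sample_package():
    """Constructed sample .unitypackage (in memory) with one .py asset."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add("aaaa1111/pathname", b"Assets/Scripts/Player.cs\n00")
        add("aaaa1111/asset", b"// harmless C# script")
        add("bbbb2222/pathname", b"Assets/Editor/build_helper.py\n")
        add("bbbb2222/asset", b"print('constructed sample')")
        add("cccc3333/pathname", b"Assets/Textures/icon.png")
        add("cccc3333/asset", b"\x89PNG constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for guid, path in find_script_assets(build_sample_package()):
        print(f"{guid}: {path}")
```

Pointing `find_script_assets` at the bytes of a real package (e.g. `open(p, "rb").read()`) gives the same listing, and the `extensions` argument can be widened to other script types a project should never contain.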
safety (author), posted June 29:

@itman, is it possible to block such scripts from running through HIPS rules?
itman, posted June 29 (edited June 29):

11 hours ago, safety said: "Is it possible to block such scripts from running through HIPS rules?"

Blocking execution of Python scripts via a HIPS is somewhat "an effort in futility" given the multiple ways the scripts can be run: https://realpython.com/run-python-scripts/ . Now if ESET HIPS had the capability to block read access of a file plus global file wildcard use capability, then a HIPS rule could be created to block/ask for *.py and *.pyw file access. Finally, .py scripts can be converted to a .exe just like .bat, etc. scripts can be. The main danger of Python scripts is that they are not parsed by the Windows AMSI interface. On the other hand, AMSI is being bypassed so much by malware these days, it's probably a moot point.
itman, posted June 30 (edited June 30):

FYI - you might find this article informative: https://sheekgeek.org/2023/adamsheekgeek/best-way-to-make-guis-and-executables-in-python-for-windows-mac-and-linux . Note it does require modifying the target's Path environment variable, but that should not be too hard to do.
itman, posted July 1 (edited July 1):

Python doesn't even have to be installed, or a script embedded in a .exe, to be used maliciously. Just part of it is enough to pull off a successful attack. Case in point is this just-published BlackCat ransomware method:

Quote: "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads

The victim clicks the button and receives an ISO file containing "setup.exe" and "msi.dll," the first being the lure for the user to launch and the second being the malware dropper triggered by the executable. "Once setup.exe is executed, it will call the msi.dll that will later extract a Python folder from the DLL RCDATA section as a real installer for WinSCP to be installed on the machine," explains the Trend Micro report. This process also installs a trojanized python310.dll and creates a persistence mechanism by making a run key named "Python" and the value "C:\Users\Public\Music\python\pythonw.exe". The executable pythonw.exe loads a modified obfuscated python310.dll that contains a Cobalt Strike beacon that connects to a command-and-control server address."

https://www.bleepingcomputer.com/news/security/blackcat-ransomware-pushes-cobalt-strike-via-winscp-search-ads/