The fake recruitment campaign targeted developers using trojanized Python packages

“In an email interview with ReversingLabs, he stated that he was contacted on his LinkedIn profile and given a link to a GitHub repository as ‘homework’,” the researchers said. “The engineer was asked to ‘find a bug,’ solve it and push changes that addressed the bug. When the changes were made, the fake employer asked him to send screenshots of the fixed bug – to verify that the developer was running the project on his machine.”

Using PYC files to hide malicious code

Unlike a similar Node.js campaign reported by Securonix, in this case the attackers stored the malicious code in Python bytecode (PYC) files. This matters because such files are binary rather than plain-text source, which makes the malware harder to detect with tools and reviewers that only look at source code.

PYC files are generated and cached when the Python interpreter imports or executes a Python script. Because they already contain compiled bytecode, the interpreter can load them directly without re-parsing the original source, which gives faster startup times; the most common use of such files is in the distribution of Python modules. PYC files have been used by attackers to hide malicious code before.
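Because a PYC file is just a header followed by a marshalled code object, a defender can inspect one statically without ever running it. The following is an added example, not code from ReversingLabs or from the campaign described above: it parses the PEP 552 header, unmarshals the code object, walks nested code objects to collect every referenced name, flags names from a watchlist (the watchlist and the constructed sample module are this example's own assumptions), and separately lists PYC files in a tree that ship with no matching .py source, a common sign that bytecode was dropped in deliberately.

```python
import importlib.util
import marshal
import os
import py_compile
import struct
import tempfile
import types

# Names whose presence in bytecode warrants a closer look during triage.
# Assumption: this watchlist is our own; it is not taken from the report.
SUSPICIOUS_NAMES = {"exec", "eval", "compile", "b64decode", "urlopen", "Popen", "socket"}

PYC_HEADER_LEN = 16  # Python 3.7+ (PEP 552): 4-byte magic, 4-byte flags, 8 bytes of mtime+size or source hash

# Constructed sample module: benign, but shaped like the decode-then-exec pattern reviewers look for.
SAMPLE_SOURCE = '''
import base64

def run():
    payload = base64.b64decode(b"cHJpbnQoJ2hpJyk=")
    exec(payload)
'''


def parse_pyc_header(data: bytes) -> dict:
    """Parse the 16-byte header; raise ValueError if the magic does not match this interpreter."""
    if len(data) < PYC_HEADER_LEN:
        raise ValueError("file too short to be a .pyc")
    magic = data[:4]
    if magic != importlib.util.MAGIC_NUMBER:
        raise ValueError(f"magic {magic!r} does not match the running interpreter")
    (flags,) = struct.unpack("<I", data[4:8])
    if flags & 0x1:  # hash-based pyc: remaining 8 bytes are a SipHash of the source
        return {"hash_based": True, "source_hash": data[8:16].hex()}
    mtime, size = struct.unpack("<II", data[8:16])
    return {"hash_based": False, "source_mtime": mtime, "source_size": size}


def iter_code_objects(code: types.CodeType):
    """Yield a code object and every code object nested in its constants (functions, classes, lambdas)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from iter_code_objects(const)


def inspect_pyc(path: str) -> dict:
    """Statically inspect a .pyc: header, all referenced names, and watchlist hits. Never executes it."""
    with open(path, "rb") as f:
        data = f.read()
    header = parse_pyc_header(data)
    code = marshal.loads(data[PYC_HEADER_LEN:])  # unmarshalling builds a code object; it does not run it
    names = set()
    for co in iter_code_objects(code):
        names.update(co.co_names)
    return {"header": header, "names": sorted(names), "suspicious": sorted(names & SUSPICIOUS_NAMES)}


def find_orphan_pycs(root: str) -> list:
    """Return .pyc files under root that have no corresponding .py source next to them."""
    orphans = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".pyc"):
                continue
            stem = name.split(".")[0]  # also strips a .cpython-XY.pyc suffix
            # __pycache__/mod.cpython-XY.pyc belongs to ../mod.py; a loose mod.pyc belongs to ./mod.py
            src_dir = os.path.dirname(dirpath) if os.path.basename(dirpath) == "__pycache__" else dirpath
            if not os.path.exists(os.path.join(src_dir, stem + ".py")):
                orphans.append(os.path.join(dirpath, name))
    return sorted(orphans)


def demo() -> dict:
    """Compile the constructed sample to a loose .pyc, inspect it, then drop the source to show orphan detection."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "helper.py")
        with open(src, "w") as f:
            f.write(SAMPLE_SOURCE)
        loose = os.path.join(tmp, "helper.pyc")  # bytecode shipped without __pycache__, as a package might
        py_compile.compile(src, cfile=loose, doraise=True)
        report = inspect_pyc(loose)
        os.remove(src)  # simulate a package that ships only the bytecode
        report["orphans"] = [os.path.basename(p) for p in find_orphan_pycs(tmp)]
        return report


if __name__ == "__main__":
    print(demo())
```

The header check matters in practice: a PYC compiled for a different interpreter version will not unmarshal cleanly, and a mismatch between the recorded source size or hash and the .py sitting beside it is itself worth noting during review. Watchlist hits are only a triage signal; the next step is to disassemble the flagged code object with the standard `dis` module rather than execute it.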

