Attacks on Bytecode Interpreters Conceal Malicious Injection Activity



Researchers have found a way to circumvent malicious code detection by injecting malicious bytecode into interpreters for VBScript, Python, and Lua. This allows attackers to hide their attempts to execute malicious code from most endpoint security software.

The technique involves inserting commands into the bytecode that the interpreters used by many programming languages hold in memory. The research team successfully inserted malicious instructions into this in-memory bytecode prior to execution, and the insertion escaped detection because most security software does not scan bytecode.

This attack technique, dubbed “Bytecode Jiu-Jitsu,” can be used to hide malicious activity from endpoint security software. The researchers have already confirmed that the technique works for inserting malicious code in the in-memory processes of both the Python and Lua interpreters.

The approach allows attackers to skip other more obviously malicious steps, such as calling suspicious APIs to create threads, allocating executable memory, and modifying instruction pointers.

To mitigate this risk, interpreter developers can enforce write protections on the bytecode held in memory. The ultimate countermeasure is to restrict memory writes to the interpreter itself.
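Where write protection is not available, a defender can at least detect that a loaded function's bytecode no longer matches what was originally compiled. The following is an added example, not code from the researchers or the article: it baselines a CPython function's code object and re-verifies it later, using the documented `CodeType.replace()` API as a stand-in for an in-memory write (function names are constructed for the example; requires CPython 3.8+).

```python
import hashlib


def fingerprint(fn):
    """Hash the parts of a code object that determine what the function does.

    co_code alone is not enough: swapping a constant or a referenced name
    changes behaviour without changing a single instruction byte, so both
    are folded into the digest as well.
    """
    c = fn.__code__
    h = hashlib.sha256()
    h.update(c.co_code)
    h.update(repr(c.co_consts).encode())
    h.update(repr(c.co_names).encode())
    return h.hexdigest()


class BytecodeMonitor:
    """Records baseline fingerprints at load time and re-checks them on demand."""

    def __init__(self):
        self.baseline = {}

    def register(self, fn):
        self.baseline[fn.__qualname__] = fingerprint(fn)

    def verify(self, fn):
        """True if fn's in-memory code object still matches its baseline."""
        return self.baseline.get(fn.__qualname__) == fingerprint(fn)


def greet(name):
    return "hello " + name


def demo():
    mon = BytecodeMonitor()
    mon.register(greet)          # baseline taken right after load
    before = mon.verify(greet)   # unchanged -> True

    # Constructed tamper step: the instruction bytes stay identical, only the
    # constant pool changes, which is exactly the case a co_code-only hash misses.
    consts = tuple("bye " if k == "hello " else k for k in greet.__code__.co_consts)
    greet.__code__ = greet.__code__.replace(co_consts=consts)

    after = mon.verify(greet)    # tampered -> False
    return before, after, greet("x")


if __name__ == "__main__":
    print(demo())
```

A real deployment would take the baseline from the on-disk `.pyc` or source at import time and run the verification from a separate, protected context, since a monitor living in the same interpreter can be patched by the same write.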

The goal of presenting this new attack technique is to show security researchers and defenders what could be possible, not to inform attackers’ tactics.
Source: https://www.darkreading.com/vulnerabilities-threats/attacks-on-bytecode-interpreters-conceal-malicious-injection-activity