Threat actors are using sophisticated obfuscation techniques to bypass detection systems and abuse Python’s eval() and exec() functions for malicious code execution.
With over 100 supply chain attacks reported on PyPI in the past five years, these techniques pose a significant risk to organizations relying on Python packages.
Key Takeaways
1. Hackers hide malicious eval or exec calls using homoglyphs, string tricks, and alternate imports.
2. Payloads layer encodings and abuse builtins, sys.modules, globals(), locals().
3. Defenses require advanced static analysis, sandboxing, ML, and human review.
The growing threat landscape has prompted the development of advanced static analysis tools like Hexora, designed to detect obfuscated malicious code that traditional regex-based security tools often miss.
Because these attacks leverage Python’s dynamic nature to execute arbitrary code, simple pattern matching does not catch them, and they evade conventional security measures.
Advanced Obfuscation Techniques
According to Artem Golubin, even basic malicious code injection is paired with sophisticated evasion methods. The most elementary approach involves direct function calls:
However, experienced threat actors utilize confusable homoglyphs to bypass regex-based detection systems:
This technique exploits Unicode characters that visually resemble standard ASCII characters, making detection significantly more challenging for security tools that rely on simple string matching.
More advanced attackers leverage the builtins module to obscure malicious intent:
The __import__ dunder function provides another evasion vector, allowing attackers to avoid conventional import statements while maintaining functionality:
Threat actors frequently employ string concatenation and reversal to obfuscate function names and module references. Alternative module access methods include exploiting sys.modules, globals(), and locals().
The compile() function offers another attack vector, allowing code execution without direct eval() or exec() calls:
Payloads delivered through these methods typically employ multiple encoding layers, including base64, hexadecimal, rot13, marshal, and zlib compression, to further obscure malicious intent.
This multi-layered approach makes static analysis extremely challenging and often requires dynamic analysis or sandboxing techniques.
Security professionals recommend implementing comprehensive detection strategies that combine static analysis, dynamic analysis, machine learning models, and human oversight to identify these sophisticated attacks before they compromise production environments.
The post Hackers Can Exploit (eval) or (exec) Python Calls to Execute Malicious Code appeared first on Cyber Security News.