Python and Malware: Developing Stealth and Evasive Malware Without Obfuscation
Vasilios Koutsokostas, Constantinos Patsakis

TL;DR
This paper presents a method for building stealthy, evasive Python malware that passes the static checks of multi-engine scanners and evades sandbox analysis, exposing weaknesses in current detection tooling.
Contribution
It introduces a new obfuscation technique for Python malware that evades static checks and exposes weaknesses in sandbox environments. Rather than introducing a new packer, the method augments the existing, widely used Python packager PyInstaller, and the same approach applies to similar packaging tools.
Findings
Malware built with the proposed technique bypasses all static checks of multi-engine scanners such as VirusTotal.
Well-known sandboxes have significant weaknesses that let the malware evade their checks.
The problem is not PyInstaller-specific: the method applies to similar Python packaging tools, and the authors argue the weakness is inherent in almost all antivirus engines.
Abstract
With the continuous rise of malicious campaigns and the exploitation of new attack vectors, it is necessary to assess the efficacy of the defensive mechanisms used to detect them. To this end, the contribution of our work is twofold. First, it introduces a new method for obfuscating malicious code to bypass all static checks of multi-engine scanners, such as VirusTotal. Interestingly, our approach to generating the malicious executables is not based on introducing a new packer but on the augmentation of the capabilities of an existing and widely used tool for packaging Python, PyInstaller, but it can be used for all similar packaging tools. As we prove, the problem is deeper and inherent in almost all antivirus engines and not PyInstaller specific. Second, our work exposes significant issues of well-known sandboxes that allow malware to evade their checks. As a result, we show that stealth…
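The abstract describes the technique only at the level of "an augmented PyInstaller bundle"; it does not say which bundle structures the engines fail on. As an added example (not code from the paper or from PyInstaller), the block below shows the baseline structural check a static scanner starts from when triaging such a sample: it locates the CArchive cookie that PyInstaller appends to its bootloader executable, parses it, and walks the table of contents (TOC) to list the embedded items and recover the entry scripts. The cookie magic, the 88-byte cookie layout (PyInstaller 2.1+ format) and the TOC entry layout are PyInstaller's real on-disk format; the sample "executable" is constructed by hand inline (a 64-byte `MZ` stub plus a hand-built archive), and the function names are mine.

```python
"""Baseline static triage of a PyInstaller-packaged executable.

Added example, not code from the paper. Finds the CArchive cookie that
PyInstaller appends to the bootloader, parses it and walks the TOC.
The sample executable built by build_sample() is constructed for this demo.
"""
import struct
import zlib

PYI_MAGIC = b"MEI\014\013\012\013\016"        # magic at the start of the PyInstaller cookie
COOKIE_FMT = "!8sIIii64s"                     # magic, pkg_len, toc_off, toc_len, pyver, pylib
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)     # 88 bytes (PyInstaller >= 2.1 layout)
TOC_HDR_FMT = "!iIIIBc"                       # entry_len, offset, cmpr_len, uncmpr_len, flag, typecode
TOC_HDR_SIZE = struct.calcsize(TOC_HDR_FMT)   # 18 bytes; the null-padded name follows

TYPECODES = {
    b"b": "binary", b"d": "dependency", b"z": "PYZ archive", b"Z": "zipfile",
    b"M": "package", b"m": "module", b"s": "script", b"x": "data",
    b"o": "runtime option", b"l": "splash",
}


def find_cookie(data: bytes) -> int:
    """Offset of the cookie, searched backwards from the end of the file; -1 if absent."""
    return data.rfind(PYI_MAGIC)


def parse_cookie(data: bytes, pos: int) -> dict:
    """Unpack the cookie at pos. The Python version is encoded as major*100+minor
    in current PyInstaller releases and as major*10+minor in older ones."""
    magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    if magic != PYI_MAGIC:
        raise ValueError("no PyInstaller cookie at this offset")
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {"pkg_len": pkg_len, "toc_off": toc_off, "toc_len": toc_len,
            "python": f"{major}.{minor}",
            "pylib": pylib.rstrip(b"\0").decode("ascii", "replace")}


def walk_toc(data: bytes, archive_start: int, toc_off: int, toc_len: int) -> list:
    """Parse TOC entries; offsets inside entries are relative to archive_start."""
    pos, end, entries = archive_start + toc_off, archive_start + toc_off + toc_len, []
    while pos < end:
        entry_len, off, clen, ulen, flag, tc = struct.unpack_from(TOC_HDR_FMT, data, pos)
        if entry_len < TOC_HDR_SIZE:
            raise ValueError("malformed TOC entry")
        name = data[pos + TOC_HDR_SIZE:pos + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": TYPECODES.get(tc, tc.decode("latin-1")),
                        "offset": archive_start + off, "cmpr_len": clen,
                        "uncmpr_len": ulen, "compressed": bool(flag)})
        pos += entry_len
    return entries


def read_entry(data: bytes, entry: dict) -> bytes:
    """Raw bytes of one entry, inflated if the entry is zlib-compressed."""
    raw = data[entry["offset"]:entry["offset"] + entry["cmpr_len"]]
    return zlib.decompress(raw) if entry["compressed"] else raw


def triage(data: bytes):
    """Return None if no PyInstaller archive is present, else a summary dict."""
    pos = find_cookie(data)
    if pos < 0:
        return None
    cookie = parse_cookie(data, pos)
    # pkg_len counts the whole archive including the cookie, so the archive
    # starts pkg_len bytes before the end of the cookie.
    archive_start = pos + COOKIE_SIZE - cookie["pkg_len"]
    if archive_start < 0:
        raise ValueError("cookie claims an archive larger than the file")
    entries = walk_toc(data, archive_start, cookie["toc_off"], cookie["toc_len"])
    return {"python": cookie["python"], "pylib": cookie["pylib"],
            "archive_start": archive_start, "entries": entries,
            "scripts": [e["name"] for e in entries if e["type"] == "script"]}


def build_sample() -> bytes:
    """Constructed stand-in for a PyInstaller build: a 64-byte 'MZ' stub followed
    by a hand-built archive with two entry scripts, the second zlib-compressed."""
    stub = b"MZ" + b"\0" * 62
    items = [(b"pyiboot01_bootstrap", b"s", b"import sys\n", False),
             (b"main", b"s", b"import os\nos.system('whoami')\n", True)]
    payload, toc = b"", b""
    for name, tc, body, compress in items:
        blob = zlib.compress(body) if compress else body
        entry_len = TOC_HDR_SIZE + len(name) + 1
        toc += struct.pack(TOC_HDR_FMT, entry_len, len(payload), len(blob),
                           len(body), int(compress), tc) + name + b"\0"
        payload += blob
    pkg_len = len(payload) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, pkg_len, len(payload), len(toc),
                         311, b"python311.dll".ljust(64, b"\0"))
    return stub + payload + toc + cookie


if __name__ == "__main__":
    sample = build_sample()
    report = triage(sample)
    print("python", report["python"], "via", report["pylib"])
    for e in report["entries"]:
        print(f"{e['type']:12} {e['name']:24} {read_entry(sample, e)!r}")
```

This is a structural fingerprint (is a PyInstaller archive present, which Python, which entry scripts), not a verdict; a scanner would go on to unpack the PYZ entry and inspect the bytecode. The paper's thesis is that its augmented bundles defeat the static checks of almost all engines, so a check of this kind is the starting point of triage, not a countermeasure to the method.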
Taxonomy
Topics: Advanced Malware Detection Techniques · Cryptographic Implementations and Security · Software Testing and Debugging Techniques
