
Security Threats in Bytecode Interpreters Masking Malicious Injected Code


A group of Japanese researchers is set to demonstrate a new method of executing malicious code by hiding commands within the machine code stored in memory by software interpreters commonly used in programming languages like VBScript and Python. This groundbreaking technique will be showcased at the upcoming Black Hat USA conference, shedding light on a potential security loophole that could be exploited by cyber attackers.

Interpreters play a crucial role in translating human-readable software code into bytecode, which consists of granular programming instructions that are executed by the interpreter's virtual machine rather than directly by the CPU. The research team was able to successfully insert malicious instructions into the bytecode stored in memory prior to execution. Since most security software does not scan bytecode, these alterations went unnoticed, allowing attackers to conceal their malicious activities from endpoint security solutions.

The implications of this technique are significant, as it introduces a new way for malicious actors to evade detection by security tools. Researchers from NTT Security Holdings Corp. and the University of Tokyo will demonstrate the capabilities of this method using the VBScript interpreter, with plans to showcase its effectiveness in inserting malicious code into the in-memory processes of both Python and Lua interpreters.

According to Toshinori Usui, a research scientist at NTT Security, malware often conceals its behavior by injecting malicious code into benign processes. Traditional injection-type attacks typically exhibit detectable patterns that can be identified by security products. However, by exploiting the interpreter’s indifference to remote process overwriting, attackers can seamlessly replace generated bytecode with their own malicious code, bypassing conventional security measures.

While bytecode attacks are not entirely new, they represent a relatively novel approach to evading security defenses. Past research has explored bytecode corruption attacks and corresponding defense strategies, highlighting the importance of addressing this emerging threat vector. For instance, in a recent incident involving the Python Package Index, a malicious package named fshec2 successfully evaded detection by compiling all its malicious code into bytecode, underscoring the need for enhanced scrutiny of bytecode vulnerabilities.

Looking beyond precompiled malware, the NTT researchers’ Bytecode Jiu-Jitsu technique leverages the insertion of malicious bytecode into the memory space of interpreters to evade detection by security tools. By sidestepping more overtly malicious activities, such as API calls and memory modifications, attackers can maintain a stealthy presence within a compromised system. This method capitalizes on the interpretive nature of bytecode, which does not require execution privileges like native CPU instructions, making it a potent tool for stealthy exploitation.

To address the security implications of bytecode attacks, developers of interpreters, security tool developers, and operating system architects can play a role in enhancing defenses against such threats. While traditional security modifications like pointer checksums may offer some level of protection, the NTT Security researchers argue that write protections should be enforced to mitigate the risks associated with their attack technique. By restricting memory writes to the interpreter, developers can minimize the potential impact of bytecode-based exploits.
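As an added illustration of the checksum-style defense mentioned above (example code written for this page, not part of the original article or the researchers' work), the following Python script records a digest of each guarded function's bytecode at load time and refuses to run the function if its code object has changed since. The tampering is simulated by swapping in the code object of another benign function from the same script, standing in for an in-memory overwrite.

```python
import hashlib
from functools import wraps


def bytecode_digest(func) -> str:
    """SHA-256 over the opcodes plus the constants and names they reference,
    since changing either alters behaviour as much as changing opcodes does."""
    code = func.__code__
    h = hashlib.sha256()
    h.update(code.co_code)
    h.update(repr(code.co_consts).encode())
    h.update(repr(code.co_names).encode())
    return h.hexdigest()


class BytecodeTampered(RuntimeError):
    """Raised when a guarded function's bytecode no longer matches its digest."""


class IntegrityRegistry:
    """Stores a trusted digest per function and re-checks it before dispatch."""

    def __init__(self):
        self._trusted = {}

    def verify(self, func) -> bool:
        return self._trusted.get(func.__name__) == bytecode_digest(func)

    def guarded(self, func):
        self._trusted[func.__name__] = bytecode_digest(func)

        @wraps(func)
        def wrapper(*args, **kwargs):
            if not self.verify(func):
                raise BytecodeTampered(f"{func.__name__}: bytecode changed since load")
            return func(*args, **kwargs)
        return wrapper


def demo_detection():
    """Constructed scenario: guard add(), then replace its code object with
    sub()'s to stand in for an overwrite of the interpreter's bytecode."""
    reg = IntegrityRegistry()

    def add(a, b):
        return a + b

    def sub(a, b):
        return a - b

    guarded_add = reg.guarded(add)
    before = guarded_add(2, 3)      # untouched bytecode runs normally
    add.__code__ = sub.__code__     # simulated tampering (benign stand-in)
    try:
        guarded_add(2, 3)
        detected = False
    except BytecodeTampered:
        detected = True
    return before, detected
```

The check catches modified opcodes, constants or names, but not a rewrite that happens after verification and before execution; the write protection the researchers recommend is what closes that window.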

It is essential to recognize that presenting new attack techniques is not intended to assist malicious actors but rather to raise awareness among security researchers and defenders about potential vulnerabilities. By shining a light on emerging threats like bytecode attacks, the research community can work together to develop robust defenses and safeguard critical systems from exploitation. As Toshinori Usui emphasizes, the ultimate goal is to serve as a warning signal for the global security community, urging proactive measures to mitigate the risks posed by innovative attack vectors.
