Attacks on Bytecode Interpreters Conceal Malicious Injection Activity

Attacks on Bytecode Interpreters Conceal Malicious Injection Activity

August 1, 2024 at 06:05PM

Japanese researchers will demonstrate at Black Hat USA how attackers can insert malicious commands into the machine code of software interpreters, like VBScript and Python, to execute malicious code undetected. By exploiting the lack of bytecode scanning in security software, attackers can hide their activity, posing a significant supply chain risk. The technique, called Bytecode Jiu-Jitsu, allows attackers to evade detection and execute malicious commands in memory space without the need for execution privilege. While developers and security tool creators can mitigate the risk through certain security modifications, the ultimate countermeasure recommended by the researchers is to restrict memory write to the interpreter. Their goal is to raise awareness among security researchers and defenders about the potential threats rather than informing attackers about new tactics.

The meeting notes provide a comprehensive overview of the research findings by a group of Japanese researchers from NTT Security Holdings Corp. and the University of Tokyo. The key takeaway is the demonstration of a novel attack technique called Bytecode Jiu-Jitsu, which involves inserting malicious bytecode into the memory space of a running interpreter, allowing attackers to hide their malicious activity from most endpoint security software.

This technique exploits the fact that most security software does not scan bytecode in memory, thereby evading detection by security tools. By inserting malicious instructions into the bytecode held in memory prior to execution, the research team has demonstrated the potential to bypass traditional security measures and hide malicious behavior from detection.

The researchers highlight that this approach differs from traditional supply chain attacks, as it involves manipulating the bytecode in memory and does not necessarily rely on pre-compiled malware. They propose that developers of interpreters and security tools enforce write protections to help mitigate the risk, as well as consider implementing security modifications such as pointer checksums.

It’s important to note that the purpose of presenting this new attack technique is to raise awareness among security researchers and defenders about potential vulnerabilities, rather than to inform attackers’ tactics. The ultimate goal is to encourage the development of effective countermeasures and to serve as an alert for the global security community.

Full Article