feat: improve source code detection using malware insights on obfuscation#1378
Merged
…tion methods, and a new obfuscation tool Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
behnazh-w approved these changes, Apr 20, 2026
Summary
Using insights gained from analysis of previous malware samples, some new Semgrep rules are introduced in this PR.
Description of changes
New Execution Methods
It was observed that a method of spawning processes was using the pty module's spawn method. Inline import and sink matches for this have been added.
It was observed that some malware samples would leverage __builtins__ and whether it is a module or a dictionary in the given file. Matching for this as a sink has been added.
Small Pyarmor Update
It was noted in some samples that importing the required Pyarmor execution objects can occur in files like __init__.py, and so they can be used in other files without the import. These packages will always be detected, as the import does have to happen; this has just been added to ensure all files utilising Pyarmor are reported.
New Obfuscation Tool Detection - PyHydra
Some observed malware used PyHydra, a Python code obfuscation tool. Some common patterns used in the obfuscated code PyHydra produces have been added, along with a cut-down skeleton of what the file looks like in the obfuscation_tools.py samples.
New Decryption
A malware campaign was observed to be using Fernet to encrypt and subsequently decrypt payloads. Matching for this has been added as a sink. The patterns for string construction have also been improved to ensure they can catch uses of list comprehensions and mappings that utilise things like Caesar ciphers and XOR encryption.
Lambda Functions
It was noted that the lambda functions (like the b64_reversed_decompressed_ioc sample function) were not actually being matched. A pattern-inside match has been added to capture this.
Checklist
verified label should appear next to all of your commits on GitHub.
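As an added illustration of the sink shapes the description names (pty.spawn, __builtins__ access, a direct Fernet decrypt chain, and a decode chain hidden inside a lambda), here is a small Python ast-based detector; it is example code written for this page, not the project's Semgrep rules, and SAMPLE is a constructed skeleton that copies those shapes, not a real malware file.

```python
import ast
# Constructed sample that copies the shapes the PR describes; it is not real malware.
SAMPLE = """
import pty, zlib
from base64 import b64decode as d
from cryptography.fernet import Fernet
payload = lambda blob: zlib.decompress(d(blob[::-1]))
pty.spawn(cmd)
mods = __builtins__ if isinstance(__builtins__, dict) else vars(__builtins__)
plain = Fernet(key).decrypt(token)
"""
DECODERS = {"base64.b64decode", "zlib.decompress"}  # calls that mark a decode chain

def _qualname(node, aliases):
    # Resolve a Name/Attribute chain through the import table, e.g. d -> base64.b64decode
    if isinstance(node, ast.Name):
        return aliases.get(node.id, node.id)
    if isinstance(node, ast.Attribute):
        base = _qualname(node.value, aliases)
        return f"{base}.{node.attr}" if base else None
    return None  # e.g. a call result such as Fernet(key).decrypt

def find_sinks(source):
    """Return sorted (line, label) pairs for the sink shapes described in the PR."""
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified import, so aliased imports still match
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            aliases.update({a.asname or a.name: a.name for a in node.names})
        elif isinstance(node, ast.ImportFrom) and node.module:
            aliases.update({a.asname or a.name: f"{node.module}.{a.name}" for a in node.names})
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            if _qualname(node.func, aliases) == "pty.spawn":
                hits.add((node.lineno, "pty.spawn execution sink"))
            f = node.func  # only the direct Fernet(key).decrypt(token) chain is matched here
            if (isinstance(f, ast.Attribute) and f.attr == "decrypt" and isinstance(f.value, ast.Call)
                    and _qualname(f.value.func, aliases) == "cryptography.fernet.Fernet"):
                hits.add((node.lineno, "Fernet decrypt sink"))
        elif isinstance(node, ast.Name) and node.id == "__builtins__":
            hits.add((node.lineno, "__builtins__ access"))
        elif isinstance(node, ast.Lambda) and any(  # decode chain nested in a lambda body
                isinstance(n, ast.Call) and _qualname(n.func, aliases) in DECODERS
                for n in ast.walk(node.body)):
            hits.add((node.lineno, "decode chain inside lambda"))
    return sorted(hits)

if __name__ == "__main__": print(*find_sinks(SAMPLE), sep="\n")
```

Unlike a plain string match, the import table lets the same check fire on `from pty import spawn as s` or an aliased `b64decode`, which is the kind of evasion a Semgrep inline-import pattern is meant to cover.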