TH16105

Detected presence of files that use hex-encoded module import directive.

priority | CI/CD status | severity | effort | RL level | RL assessment
         | pass         | high     | high   | None     | None

About the issue

Programming languages allow developers to extend the functionality of their code by importing additional modules. Each programming language has its own way of achieving this, but it is common to declare reliance on external modules by using the import directive. This declaration is typically done at the source code level, where developers write the names of the modules their code requires. Names of external modules are expected to be written as regular, easy-to-understand text.

However, some programming languages allow the names of external modules to be hex-encoded, which can serve as a form of code obfuscation. Because of this, attackers commonly abuse the feature to confuse security tools and avoid detection. While the presence of hex-encoded imports does not imply malicious intent, all of its uses in a software package should be documented and approved. One example of acceptable use for hex-encoded import directives is loading modules with non-ASCII names.
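One way to check source files for the pattern described above, as an added example that is not the vendor's detection logic. It assumes Python as the target language and treats `__import__` and `import_module` calls as the import directives of interest; the sample source and all function names are constructed for illustration.

```python
import ast
import re

# Assumption: call names treated as dynamic import directives in this example.
IMPORT_CALLS = {"__import__", "import_module"}
# A \xNN escape as it appears in the raw source text of a string literal.
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")

def call_name(func):
    """Name of the called function for plain names and attribute access."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None

def find_hex_imports(source):
    """Return sorted (line, raw_literal, decoded_name, non_ascii) findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and node.args
                and call_name(node.func) in IMPORT_CALLS):
            continue
        arg = node.args[0]
        if not (isinstance(arg, ast.Constant) and isinstance(arg.value, str)):
            continue
        raw = ast.get_source_segment(source, arg) or ""
        # A backslash left in the decoded value means the escape was never
        # interpreted (raw string or escaped backslash), so skip it.
        if HEX_ESCAPE.search(raw) and "\\" not in arg.value:
            # non_ascii marks the documented acceptable use: non-ASCII names.
            findings.append((node.lineno, raw, arg.value,
                             not arg.value.isascii()))
    return sorted(findings)

# Constructed sample input; it is parsed only, never executed.
SAMPLE = r'''
import json
mod_a = __import__("\x6f\x73")
mod_b = importlib.import_module("\x62\x61\x73\x65\x36\x34")
mod_c = __import__("caf\xe9_utils")
mod_d = __import__("json")
'''

if __name__ == "__main__":
    for line, raw, name, non_ascii in find_hex_imports(SAMPLE):
        note = "non-ASCII name, check approval record" if non_ascii else "plain ASCII name hidden by encoding"
        print(f"line {line}: {raw} -> {name!r} ({note})")
```

Findings whose decoded name is plain ASCII have no need for the encoding and are the ones to review first against the package's documented and approved uses.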

How to resolve the issue

  • Investigate reported detections as indicators of software tampering.
  • Consult MITRE ATT&CK documentation: T1027 - Obfuscated Files or Information.
  • Consider renaming the imported modules.