Unsung GitHub Features Anchor Novel Hacker C2 Infrastructure

Published: 23/11/2024   Category: security



More and more hackers are choosing to host their malicious campaigns from public services, and they're pioneering new ways of doing it.



Researchers have come across a GitHub account abusing two unique features of the site to host stage-two malware.

Hackers have increasingly been repurposing public services as headquarters for their misdeeds — housing malware in public code repositories or file-sharing services, and performing command-and-control (C2) from messaging apps. Sometimes they get even more creative, utilizing software-as-a-service (SaaS) platforms in ways you'd never be able to guess.
Continuing this tradition is yeremyvalidslov2342 (hereafter Yeremy), an individual connected with multiple malicious packages identified by ReversingLabs on Dec. 19. To stealthily sneak payloads past both site admins and victims, Yeremy's packages were concealed using two previously unexploited GitHub features: gists and commits.

The most common way cybercriminals abuse public code repositories is by simply publishing their malicious files to throwaway accounts. It's obvious yet crude, as administrators work to identify and take down such accounts as soon as they're spotted.
Yeremy took a more circuitous approach, first publishing a series of packages to the Python Package Index (PyPI), another oft-abused repo. The packages were presented as honest libraries for handling network proxying, but inside their setup file lay a Base64-encoded string concealing a URL, which pointed to a secret GitHub gist.

Gists are a kind of lite version of Git repositories, designed to allow coders to store and share snippets of code without having to set up entire projects around them. They can be public or secret: hidden from the wider public and unsearchable, but still shareable with friends and colleagues.

The secret gist referenced by the PyPI packages contained stage-two malware. The researchers were only able to find one other use of gists for such a purpose, buried in a 2019 Trend Micro report about a Slack backdoor.

Yeremy was also connected to one other PyPI package with a malicious setup file. This time, upon execution, the package cloned an existing, most likely legitimate, PySocks project from GitHub. Instead of being within the repo itself, in this case the malware was hidden inside the commit message describing it.
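As an added illustration from the defender's side (this is not code from the report, from ReversingLabs, or from the packages it describes), the following Python scans text such as a package's setup file or a Git commit message for long Base64 runs, decodes them, and flags any that decode to a URL (classifying code-hosting domains such as gist.github.com) or to other readable text. The sample setup file, the commit message, and the gist URL are constructed placeholders.

```python
import base64
import re

# Hosts the report singles out as abused for hosting second-stage payloads.
CODE_HOSTS = {"gist.github.com", "gist.githubusercontent.com",
              "raw.githubusercontent.com", "github.com"}

# Runs of the Base64 alphabet long enough to hide a URL (24+ chars, ~18+ bytes).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"^https?://([^/\s]+)", re.IGNORECASE)

# Constructed inputs for the demo. The gist URL is a placeholder, not a real gist.
HIDDEN_URL = "https://gist.github.com/example-user/deadbeef"
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "import base64, urllib.request\n"
    f'_u = base64.b64decode("{base64.b64encode(HIDDEN_URL.encode()).decode()}").decode()\n'
    'setup(name="proxy-helper", version="0.1")\n'
)
# A commit message carrying an encoded blob (benign placeholder text here).
SAMPLE_COMMIT_MSG = (
    "Update proxy settings\n\n"
    + base64.b64encode(b"echo stage-two-placeholder").decode() + "\n"
)

def decode_candidates(text):
    """Yield (token, decoded) for Base64 runs that decode to printable text."""
    for match in B64_RUN.finditer(text):
        token = match.group(0)
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not Base64, bad padding, or binary content: skip it
        if decoded.isprintable():
            yield token, decoded

def scan_for_hidden_payloads(text):
    """Return findings: decoded URLs (with host classification) or readable text."""
    findings = []
    for token, decoded in decode_candidates(text):
        url = URL_RE.match(decoded.strip())
        if url:
            host = url.group(1).lower()
            findings.append({"kind": "url", "token": token, "decoded": decoded.strip(),
                             "host": host, "code_hosting": host in CODE_HOSTS})
        else:
            findings.append({"kind": "text", "token": token, "decoded": decoded})
    return findings
```

Long hex digests and similar strings are also made of Base64 characters, so the heuristic is a triage aid for reviewing dependencies and commit history, not a verdict on its own.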
Carrying out cyberattacks from one's own infrastructure does offer a certain degree of resiliency against account takedowns, but using shared and open source resources has the advantage of stealth.
"Some malware authors are afraid of getting detected," notes Karlo Zanki, the author of Tuesday's report. "But," he adds, "if malicious code is properly obfuscated, public services aren't so good at detecting it."

"Package repositories like npm and PyPI receive thousands of daily packages," he continues, "and there isn't an easy way to monitor and analyze them. Some repositories do scanning with traditional antivirus solutions, but very often malicious packages get past those basic defenses. So they have limited resources, and it's not likely that they will have money or motivation to make everything that gets published secure. It's up to users of those packages to protect themselves."

Public software services also offer a host of extra upsides for bad guys. It's quicker, easier, and cheaper to create an account on a popular website than it is to arrange traditional infrastructure. The company supporting the site handles maintenance and uptime, and they're typically very reliable. Traffic to popular sites elicits far less suspicion than does traffic to unknown servers in far-off countries. Plus, what's the harm if a malicious account gets taken down? Just create a new one.

"If I were a malicious actor," Zanki concludes, "I would definitely not waste my time on running my own infrastructure."
