TMCnet Feature
May 13, 2019

GitHub May Become a New Malware Bay



Present-day cybercriminals are resourceful enough to conduct multi-pronged malware campaigns that wreak a great deal of electronic havoc while boasting sophisticated evasion techniques. To get around common blacklisting mechanisms and thereby extend the lifetime of their malicious activity, threat actors have come to employ legitimate services like GitHub to host their dodgy scripts, offending code, and manipulative landing pages.



A few GitHub abuse incidents unearthed recently demonstrated how agile the crooks’ strategies can be. Below is a roundup of prominent cases in which the legitimate code repository in question served as a pivot of malware distribution and phishing campaigns.

Card skimming script lurking on GitHub

Security analysts discovered a large-scale payment card sniffing and credential theft wave in late April 2019 that affected hundreds of online stores built with the Magento platform. The specific script to blame is the so-called MageCart skimmer, which has been around since 2015 and gained notoriety for compromising major services, including British Airways, Newegg, and Ticketmaster.

In their latest move, the operators used GitHub to host the skimming kit. The skimmer script that the criminals uploaded to the service was cloaked using hexadecimal encoding in an attempt to prevent it from being identified by the platform's defenses. The previously hacked Magento websites ended up loading this third-party script as part of their page source.

Although the page containing the fraudulent content was promptly deleted by GitHub in response to white hats’ reports, nearly 800 vulnerable Magento installations still have links pointing to the MageCart skimmer at the time of writing. In light of this attack vector, the only effective way for administrators of e-commerce sites to safeguard their customers’ shopping experience is to apply CMS and plugin updates once they are available. Sticking with proper authentication hygiene is another must.
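A site owner who wants to check whether their own storefront pulls in a script of this kind can look for two things the article describes: `<script>` tags whose source lives on a code-hosting service, and inline scripts dominated by `\xNN` hex escapes. The scanner below is an added example, not code from the article or from any of the researchers it cites; the code-hosting domain list, the 30% escape-density threshold and the sample page are constructed assumptions to be tuned against a real allowlist.

```python
"""Scan an HTML page for scripts loaded from code-hosting services and for
hex-escape obfuscation of the kind described in the MageCart case.
Added example; the domain list, threshold and sample page are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts an e-commerce checkout page has little reason to load scripts from
# directly. Assumption for this example; keep your own allowlist.
CODE_HOSTING_DOMAINS = (
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "github.io",
)

# A literal backslash-x followed by two hex digits, e.g. \x64
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def is_code_hosting(url):
    """True when the script URL's host is (a subdomain of) a watched domain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in CODE_HOSTING_DOMAINS)


def hex_escape_ratio(script):
    """Fraction of the script body (by characters) made up of \\xNN escapes."""
    if not script.strip():
        return 0.0
    return len(HEX_ESCAPE.findall(script)) * 4 / len(script)


def scan_page(html, ratio_threshold=0.3):
    """Return (finding_kind, detail) pairs for suspicious script tags."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        if is_code_hosting(src):
            findings.append(("external-code-hosting", src))
    for body in parser.inline:
        ratio = hex_escape_ratio(body)
        if ratio >= ratio_threshold:
            findings.append(("hex-obfuscated-inline", round(ratio, 2)))
    return findings


# Constructed sample page: one benign CDN script, one script pulled from
# GitHub, one hex-escaped inline blob, one ordinary inline handler.
SAMPLE_PAGE = r"""<html><head>
<script src="https://cdn.example-store.test/app.js"></script>
<script src="https://raw.githubusercontent.com/someuser/repo/master/checkout.js"></script>
<script>var _0x1=["\x64\x6f\x63\x75\x6d\x65\x6e\x74","\x66\x6f\x72\x6d\x73"];</script>
<script>document.getElementById("cart").addEventListener("click", go);</script>
</head></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE):
        print(kind, detail)
```

Run it against a saved copy of each checkout and account page; a hit on the first rule is worth an immediate look because a storefront should not be executing code straight out of someone's repository, while the second rule needs a threshold tuned so that legitimately minified bundles do not trip it.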

GitHub-hosted phishing kits

Another strategy involving the popular code hosting repository was unveiled in April 2019. As opposed to the technique covered above, it took advantage of the GitHub Pages feature that allows users to create and run a website within the platform. The malefactors set up phishing pages using the github.io URL space and redirected the would-be victims to these bogus resources disguised as login pages for online banking and other services accessible via commonplace authentication.

This intricate approach allowed the crooks to bypass domain-based blacklisting, given that pages hosted on GitHub raise hardly any red flags when it comes to conventional filtering databases. Consequently, such a phishing campaign might last longer than one relying on other types of landing pages. Having harvested the unsuspecting users’ sensitive credentials, the malicious kits were stealthily submitting them to the criminal-run command and control servers.

The fact that the cyber thieves exploited free, publicly visible GitHub accounts made it possible for researchers to closely inspect all their shenanigans. As a result, the phishers’ accounts were suspended once the platform became aware of the fraud.

GitHub abused to push info stealer malware

A recent malware outbreak aimed at pilfering victims’ personal data used GitHub to host the harmful code. According to security analysts’ findings, the hacker crew referred to as Gaza Cybergang leveraged politically-themed phishing emails to dupe the recipients into clicking the embedded booby-trapped links. The targets mostly included users and organizations considered to be influencers in the area of Palestinian issues. In particular, the region’s media companies, government agencies, political parties, healthcare institutions, activists, and journalists were in the spotlight of the attackers’ artifice.

In the initial phase of the campaign, the crooks sent out misleading emails to potential victims that lured them into clicking a link leading to the first-stage payload. This payload could be hosted on GitHub or a number of other free, publicly accessible file-sharing services, such as Pastebin and upload.cat.

The final-stage malware on this infection chain was a RAT (Remote Access Tool) that was surreptitiously downloaded from the criminals' C2 server. It allowed them to perform reconnaissance on the infected computers, gather documents stored in different formats, compress and encrypt them, and then transmit the resulting data to the command and control server. Fortunately, due to well-coordinated efforts of law enforcement and the antivirus lab that investigated the matter, the campaign came to a halt.

Cutting-edge backdoor activity bolstered by GitHub Gist API

In March 2019, it was discovered that a hacker group used GitHub's Gist feature along with the Slack messaging service to communicate with a recently discovered multi-functional backdoor malware. For the record, Gist is a feature that allows developers to write some text or snippets of code, usually small ones, directly in the web interface. These bits of information can be a way to leave comments or share walkthroughs regarding a specific project uploaded to GitHub.

Based on the names of the abused systems (Slack and GitHub), the infection was codenamed SLUB. It carries out a multi-stage intrusion, additionally harnessing known Windows vulnerabilities, namely the CVE-2018-8174 remote code execution flaw and the CVE-2015-1701 privilege escalation bug.

The attack employs the above-mentioned security loopholes to drop a downloader disguised as a DLL file in what is known as a "watering hole" attack. The first-stage infection downloads a GitHub Gist snippet that contains commands to be run on the contaminated computers. Once the valuable data has been stealthily collected on the breached network, it is exfiltrated to the attackers' server through Slack.
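Because the Gist and Slack traffic SLUB generates goes to hosts that any developer workstation also talks to, blocking the destinations is rarely an option; what stands out is the process on the other end. The detection below, an added example that is not taken from the article or from the researchers who analysed SLUB, groups endpoint log lines by host and process, ignores browsers and developer tooling, and raises an alert when any other process repeatedly reaches a code-hosting or chat API. The log format, the sample lines, the watched hosts and the process allowlist are all constructed assumptions.

```python
"""Flag processes that are neither browsers nor developer tooling yet talk to
code-hosting or chat APIs, as a detection idea for a Gist/Slack command
channel. Added example; log format, sample lines, watched destinations and
the process allowlist are constructed assumptions."""
import re
from collections import defaultdict

# Constructed endpoint log: timestamp, host, process, destination, path.
SAMPLE_LOG = """\
2019-03-12T09:01:05Z ws-17 chrome.exe gist.github.com /someuser/0a1b2c
2019-03-12T09:01:09Z ws-17 git.exe api.github.com /repos/org/tool
2019-03-12T09:02:41Z ws-17 rundll32.exe api.github.com /gists/0a1b2c
2019-03-12T09:02:42Z ws-17 rundll32.exe gist.githubusercontent.com /someuser/0a1b2c/raw
2019-03-12T09:03:10Z ws-17 rundll32.exe hooks.slack.com /services/T000/B000/XXXX
2019-03-12T09:05:00Z ws-22 slack.exe hooks.slack.com /services/T111/B111/YYYY
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dest>\S+) (?P<path>\S+)$"
)

# Destinations worth watching (assumption): code-hosting and chat APIs that
# double as free command channels.
WATCHED_DESTS = {
    "gist.github.com",
    "api.github.com",
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "hooks.slack.com",
    "slack.com",
    "pastebin.com",
}

# Processes expected to talk to those hosts on a developer workstation
# (assumption; replace with your own inventory).
EXPECTED_PROCS = {
    "chrome.exe", "firefox.exe", "msedge.exe",
    "git.exe", "code.exe", "slack.exe",
}


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def detect(log, min_hits=2):
    """Return one alert per (host, process) that reaches watched
    destinations at least min_hits times while not being an expected process."""
    hits = defaultdict(list)
    for raw in log.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["dest"] not in WATCHED_DESTS:
            continue
        if rec["proc"].lower() in EXPECTED_PROCS:
            continue
        hits[(rec["host"], rec["proc"])].append(rec)

    alerts = []
    for (host, proc), recs in sorted(hits.items()):
        if len(recs) < min_hits:
            continue
        alerts.append({
            "host": host,
            "process": proc,
            "first_seen": recs[0]["ts"],
            "hits": len(recs),
            "destinations": sorted({r["dest"] for r in recs}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The `min_hits` floor keeps a single stray connection from paging anyone; the pattern that matters is the same unexpected process fetching a Gist and then posting to a Slack webhook, which is exactly the download-commands-then-exfiltrate sequence the article describes.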

Cyber espionage crew using GitHub to store malware

Industrial espionage groups benefit from GitHub in their own way. In late 2018, threat intelligence experts exposed a gang dubbed Seedworm or MuddyWater. The adversaries targeted high-profile victims in Turkey, Pakistan, as well as several North American and European companies tied to businesses in the Middle East.

It turns out the gang stored their malicious tools and scripts in GitHub repositories. Some of these instruments are off-the-shelf reconnaissance tools, and some are customized variants thereof. One of the offending entities that the crooks uploaded to the service was Powemuddy, a fusion of a backdoor and malware downloader detected on a number of networks previously attacked by Seedworm.

In the course of their analysis, the researchers also found a connection between the criminals' GitHub account and a Twitter profile whose owner follows numerous InfoSec gurus and security software publishers. Through social media, the black hats probably try to keep abreast of innovations in the cybersecurity area so that their future onslaughts are more effective and slip under the radar of mainstream defenses.

Policing GitHub

GitHub is a godsend for ethical coders, but a growing number of cybercriminal gangs are adding it to their repertoire as well. Some of these felons are lured by the ability to host their dangerous code for free, while others are motivated by the fact that antivirus solutions trust this network and aren’t very likely to blacklist the associated content. As a result, the abuse of GitHub is on the rise.

To the company's credit, it is very responsive to fraud reports and quickly suspends the accounts that violate its terms of use. Hopefully, the provider will shortly come up with effective mechanisms to identify unwanted activity much faster.
