Greedy Cybercriminals Stealthily Abuse GitHub Service to Host Malware
Open-source software repositories form the backbone of many software development projects. But what if they are used to plant malicious code? Over the past few years, cybercriminals have been aggressively capitalizing on these repositories, especially GitHub, to host and distribute their malicious components and malware.
What’s this unnoticed vulnerability?
- In a recent report, Octoverse revealed that almost a fifth (around 17%) of all software bugs on GitHub were intentionally placed as backdoors by cybercriminals.
- A vast majority of these backdoors came from the npm ecosystem, affecting the many projects that depend on those packages.
GitHub trends as a successful attack vector
Other than being abused for backdoors, GitHub served as a channel to host malware.
- A new variant of Gitpaste-12 botnet, which returned with more than 31 exploits, was reported utilizing GitHub along with Pastebin for storing malicious component code.
- Another botnet, PGMiner, downloaded a static curl binary from GitHub to carry out its tasks before dropping its final Monero mining payload.
- A new strain of malware associated with the MuddyWater APT group used Word files with macros to download a PowerShell script from GitHub. The PowerShell script was later used to download an image file for decoding a Cobalt Strike script on Windows systems.
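All three cases above share one staging pattern: a non-browser client (a Word macro, PowerShell, curl) pulling a component from a raw-content host. The following hunting rule is an added example, not code from the original article; it runs over constructed proxy log lines, and the host list, process names, placeholder repository paths and log format are all assumptions.

```python
import re

# Hosts used as staging locations in the cases above. Developers legitimately
# fetch from them too, so a hit on the host alone is not enough: the rule also
# requires a client that should not be pulling raw code, an Office application
# (macro delivery) or a shell/scripting client (curl, PowerShell) rather than a
# browser or git.
RAW_HOSTS = {"raw.githubusercontent.com", "gist.githubusercontent.com", "pastebin.com"}
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CLIENT = re.compile(r"(?i)(curl|wget|windowspowershell|python-requests)")
SCRIPT_EXT = re.compile(r"\.(ps1|vbs|bat|cmd|sh|py)$", re.IGNORECASE)

# Constructed proxy log (assumed format): timestamp|client_ip|process|host|path|user_agent
# "example-user/repo" is a placeholder path, not a real repository.
SAMPLE_PROXY_LOG = """\
2021-01-12T10:02:11Z|10.0.4.21|chrome.exe|github.com|/octocat/Hello-World|Mozilla/5.0 (Windows NT 10.0) Chrome/87.0
2021-01-12T10:05:43Z|10.0.4.21|git-remote-https.exe|github.com|/octocat/Hello-World.git/info/refs|git/2.30.0
2021-01-12T10:07:02Z|10.0.4.37|winword.exe|raw.githubusercontent.com|/example-user/repo/main/stage1.ps1|Microsoft Office/16.0
2021-01-12T10:07:05Z|10.0.4.37|powershell.exe|raw.githubusercontent.com|/example-user/repo/main/image.png|Mozilla/5.0 (Windows NT; Windows NT 10.0) WindowsPowerShell/5.1
2021-01-12T10:09:30Z|10.0.9.2|curl|raw.githubusercontent.com|/example-user/repo/main/curl-amd64|curl/7.74.0
2021-01-12T10:11:00Z|10.0.4.21|firefox.exe|pastebin.com|/raw/AbCdEf12|Mozilla/5.0 (X11; Linux) Firefox/84.0
"""


def classify(line):
    """Return a reason string if the request looks like malware staging, else None."""
    _ts, _client, process, host, path, agent = line.split("|", 5)
    if host not in RAW_HOSTS:
        return None
    if process.lower() in OFFICE_PROCESSES:
        return "office-app-fetched-raw-content"
    if SCRIPT_CLIENT.search(agent):
        return "script-client-fetched-raw-content"
    if SCRIPT_EXT.search(path):
        return "script-file-from-raw-host"
    return None


def hunt(log_text):
    """Apply classify() to every line; return (client_ip, process, url, reason) tuples."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reason = classify(line)
        if reason:
            _ts, client, process, host, path, _agent = line.split("|", 5)
            hits.append((client, process, f"https://{host}{path}", reason))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROXY_LOG):
        print(*hit)
```

On the sample log the rule flags the Word-initiated script download, the follow-up PowerShell fetch of the image file, and the curl pull of a binary, while leaving browser and git traffic alone.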
What should organizations worry about?
Attacks on software developers are not unheard of. Nowadays, malicious actors can abuse GitHub and other services that host Git repositories for stealthy attacks aimed at software developers. By hiding malicious code in legitimate-looking repositories, attackers can stay under the radar for years. The result can be theft of valuable intellectual property as well as the malfunctioning of critical systems.