Security researchers have found new malware that finds and backdoors open-source NetBeans projects hosted on GitHub in order to spread to Windows, Linux, and macOS systems and deploy a Remote Administration Tool (RAT).
The malware, dubbed Octopus Scanner by researchers at the GitHub Security Lab, compromises developers' computers by infecting their NetBeans repositories, planting malicious payloads in JAR binaries, project files and dependencies, and later spreading to downstream development systems.
'Infecting build artifacts is a means to infect more hosts since the infected project will most likely get built by other systems and the build artifacts will probably be loaded and executed on other systems as well,' the researchers explain.
GitHub’s Security Incident Response Team (SIRT) was notified by security researcher JJ on March 9 about GitHub repositories that were serving as malware delivery points.
While investigating this malware, GitHub Security Lab researchers found 26 open source projects compromised by Octopus Scanner that inadvertently served up its backdoored code to any developers that would fork or clone the repos.
Inner workings of an open-source supply chain malware
Once an infected repo is cloned or forked onto a development system and built, that system is infected, and the information-stealing malware then backdoors every NetBeans project build it can find by injecting a dropper into the JAR files those builds produce.
This dropper will subsequently allow Octopus Scanner to gain 'local system persistence and would subsequently spawn a Remote Administration Tool (RAT), which connects to a set of C2 servers.'
Unfortunately, the malware's C2 servers were already down when GitHub started the investigation, therefore there are no details on what tasks the attackers carried out on compromised systems using the dropped RAT.
After it infects a developer's system, Octopus Scanner will:
• Identify the user's NetBeans directory
• Enumerate all projects in the NetBeans directory
• Copy the malicious payload cache.dat to nbproject/cache.dat
• Modify the nbproject/build-impl.xml file to make sure the malicious payload is executed every time the NetBeans project is built
• If the malicious payload is an instance of Octopus Scanner itself, the newly built JAR file is also infected
The malware is also designed to block new builds from replacing the compromised one by keeping its malicious build artifacts in place.
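The two on-disk markers in the steps above (a payload at nbproject/cache.dat and an edited nbproject/build-impl.xml) are what a developer can check for after cloning an untrusted repo. The scanner below is an added example written for this page, not GitHub Security Lab tooling: it walks a NetBeans workspace and flags any project whose nbproject/ directory holds a cache.dat or whose build-impl.xml references one. The function names (scan_netbeans_dir, build_sample_tree, demo), the sample project tree, and the tampered `-post-jar` target are all constructed for the example; the page does not show the real injected XML. It also assumes that a stock, NetBeans-generated build-impl.xml never mentions cache.dat.

```python
"""Added example (not GitHub Security Lab tooling): scan a NetBeans
workspace for the two infection markers described on this page, an
nbproject/cache.dat payload and an nbproject/build-impl.xml that has
been edited to reference it."""
import hashlib
import os
import tempfile
from pathlib import Path

PAYLOAD_NAME = "cache.dat"
BUILD_IMPL = "build-impl.xml"

# Constructed stand-in for a stock NetBeans build-impl.xml. Assumption
# for this example: a legitimate generated copy never mentions cache.dat.
CLEAN_BUILD_IMPL = """<?xml version="1.0" encoding="UTF-8"?>
<!-- *** GENERATED FROM project.xml - DO NOT EDIT *** -->
<project name="CleanApp-impl" default="default" basedir="..">
    <target name="-post-jar"/>
</project>
"""

# Hypothetical tampered copy: a hook that launches the payload at the end
# of every build. The page does not show the real injected XML, so this
# target is an illustration, not the actual Octopus Scanner edit.
TAMPERED_BUILD_IMPL = """<?xml version="1.0" encoding="UTF-8"?>
<!-- *** GENERATED FROM project.xml - DO NOT EDIT *** -->
<project name="BackdooredApp-impl" default="default" basedir="..">
    <target name="-post-jar">
        <java jar="${basedir}/nbproject/cache.dat" fork="true"/>
    </target>
</project>
"""


def scan_netbeans_dir(root):
    """Walk `root` and return sorted (project, reason) findings for every
    project whose nbproject/ directory shows either infection marker."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != "nbproject":
            continue
        project = os.path.relpath(os.path.dirname(dirpath), root)
        if PAYLOAD_NAME in filenames:
            # Hash the dropped file so it can be compared across projects
            # or submitted to a scanner.
            digest = hashlib.sha256(Path(dirpath, PAYLOAD_NAME).read_bytes()).hexdigest()
            findings.append((project, "nbproject/%s present, sha256=%s" % (PAYLOAD_NAME, digest)))
        if BUILD_IMPL in filenames:
            text = Path(dirpath, BUILD_IMPL).read_text(errors="replace")
            if PAYLOAD_NAME in text:
                findings.append((project, "%s references %s" % (BUILD_IMPL, PAYLOAD_NAME)))
    return sorted(findings)


def build_sample_tree(base):
    """Construct one clean and one tampered project under `base` (sample data)."""
    clean = Path(base, "CleanApp", "nbproject")
    clean.mkdir(parents=True)
    (clean / BUILD_IMPL).write_text(CLEAN_BUILD_IMPL)
    bad = Path(base, "BackdooredApp", "nbproject")
    bad.mkdir(parents=True)
    (bad / BUILD_IMPL).write_text(TAMPERED_BUILD_IMPL)
    # Placeholder bytes standing in for the dropped payload; not real malware.
    (bad / PAYLOAD_NAME).write_bytes(b"PK\x03\x04placeholder-payload")


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_netbeans_dir(tmp)


if __name__ == "__main__":
    for project, reason in demo():
        print("%s: %s" % (project, reason))
```

Run it against your NetBeans projects directory by calling scan_netbeans_dir on that path. A hit on build-impl.xml is worth diffing against the repo's history (`git diff` or `git log -p nbproject/build-impl.xml`) before regenerating it, since the file is supposed to be generated, not hand-edited. This check only covers the two markers named on this page; the later variants that spread through the built JAR artifacts themselves need the artifacts inspected as well.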
While querying repositories on the platform for infected projects, GitHub found four samples of the malware. One looked like the initial version: it was first submitted to VirusTotal in August 2018, was detected by a single anti-malware engine, and was designed to 'only spread through tainted repository cloning and building.'
The other three came with additional features and capabilities, including the ability to also 'spread when any of the resulting build artifacts are loaded and used.'
Supply chain attacks
Using Octopus Scanner, the attackers could target developers directly and gain access to highly sensitive information: the other projects those developers are working on, their production environments, database passwords, and other critical data.
Once such a developer commits backdoored code into their organization's repositories, the attackers could quickly pivot into critical systems inside that organization.
'It was interesting that this malware attacked the NetBeans build process specifically since it is not the most common Java IDE in use today,' the GitHub Security Lab researchers explain.
'If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed.'
Last month, the GitHub SIRT team also warned users of a phishing campaign that attempted to collect and steal their credentials using landing pages mimicking GitHub's login page.
After taking over accounts, the attackers would immediately download private repositories' contents, including 'those owned by organization accounts and other collaborators.'
On May 6, BleepingComputer reported that a threat actor known as Shiny Hunters had stolen and leaked hundreds of GBs of data after gaining access to Microsoft's private GitHub repos.