
Attackers Finding Novel Ways to Abuse GitHub: ReversingLabs – Source: securityboulevard.com


Source: securityboulevard.com – Author: Jeffrey Burt

Threat actors are finding new ways to take advantage of GitHub in hopes of tricking developers into putting malicious code into their software and sending it to users downstream, according to researchers with ReversingLabs.

Code repositories like GitHub and Python Package Index (PyPI) are popular targets for hackers who want to abuse the software supply chain to more easily and cheaply spread their malware while evading detection. In a report this week, Karlo Zanki, a reverse engineer at ReversingLabs, wrote that bad actors have gotten adept at using public services as command-and-control (C2) infrastructure, with the cybersecurity vendor seeing such efforts in various malware campaigns in recent years.

“Malware authors occasionally place their samples in services like Dropbox, Google Drive, OneDrive and Discord to host second stage malware and sidestep detection tools,” Zanki wrote. “However, the ReversingLabs threat research team has recently observed the increasing use of the GitHub open source development platform for hosting malware.”

Most recently, the researchers discovered two new methods being used to leverage GitHub for nefarious purposes, with the same threat actor likely behind both. The first involves abusing GitHub gists to host two-stage malicious payloads.

Bad Actors Abusing Gists

Gists are a simple way for developers to share snippets of code with one another, and they offer a number of features that make them attractive to cybercriminals. They can be public or secret, and unlike public gists, secret gists don’t appear in GitHub’s Discover feed. They’re not searchable by anyone but the author of the secret gist, and then only when the author is logged on.

But they aren’t private, so if a developer sends the URL of a secret gist to someone else, that person will be able to see it.

“Another nice characteristic of secret Gists is that they don’t end up being visible in the GitHub profile page of the author,” Zanki wrote. “From an attacker’s perspective, this makes them usable as a kind of a pastebin service which doesn’t raise much suspicion.”

ReversingLabs researchers found several PyPI packages – httprequesthub, pyhttpproxifier, libsock, libproxy, and libsocks5 – that appeared to be libraries for handling network proxying and contained a Base64-encoded string that seemed to have to do with telemetry data. However, the string actually held a URL that pointed to a secret gist.

“Malware authors used Base64 encoding to obfuscate the true purpose of this string and make it harder for security tools to detect it as suspicious,” he wrote. “Base64 encoding is often used to encode some binary data before it gets transferred over the network. Nevertheless, an experienced eye will quickly recognize that the first few characters of this concrete string get decoded to ‘http’ – almost surely the beginning of an URL, and therefore a red flag for a threat analyst.”

The malicious code was hidden in the setup.py file, which held the encoded URL; through that URL the code also fetches Base64-encoded Python commands, which are then executed in a new process.

Zanki added that “using Gists for delivery of malicious commands to infected machines isn’t a frequently seen technique,” though the ReversingLabs crew was able to track down a mention of a similar technique by Trend Micro in 2019.

Using Git Commit Messages

The other malware type involved fetching commands from git commit messages. The malware, found in the easyhttprequest PyPI package and – like the first example – hidden in the setup.py file, abused the version control system features. The malicious package uses a unique tactic for delivering commands.

Once it installs on a target’s system, “the malicious code from this package clones a specific git repository from GitHub and checks if the ‘head’ commit of this repository contains a commit message that starts with a specific string,” he wrote. “If it does, it strips that magic string and decodes the rest of the Base64 encoded commit message, executing it as a Python command in a new process.”

That said, the code in this instance isn’t executing any malicious actions. Zanki said it’s unclear whether this is a mistake or the malware’s creator did it on purpose.
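As an added defender-side example (not code from the ReversingLabs report or this article), a small Python scanner that applies the two heuristics described in the gist and commit-message sections above: string constants in a setup.py that Base64-decode to something starting with "http", and commit messages whose trailing Base64-looking token decodes to executable Python. The sample setup.py, the placeholder URL and the sample commit message are constructed here and are not indicators from the report.

```python
import ast
import base64
import binascii
import re

# Constructed sample inputs (placeholders, not indicators from the report).
PLACEHOLDER_URL = "https://example.invalid/gist/placeholder"
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    f'telemetry = "{base64.b64encode(PLACEHOLDER_URL.encode()).decode()}"\n'
    'setup(name="libsock", version="0.1", description="socket helpers")\n'
)
SAMPLE_COMMIT = "chore: " + base64.b64encode(b"print('hello from gist')").decode()

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def classify_blob(text: str) -> str:
    """Return 'url', 'python' or 'opaque' for a Base64 candidate, else 'not-b64'.

    'url' mirrors the analyst heuristic from the report (decoded bytes start
    with 'http'); 'python' covers the commit-message variant, where the
    decoded text itself is the command to run.
    """
    stripped = text.strip()
    if len(stripped) < 8 or len(stripped) % 4 or not B64_RE.match(stripped):
        return "not-b64"
    try:
        decoded = base64.b64decode(stripped, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "not-b64"
    if decoded.startswith("http"):
        return "url"
    try:
        tree = ast.parse(decoded)
    except SyntaxError:
        return "opaque"
    # A bare word like "hello" also parses; require a call or import.
    if any(isinstance(n, (ast.Call, ast.Import, ast.ImportFrom)) for n in ast.walk(tree)):
        return "python"
    return "opaque"

def scan_setup_py(source: str) -> list:
    """Return (line, verdict, decoded) for suspicious string constants in setup.py."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            verdict = classify_blob(node.value)
            if verdict in ("url", "python"):
                decoded = base64.b64decode(node.value.strip()).decode("utf-8")
                findings.append((node.lineno, verdict, decoded[:60]))
    return findings

def check_commit_message(message: str) -> str:
    """Classify the trailing Base64-looking token of a commit message (any 'magic' prefix is ignored)."""
    match = re.search(r"[A-Za-z0-9+/]+={0,2}$", message.strip())
    return classify_blob(match.group(0)) if match else "not-b64"
```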

Still, “based on an identical execution technique, similar abuse of uncommon GitHub features, and the impersonation of similar networking utilities – ReversingLabs researchers believe that the same malware author is likely behind both of these campaigns,” he wrote.

All of the malicious PyPI packages have been taken down, but Zanki wrote that he expects more hackers will find new ways to exploit GitHub for their nefarious purposes, adding that the author of the malware in these instances is still publishing new malware samples.

Software Supply Chain a Growing Target

The discovery of these novel malware types aimed at GitHub also serves as a reminder that developers must be aware of the risks that come with open-source software development, particularly as attackers increasingly target the supply chain.

The software supply chain has become a soft target for cybercriminals. The software being developed today includes large numbers of off-the-shelf and open-source components and organizations now are using such tools as software bills-of-materials (SBOMs) to push back.

But the threat is still there. In its annual State of the Software Supply Chain report released in October, Sonatype found that there had been twice as many software supply chain attacks – 245,032 malicious packages were discovered – in 2023 than in 2019 to 2022 combined, and that one in eight open-source downloads poses known and avoidable risks – 96% of vulnerable download releases had a fixed version available.

ReversingLabs’ Zanki wrote that, when looking at the threat to code repositories, “as attackers are becoming more skilled in their deployment of malware, it is essential that developers and application security teams are able to differentiate between malicious and legitimate packages on these platforms.”


Original Post URL: https://securityboulevard.com/2023/12/attackers-finding-novel-ways-to-abuse-github-reversinglabs/

Category & Tags: Cybersecurity, DevOps, Featured, Industry Spotlight, Malware, Network Security, News, Security Boulevard (Original), Social – Facebook, Social – LinkedIn, Social – X, Spotlight, Threats & Breaches, GitHub, PyPI malicious packages, SBOM, software supply chain attack
