Threat actors are increasingly using GitHub for malicious purposes through novel methods, including abusing secret gists and issuing malicious commands via git commit messages.
"Malware authors occasionally place their samples in services such as Dropbox, Google Drive, OneDrive, and Discord to host second-stage malware and evade detection tools," ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News.
"But recently, we've observed an increasing use of the GitHub open-source development platform to host malware."
Threat actors are known to use legitimate public services to host malware and to act as dead drop resolvers that hand the implant its actual command-and-control (C2) address.
While using public resources for C2 does not make that infrastructure immune to takedown, it does allow threat actors to easily stand up attack infrastructure that is both cheap and reliable.
This technique is sneaky because it allows threat actors to mix their malicious network traffic with real communication within the compromised network, which makes it challenging to detect and respond to threats in an effective manner. As a result, compromised endpoints that communicate with GitHub repositories are less likely to be flagged as suspicious.
The misuse of GitHub Gist is indicative of the evolution of this trend. The gist itself is nothing more than a repository that provides an easy way for developers to share snippets with others.
It's worth noting at this stage that public gists show up in GitHub's Discover feed, while secret gists are not reachable through Discover but can still be shared with others by handing out their URLs.
"However, if someone you don't know finds this URL, they'll also be able to see your gist," GitHub states in its documentation. "If you need to keep your ** out of prying eyes, you might want to create a private repository."
Another interesting aspect of secret gists is that they don't show up on the author's GitHub profile page, enabling threat actors to use them as a kind of paste service.
ReversingLabs said it found several PyPI packages, namely HttpRequestHub, PyhttpProxifier, LiBSock, LiBSoxi, and LiBSocks5, that masquerade as libraries for working with the web but contain a Base64-encoded URL pointing to a secret gist hosted in a throwaway GitHub account with no public-facing projects.
The gist, for its part, holds Base64-encoded commands that are parsed and executed in a new process by the malicious ** in the setup.py file of the fake packages.
Trend Micro had previously highlighted the use of secret gists in 2019 to send malicious commands to compromised hosts as part of a campaign to distribute a backdoor called SLUB (short for Slack and GitHub).
The second technique observed by the software supply chain security firm takes advantage of version control system features, relying on git commit messages to extract commands for execution on the system.
Zanki says that the PyPI package called EasyHttpRequest contains malicious code that "clones a specific Git repository from GitHub and checks whether the 'head' commit of that repository contains a commit message that starts with a specific string."
If so, it strips away this magic string and decodes the rest of the Base64-encoded commit message, executing it as a Python command in a new process. "The cloned GitHub repository is a branch of the PySocks project that looks legitimate, and it doesn't have any malicious git commit messages."
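Both delivery paths described above (a Base64-encoded gist URL inside setup.py, and a magic-prefixed Base64 commit message) leave artifacts a package or repository scanner can look for. The following is an added example, not code from the report or from the packages it describes; the sample setup.py, commit messages, gist URL and magic prefix are all constructed placeholders, and anything found is decoded for analysis, never executed.

```python
import base64
import re

# Constructed sample (not any real package): a setup.py whose Base64 literal hides
# the URL of a secret gist, the pattern the report describes.
HIDDEN_URL = "https://gist.githubusercontent.com/example-user/0123456789abcdef/raw"
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    f'_u = "{base64.b64encode(HIDDEN_URL.encode()).decode()}"\n'
    'setup(name="examplehttp", version="0.1")\n'
)
# Constructed commit messages; the magic prefix is a placeholder, since the real
# one is not given in the report.
SAMPLE_MAGIC = "##cmd## "
SAMPLE_COMMITS = [
    "Fix typo in README",
    SAMPLE_MAGIC + base64.b64encode(b"print('beacon')").decode(),
    "Bump version to 1.0.1",
]

B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
GIST_HOSTS = ("gist.github.com", "gist.githubusercontent.com")

def _b64_text(s: str):
    """Strictly decode Base64 to UTF-8 text; return None if it is not both."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def find_hidden_gist_urls(source: str) -> list:
    """Return decoded string literals in `source` that resolve to Gist URLs."""
    hits = []
    for m in B64_LITERAL.finditer(source):
        decoded = _b64_text(m.group(1))
        if decoded and decoded.startswith("http") and any(h in decoded for h in GIST_HOSTS):
            hits.append(decoded)
    return hits

def find_command_commits(messages, magic: str) -> list:
    """Return decoded bodies of commit messages that start with `magic` and carry Base64."""
    flagged = []
    for msg in messages:
        if msg.startswith(magic):
            decoded = _b64_text(msg[len(magic):].strip())
            if decoded is not None:
                flagged.append(decoded)
    return flagged
```

In practice the commit scan would be run over `git log --format=%B` output for the cloned repository, and the literal scan over every `.py` file in a package's sdist, not just setup.py.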
All fraudulent packages have now been removed from the Python Package Index (PyPI) repository.
"Using GitHub as a C2 infrastructure is nothing new in itself, but abusing features like Git Gist and commit messages for command delivery is a new approach used by malicious actors," says Zanki.