Malware Leveraging Public Infrastructure Like GitHub on the Rise

Cyber Threat Summary:
Researchers from ReversingLabs have observed an increase in threat actors using the GitHub open source development platform to host malware. The use of public services as command-and-control (C2) infrastructure isn’t a revolutionary technique for malicious actors, but the researchers highlight two novel techniques deployed on GitHub. The first abuses GitHub Gists, and the second issues commands through git commit messages.

According to the researchers, there are several reasons why a malware author would want to use public services for their C2 infrastructure. The first is that network communications between the infected host and a well-known service are less likely to raise suspicion. Second, standing up and running C2 infrastructure on a platform like GitHub is simpler than operating their own server. “By using public services, the attacker needs only to create an account to access the service, and then publish the desired content to their repository. It falls to the service itself to manage communications and ensure uptime and so on. This eliminates the time and money malware authors need to spend on the maintenance of their attack infrastructure.”

Security Officer Comments:
In their blog, the researchers describe two unique cases where threat actors are abusing GitHub features. The first one used GitHub Gists for hosting two-stage malicious payloads. Gists are a GitHub feature that provides a simple way to share code snippets with other developers, and they can be public or secret. A further characteristic of secret Gists is that they are not visible on the author’s GitHub profile page. From an attacker's perspective, this makes them usable as a kind of pastebin service that doesn’t raise much suspicion.

“In this incident, several PyPI packages presented themselves as libraries for handling network proxying, and contained a Base64 encoded string, allegedly related to telemetry data, but actually containing a URL, pointing to a secret Gist. Malware authors used Base64 encoding to obfuscate the true purpose of this string and make it harder for security tools to detect it as suspicious” (ReversingLabs, 2023).

The second technique abuses version control system features. In this case, malicious code was hidden in setup[.]py, and that code ultimately delivers commands to the infected host. Once the package is installed on the victim’s machine, its code clones a specific git repository. If the HEAD commit of this repository carries a commit message that starts with a specific string, the code strips that magic string, Base64-decodes the rest of the commit message, and executes the result as a Python command in a new process.
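As an added defensive example (not code from the report or from ReversingLabs), the Python below reproduces the two parsing steps described above, the Base64-wrapped Gist URL hidden in a package file and the magic-prefixed commit message, as an analyst check that decodes and reports rather than executes. The magic prefix, the sample commit message and the sample "telemetry" blob are constructed placeholders; the real marker and URL are not given on this page.

```python
import base64
import binascii
import re
import subprocess
from typing import Optional

# Constructed sample data (not from the report). The real magic string used
# by the malware is not published on this page, so a placeholder is assumed.
MAGIC_PREFIX = "telemetry:"
SAMPLE_COMMIT = MAGIC_PREFIX + base64.b64encode(b"print('hello from c2')").decode()
SAMPLE_BLOB = base64.b64encode(b"https://gist.github.com/example/0123456789abcdef").decode()

GIST_URL_RE = re.compile(r"https?://gist\.github(?:usercontent)?\.com/\S+", re.I)


def safe_b64decode(s: str) -> Optional[bytes]:
    """Strict Base64 decode; returns None when the text is not valid Base64."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def head_commit_message(repo_path: str) -> str:
    """Read the HEAD commit message of a local clone (needs git on PATH)."""
    return subprocess.run(["git", "-C", repo_path, "log", "-1", "--pretty=%B"],
                          capture_output=True, text=True, check=True).stdout


def decode_commit_command(message: str, magic: str = MAGIC_PREFIX) -> Optional[str]:
    """Mirror the malware's parsing step without running anything: if the
    message starts with the magic string, strip it and Base64-decode the rest.
    Returns the decoded text for analyst review, or None if it does not match."""
    if not message.startswith(magic):
        return None
    payload = safe_b64decode(message[len(magic):].strip())
    return payload.decode("utf-8", errors="replace") if payload else None


def find_hidden_gist_urls(text: str) -> list:
    """Scan file text for Base64 tokens whose decoded form is a Gist URL."""
    hits = []
    for token in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", text):
        decoded = safe_b64decode(token)
        if decoded:
            hits.extend(GIST_URL_RE.findall(decoded.decode("utf-8", errors="ignore")))
    return hits


if __name__ == "__main__":
    print("commit payload:", decode_commit_command(SAMPLE_COMMIT))
    print("gist urls:", find_hidden_gist_urls(f"TELEMETRY = '{SAMPLE_BLOB}'"))
```

Point `head_commit_message` at a repository cloned by a suspicious package and feed its output to `decode_commit_command`; run `find_hidden_gist_urls` over the package's setup and module files.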

Suggested Correction(s):
This is not the first time threat actors have used GitHub as C2 infrastructure, but abusing features like GitHub Gists is a novel approach not previously seen by the researchers. ReversingLabs says they have not previously observed malware using such methods of command delivery, nor are they aware of third-party reports documenting such activity.

Because both campaigns impersonated specific packages and similar networking utilities, ReversingLabs believes that the same malware author is behind both of them. GitHub does remove malicious packages as they are reported, but the researchers warn that threat actors will continue to leverage new techniques to bypass protections.

“Our discoveries of these novel attack methods serve as yet another reminder that developers must remain wary of the threats that lie within the open source ecosystem. As attackers are becoming more skilled in their deployment of malware, it is essential that developers and application security teams are able to differentiate between malicious and legitimate packages on these platforms. This is why software producers should utilize modern tooling that employs complex binary analysis, which provides comprehensive software supply chain security” (ReversingLabs, 2023).