Unheralded GitHub Features Underpin Innovative Hacker Command-and-Control Infrastructure


Researchers have recently uncovered a GitHub account exploiting two distinctive features of the platform to host stage-two malware.

Cybercriminals have increasingly been repurposing public services as their operational bases, housing malware within public code repositories or file-sharing services and executing command-and-control (C2) operations through messaging apps. In some instances, they demonstrate further ingenuity by utilizing software-as-a-service (SaaS) platforms in unconventional ways.

Adding to this trend is the actor identified as yeremyvalidslov2342, hereafter referred to as “Yeremy,” associated with multiple malicious packages identified by ReversingLabs on December 19. To clandestinely deliver payloads, Yeremy employed two hitherto unexploited GitHub features: “gists” and commits.

Innovative Exploitation of GitHub for Cyber Gains

Typically, cybercriminals misuse public code repositories by publishing malicious files through disposable accounts—a straightforward yet crude approach, as administrators promptly identify and dismantle such accounts upon detection.

Yeremy adopted a more intricate strategy, initially releasing a series of packages to the Python Package Index (PyPI), another repository frequently targeted by adversaries. These packages posed as legitimate libraries for network proxying. However, concealed within their setup files was a Base64-encoded string containing a URL that led to a secret GitHub “gist.”

Gists function as a lightweight version of Git repositories, enabling developers to store and share code snippets without creating entire projects. Gists can be public or “secret,” hidden from the wider public and unsearchable but still shareable with select individuals.

The covert gist embedded in the PyPI packages harbored stage-two malware. Notably, researchers found only one other instance of gists being used for similar purposes, documented in a 2019 Trend Micro report detailing a Slack backdoor.

Yeremy also had ties to another PyPI package featuring a malicious setup file. In this case, upon execution, the package cloned an existing, presumably legitimate, PySocks project from GitHub. However, the malware was not within the repository itself; rather, it was concealed within the commit message describing it.
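The two hiding places described above, a Base64-encoded gist URL inside a package's setup file and an opaque payload inside a commit message, can be caught with one defender-side scan over text. The following is an added example written for this article, not ReversingLabs' tooling; the samples are constructed, and the watched-host list and the 200-character blob threshold are assumptions to tune per environment.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Hosts the article names as stage-two hiding places (assumption: extend per environment).
WATCHED_HOSTS = {"gist.github.com", "gist.githubusercontent.com", "raw.githubusercontent.com"}
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
BLOB_MIN_LEN = 200  # non-URL runs at least this long are reported as opaque payload blobs

def _decode(token):
    """Decode a Base64 run, tolerating missing padding; None if it is not valid Base64."""
    try:
        return base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def scan_text(text):
    """Scan a setup.py body or a commit message for hidden Base64 content.
    Returns ("encoded_url", url) for runs decoding to an http(s) URL on a watched
    host, and ("opaque_blob", run_length) for long runs that are not URLs."""
    findings = []
    for match in BASE64_RUN.finditer(text):
        token = match.group(0)
        raw = _decode(token)
        if raw is None:
            continue
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            decoded = None
        if decoded and decoded.lower().startswith(("http://", "https://")):
            if (urlparse(decoded).hostname or "") in WATCHED_HOSTS:
                findings.append(("encoded_url", decoded))
        elif len(token) >= BLOB_MIN_LEN:
            findings.append(("opaque_blob", len(token)))
    return findings

# Constructed samples, not the packages or commits from the report.
GIST_URL = "https://gist.github.com/example-user/0123456789abcdef"
SETUP_PY_SAMPLE = ('from setuptools import setup\n_u = "'
                   + base64.b64encode(GIST_URL.encode()).decode()
                   + '"\nsetup(name="proxy-helper-example", version="0.0.1")\n')
COMMIT_MSG_SAMPLE = "Fix proxy handshake\n\n" + base64.b64encode(bytes(range(256)) + bytes(44)).decode()
BENIGN_SAMPLE = 'SHA256 = "' + "ab" * 32 + '"\n'  # hash-like run that decodes to non-text

if __name__ == "__main__":
    for sample in (SETUP_PY_SAMPLE, COMMIT_MSG_SAMPLE, BENIGN_SAMPLE):
        print(scan_text(sample))
```

Feed it the setup.py of a package before installing it, or the output of `git log --format=%B` for a cloned repository, to cover both channels the article describes.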

Leveraging Public Services for Hacking

While conducting cyberattacks from one’s infrastructure provides a degree of resiliency against account takedowns, utilizing shared and open-source resources offers the advantage of stealth.

“Some malware authors fear detection,” remarks Karlo Zanki, the author of the report. However, he adds that “if malicious code is properly obfuscated, public services aren’t adept at detecting it.”

Zanki notes the challenges faced by package repositories like npm and PyPI, which receive thousands of new packages every day, and emphasizes their limited capacity to monitor and analyze them. Although some repositories employ traditional antivirus solutions, malicious packages often elude these basic defenses. Consequently, users of these packages must assume the responsibility of safeguarding themselves.

Public software services present several advantages for malicious actors. Creating an account on a popular website is quicker, easier, and more cost-effective than establishing traditional infrastructure. Site maintenance and uptime are managed by the supporting company, ensuring reliability. Traffic to well-known sites arouses less suspicion compared to connections to unfamiliar servers in distant locations. Additionally, if a malicious account is deactivated, the perpetrator can easily create a new one.