Threat actors are increasingly using GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages.
“Malware authors occasionally place their samples in services like Dropbox, Google Drive, OneDrive, and Discord to host second stage malware and sidestep detection tools,” ReversingLabs researcher Karlo Zanki said in a report.
“But recently, we have seen increased use of the GitHub open-source development platform to host malware.”
It is known that legitimate public services are used by threat actors to host malware and act as dead drop resolvers to obtain the real command-and-control (C2) address.
Although the use of public sources for C2 does not make them immune from takedown, they do provide the advantage of allowing threat actors to easily build an attack infrastructure that is both cheap and reliable.
This technique is stealthy because it allows threat actors to mix their malicious network traffic with genuine communications within a compromised network, making it challenging to detect and respond to threats effectively. As a result, an infected endpoint communicating with a GitHub repository is less likely to be flagged as suspicious.
The misuse of GitHub points to the development of this trend. Gists, which are nothing more than repositories themselves, provide an easy way for developers to share code snippets with others.
It is worth noting at this stage that public abstracts appear in GitHub’s Discover feed, while secret abstracts, although not accessible through Discover, can be shared with others by sharing its URL.
“However, if someone you don’t know gets the URL, they will also be able to see your summary,” GitHub writes in its documentation. “If you want to keep your code away from the public eye, you may want to create a private repository instead.”
Another interesting aspect of secret citations is that they are not displayed on the author’s GitHub profile page, allowing threat actors to take advantage of them as some kind of pastebin service.
ReversingLabs said it identified several PyPI packages – namely, httprequesthub, pyhttpproxifier, libsock, libproxy, and libsocks5 – that masquerades as libraries for handling network proxying, but contained a Base64-encoded URL pointing to a secret gist hosted in a throwaway GitHub account without any public-facing projects.
On the other hand, the gist contains base64-encoded commands that are parsed and executed in a new process through malicious code present in the setup.py file of the fake packages.
The use of secret gist to deliver malicious commands to compromised hosts was first exposed by Trend Micro in 2019 as part of a campaign to distribute a backdoor called SLUB (short for SLack and gitUB).
The second technique spotted by the software supply chain security firm involves the exploitation of version control system features, relying on Git commit messages to extract commands for execution on the system.
The PyPI package, named easyhttprequest, contains malicious code that “clones a specific git repository from GitHub and checks whether the ‘head’ commit of this repository contains a commit message that begins with a specific string ,” Zanki said.
“If it does, it removes that magic string and decodes the remaining base64-encoded commit message, executing it as a Python command in a new process.” The cloned GitHub repository appears to be a fork of the legitimate PySocks project, and does not contain any malicious git commit messages.
All fraudulent packages have now been removed from the Python Package Index (PyPI) repository.
“Using GitHub as C2 infrastructure is not new in itself, but abuse of features like Git Gists and commit messages for command delivery are new approaches used by malicious actors,” Zanki said.
