Threat actors are increasingly finding new ways to exploit GitHub for malicious purposes, including abusing secret gists and issuing malicious commands via git commit messages.
“Malware authors occasionally place their samples in services such as Dropbox, Google Drive, OneDrive, and Discord to host second-stage malware and evasion detection tools,” ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News .”
“But recently, we have observed an increase in the use of the GitHub open source development platform to host malware.”
Legitimate public services are known to be used by threat actors to host malware and act as dead center resolvers to obtain actual command and control (C2) addresses.
From user to administrator: Learn how hackers gain total control
Learn the secret tactics hackers use to become administrators and how to detect and stop it before it’s too late. Register now for our webinar.
Join now
While using public resources for C2 does not make them immune to attacks, they do provide the benefit of allowing threat actors to easily create an attack infrastructure that is both cheap and reliable.
This technique is tricky because it allows threat actors to mix their malicious network traffic with real communications within a compromised network, making it difficult to effectively detect and respond to threats. Therefore, compromised endpoints communicating with GitHub repositories are less likely to be flagged as suspicious.
The misuse of GitHub gist shows how this trend is evolving. Gists themselves are a repository that provide developers with an easy way to share snippets of code with others.
It’s worth noting at this stage that public gist appears in GitHub’s Discover feed, while secret gist, although not accessible through Discover, can be shared with others via a shared URL.
“However, if someone you don’t know discovers the URL, they will also be able to see your gist,” GitHub notes in its documentation. “If you need to keep your code away from prying eyes, you may want to create a private repository.”
Another interesting aspect of the secret gist is that they do not appear in the author’s GitHub profile page, enabling threat actors to use them as some sort of Pastebin service.
ReversingLabs said it discovered several PyPI packages, namely httprequesthub, pyhttpproxifier, libsock, libproxy and libsocks5, that pretend to be libraries for handling network proxies but contain a Base64-encoded URL pointing to a server hosted in a disposable GitHub account. Secret points without any information. Projects for the public.
For its part, the gist is the use of Base64-encoded commands that are parsed and executed in a new process via malicious code present in the fake package’s setup.py file.
Trend Micro previously highlighted the use of secret gist in 2019 to send malicious commands to infected hosts as part of a campaign to distribute a backdoor known as SLUB (short for SLack and githUB).
The second technique observed by Software Supply Chain Security takes advantage of version control system capabilities and relies on git commit messages to extract the commands executed on the system.
According to Zanki, a PyPI package called easyhttprequest contains malicious code that “clones a specific git repository from GitHub and checks whether the ‘head’ commit of that repository contains a commit message starting with a specific string.”
“If it is, it strips the magic string and decodes the rest of the Base64-encoded commit message and executes it as a Python command in a new process.” The copied GitHub repository is a legitimate-looking PySocks project branch, and it doesn’t have any malicious git commit messages.
All scamware kits have now been removed from the Python Package Index (PyPI) repository.
“Using GitHub as C2 infrastructure is not new per se, but abusing features like Git Gists and commit messages for command delivery is a new approach used by malicious actors,” Zanki said.
