techleakszone 🔥 8 Visits

Diverse Opportunities: Two Collaborative GitHub Projects Spark Interest from Separate Developers

Diverse Opportunities: Two Collaborative GitHub Projects Spark Interest from Separate Developers

Emerging Malware Campaign Utilizes GitHub for Distribution

In a curious twist of events, two separate individuals reached out to inquire about dubious GitHub projects that appear to be spreading malware under the guise of legitimate patches. The first contact, referred to as “Tito,” sent a direct message regarding a comment on GitHub claiming to have found a patch for a project called “synara.” The second, identified as “Robert Z,” sent an email concerning a similar claim on a different GitHub project. This article delves deeper into the situation and reveals the alarming tactics being employed.

Unraveling the Campaign

Upon investigating these claims, it became apparent that a series of files showcasing different names have been circulating online, including:

  • hb_patch_v1112
  • registry_patch_v0.1.7
  • rep_fix_v1.zip
  • sodium_fix_v1
  • log_fix_patch

These files appear to have been posted by individuals creating accounts on GitHub, who then comment on open issues with assertions that they have located a “patch.” This activity, which seems likely to be automated, has a more sinister underlying motive; the so-called patch is actually malware.

Timeline of the Campaign

Initial observations suggest that this malware campaign began around July 7th, rapidly gaining traction through various GitHub platforms. The rapid dissemination of this malware demonstrates the effectiveness of the approach, leveraging GitHub's open-source community to reach potential victims.

Technical Examination of the Malware

Diving into the technical specifics, the malware in question is written in Go. Upon execution, the binary contacts a remote host, which resolves to the messaging platform Telegram. Incredibly, the description of the Telegram channel includes a link to a website where data is exfiltrated.

File Name Description
hb_patch_v1112 Claimed patch file
registry_patch_v0.1.7 Claimed patch for registry issues
rep_fix_v1.zip Zip file claiming to fix repository issues
sodium_fix_v1 Patch claiming to address Sodium related issues
log_fix_patch Patch for logging issues

Observations on a Dynamic Strategy

This strategy enables the threat actors to rapidly update their Telegram channel description if the website they have linked to is taken down. This functionality mimics a bootleg DNS resolver, providing flexibility to the attackers as they can quickly pivot in the face of countermeasures.

Identification of the Malware Variant

Based on YARA identifiers, the malware has been identified as “StealC,” suggesting it is part of a larger, possibly developing campaign. The integration of GitHub spam tactics combined with a makeshift DNS resolver on Telegram is an innovative, albeit malicious, approach for malware distribution.

Moreover, the deliberation of using Telegram as a command-and-control (C2) mechanism is striking; the platform's traditionally slower response to takedown requests could serve as a layer of insulation for the threat actors, allowing them to operate undetected for longer periods.

Conclusion

This unfolding situation highlights not only the ingenuity behind modern malware distribution methods but also the vulnerabilities inherent in established platforms like GitHub. As developers and users engage with open-source projects, they must remain vigilant, employing robust security practices to safeguard against such evolving threats. The collaboration between cybersecurity professionals is crucial in addressing and neutralizing these emerging risks, ensuring the integrity of the open-source ecosystem is maintained.



Yesterday two different people contacted me about two different projects on GitHub. "Tito" DMd me about someone making a comment on GitHub claiming to have a patch for "synara" (Image 1) "Robert Z" emailed about something similar on a different GitHub project (image 2). Interesting. Upon further investigation it turns out this exact file has been discovered online named: - hb_patch_v1112 - registry_patch_v0.1.7 - rep_fix_v1.zip - sodium_fix_v1 - log_fix_patch blah blah blah (image 3) Basically, someone is creating accounts on GitHub, going to open issues, and leaving a comment saying they've found a patch (it's likely automated, but whatever). The patch is malware. It appears this campaign began around July 7th (yesterday) and is making its rounds pretty quickly. When you look inside (hehe silly reference) it's a program written in Go. When the binary detonates it queries a remote host which resolves to ... Telegram. The Telegram channel description specifies a website. The website in the Telegram description is where the payload exfiltrates code too. They're doing it this way because they can quickly change the Telegram channel description if the website they specify is taken down. It's basically a bootleg DNS resolver (image 4). Anyway, this is StealC (based on YARA identifiers). This is (probably) a new malware campaign by someone using StealC. I like it. Very cool usage of GitHub spam combined with a bootleg ass DNS resolver on Telegram. It probably helps because I doubt Telegram is quick to take action with takedown requests. Yesterday two different people contacted me about two different projects on GitHub. "Tito" DMd me about someone making a comment on GitHub claiming to have a patch for "synara" (Image 1) "Robert Z" emailed about something similar on a different GitHub project (image 2). Interesting. Upon further investigation it turns out this exact file has been discovered online named: - hb_patch_v1112 - registry_patch_v0.1.7 - rep_fix_v1.zip - sodium_fix_v1 - log_fix_patch blah blah blah (image 3) Basically, someone is creating accounts on GitHub, going to open issues, and leaving a comment saying they've found a patch (it's likely automated, but whatever). The patch is malware. It appears this campaign began around July 7th (yesterday) and is making its rounds pretty quickly. When you look inside (hehe silly reference) it's a program written in Go. When the binary detonates it queries a remote host which resolves to ... Telegram. The Telegram channel description specifies a website. The website in the Telegram description is where the payload exfiltrates code too. They're doing it this way because they can quickly change the Telegram channel description if the website they specify is taken down. It's basically a bootleg DNS resolver (image 4). Anyway, this is StealC (based on YARA identifiers). This is (probably) a new malware campaign by someone using StealC. I like it. Very cool usage of GitHub spam combined with a bootleg ass DNS resolver on Telegram. It probably helps because I doubt Telegram is quick to take action with takedown requests.