techleakszone 🔥 10 Visits

Two Distinct GitHub Projects Spark Interest from Independent Contributors

Two Distinct GitHub Projects Spark Interest from Independent Contributors

Emerging Malware Campaign Exploits GitHub for Distribution

In a notable incident reported yesterday, two individuals independently reached out regarding suspicious activities on different GitHub projects. "Tito" contacted via direct message about a comment claiming to have a patch for "synara," while "Robert Z" shared similar concerns regarding another project. Both cases illuminate an alarming trend in cybersecurity—an emerging malware campaign utilizing GitHub as a distribution platform.

Anatomy of the Threat

A deeper investigation revealed that several files associated with this malware have surfaced online, all with distinct names, including:

  • hb_patch_v1112
  • registry_patch_v0.1.7
  • rep_fix_v1.zip
  • sodium_fix_v1
  • log_fix_patch

It appears that an individual or group is creating accounts on GitHub to engage in a seemingly benign activity—commenting on open issues with claims of having found a patch. However, upon further examination, these patches are revealed to be malicious in nature.

File Name Description
hb_patch_v1112 Potential malware file associated with the campaign
registry_patch_v0.1.7 Malicious patch for registry modifications
rep_fix_v1.zip Suspicious zip file containing potentially harmful code
sodium_fix_v1 Unknown patch likely linked to malware activities
log_fix_patch File suggested to be infectious

Timeline and Technical Insights

This campaign appears to have initiated around July 7, 2023, rapidly gaining traction and spreading through various channels. The malware itself is a program written in Go. When executed, the binary connects to a remote host linked to Telegram.

More critically, the Telegram channel associated with the malware features a description that specifies a website. The purpose of this website is to enable the payload to exfiltrate data. This methodology allows the perpetrators to adapt quickly; should the designated website be taken down, they can effortlessly alter the Telegram channel description to redirect to a new address. In essence, this creates a makeshift DNS resolver to facilitate their operations.

Identifying the Malware: StealC

According to YARA identifiers, this emerging threat is identified as "StealC," hinting at its intended functionality—stealing information. This adaptive strategy leveraging GitHub spam tactics along with a makeshift DNS resolver through Telegram showcases a novel approach in the realm of cybercrime. The use of Telegram as a hosting ground for command-and-control operations poses unique challenges; the platform is notoriously slow to respond to takedown requests, emboldening the attackers.

Conclusion

The rise of this malware campaign underscores the intricate ways malicious entities exploit legitimate platforms to infiltrate user systems. The integration of GitHub, typically a hub for software development and collaboration, in such nefarious activities marks a concerning trend for developers and security professionals alike. Staying vigilant and fostering collaboration among cybersecurity practitioners will be essential in mitigating threats like these in the future.



Yesterday two different people contacted me about two different projects on GitHub. "Tito" DMd me about someone making a comment on GitHub claiming to have a patch for "synara" (Image 1) "Robert Z" emailed about something similar on a different GitHub project (image 2). Interesting. Upon further investigation it turns out this exact file has been discovered online named: - hb_patch_v1112 - registry_patch_v0.1.7 - rep_fix_v1.zip - sodium_fix_v1 - log_fix_patch blah blah blah (image 3) Basically, someone is creating accounts on GitHub, going to open issues, and leaving a comment saying they've found a patch (it's likely automated, but whatever). The patch is malware. It appears this campaign began around July 7th (yesterday) and is making its rounds pretty quickly. When you look inside (hehe silly reference) it's a program written in Go. When the binary detonates it queries a remote host which resolves to ... Telegram. The Telegram channel description specifies a website. The website in the Telegram description is where the payload exfiltrates code too. They're doing it this way because they can quickly change the Telegram channel description if the website they specify is taken down. It's basically a bootleg DNS resolver (image 4). Anyway, this is StealC (based on YARA identifiers). This is (probably) a new malware campaign by someone using StealC. I like it. Very cool usage of GitHub spam combined with a bootleg ass DNS resolver on Telegram. It probably helps because I doubt Telegram is quick to take action with takedown requests. Yesterday two different people contacted me about two different projects on GitHub. "Tito" DMd me about someone making a comment on GitHub claiming to have a patch for "synara" (Image 1) "Robert Z" emailed about something similar on a different GitHub project (image 2). Interesting. Upon further investigation it turns out this exact file has been discovered online named: - hb_patch_v1112 - registry_patch_v0.1.7 - rep_fix_v1.zip - sodium_fix_v1 - log_fix_patch blah blah blah (image 3) Basically, someone is creating accounts on GitHub, going to open issues, and leaving a comment saying they've found a patch (it's likely automated, but whatever). The patch is malware. It appears this campaign began around July 7th (yesterday) and is making its rounds pretty quickly. When you look inside (hehe silly reference) it's a program written in Go. When the binary detonates it queries a remote host which resolves to ... Telegram. The Telegram channel description specifies a website. The website in the Telegram description is where the payload exfiltrates code too. They're doing it this way because they can quickly change the Telegram channel description if the website they specify is taken down. It's basically a bootleg DNS resolver (image 4). Anyway, this is StealC (based on YARA identifiers). This is (probably) a new malware campaign by someone using StealC. I like it. Very cool usage of GitHub spam combined with a bootleg ass DNS resolver on Telegram. It probably helps because I doubt Telegram is quick to take action with takedown requests.