Brother
The growing popularity of malicious methods was studied and disclosed by researchers.
Carlo Zanki, a cybersecurity expert at ReversingLabs, has discovered a new trend that many cybercriminals have been using lately. The essence of the trend is the malicious use of the GitHub platform to distribute malware.
In his report, Zanki noted that previously malware authors often hosted instances of their malware on platforms such as Dropbox, Google Drive, OneDrive, and Discord. But recently, there has been an increase in the use of GitHub as a direct host for malicious software.
Cybercriminals have always preferred public services for hosting and operating malware. Their use makes the malicious infrastructure difficult to disable, because no one will block Google Drive entirely, just to block the operation of some dangerous botnet.
Public services also allow attackers to mix their malicious network traffic with legitimate communications on a compromised network, which makes it even more difficult to detect threats and respond to them in a timely manner.
Thus, the abuse of the Gist code snippet storage service on GitHub indicates the evolution of this trend. What can be more convenient for a dark hacker than storing their malicious code in such mini-repositories and safely delivering it to a compromised host on demand?
ReversingLabs identified several packages on the PyPI platform — "httprequesthub", "pyhttpproxifier", "libsock", "libproxy" and "libsocks5" — that masquerade as proxy network processing libraries, but contain a Base64-encoded URL leading to a secret Gist hosted in a one-time GitHub account without public projects.
The researchers also found another method of exploiting GitHub, which is actively used by attackers. Here the functions of the version control system itself are involved: attackers rely on the Git commit messages in a repository's change history, from which the malware extracts commands and then executes them on the infected system.
The key point is that a malware hosted on an already compromised computer scans the commit history of a particular repository for specific messages. These commit messages contain hidden commands that are then extracted by the software and executed on the victim's computer.
Zanki points out that the mere use of GitHub as a C2 infrastructure is by no means a novelty, but the abuse of features such as Gists and Git commit represents innovative approaches that have been increasingly used by cybercriminals in recent times.
The use of popular and reliable platforms such as GitHub as an infrastructure for cybercrime is a very disturbing trend, demonstrating the ingenuity of attackers.
Although the services themselves are secure and reliable, cybercriminals constantly find various loopholes for introducing malicious code and C2 commands. This is a signal for both companies and users to take action — they need to be more vigilant and use modern threat protection tools.
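Added here as a defender's illustration, not code from ReversingLabs or from the post: a small Python scanner that flags the two signals the report describes, a Base64 literal in package source that decodes to a Gist URL, and a commit message that is nothing but a Base64 blob decoding to readable text. The sample source, the sample commit messages, the host list and the length thresholds are all constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Assumed host list: where a Gist-hosted payload would be fetched from.
SUSPECT_HOSTS = {"gist.github.com", "gist.githubusercontent.com",
                 "raw.githubusercontent.com"}
# Assumed minimum length for a Base64 token worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _b64_text(token):
    """Decoded text if token is valid Base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def hidden_gist_urls(source):
    """Base64 literals in package source that decode to a URL on a suspect host."""
    hits = []
    for match in B64_TOKEN.finditer(source):
        decoded = _b64_text(match.group(0))
        if decoded and decoded.startswith(("http://", "https://")):
            if urlparse(decoded).hostname in SUSPECT_HOSTS:
                hits.append(decoded)
    return hits


def encoded_commit_messages(messages):
    """(message, decoded) pairs for commit messages that are only a Base64 blob."""
    flagged = []
    for msg in messages:
        token = msg.strip()
        decoded = _b64_text(token) if B64_TOKEN.fullmatch(token) else None
        if decoded:
            flagged.append((msg, decoded))
    return flagged


# Constructed sample: a stand-in package module carrying an encoded Gist URL.
SAMPLE_URL = "https://gist.github.com/example-user/0123456789abcdef"
SAMPLE_SOURCE = ("import base64\n"
                 f'_endpoint = "{base64.b64encode(SAMPLE_URL.encode()).decode()}"\n')
# Constructed commit history: one normal message, one Base64-only message.
SAMPLE_COMMITS = ["Fix typo in README",
                  base64.b64encode(b"echo constructed-command").decode()]
```

Run against real inputs, the same functions take a package file's text and the output of `git log --format=%s`; the regex length threshold is a tuning knob, not a guarantee.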