Thousands of GitHub Repositories Exploit Vulnerabilities

A team of researchers from the Leiden Institute of Applied Mathematics and Computing Sciences discovered thousands of GitHub repositories offering fake PoC exploits, some of them containing malware.

Researchers use GitHub to share their proof-of-concept (PoC) exploits so others can verify them.

What Vulnerabilities Were Found

Nearly 48,000 repositories advertising exploits for vulnerabilities disclosed from 2017 through 2021 were examined. To identify the malicious ones, the researchers applied at least one of these methods to each repository: IP address analysis (examining the IP addresses contacted by the code) and binary analysis (checking the binaries for malware using VirusTotal).

Researchers found 150,734 unique Internet Protocol addresses (IPs), 2,864 of which were blocked by at least one antivirus program, and 1,522 of these IPs were detected as malicious in an analysis using VirusTotal. Out of these 1,522 malicious IPs, 1,069 appeared in the AbuseIPDB dataset. The full report is shown here.

The research team shared several examples of malicious code with us, but they were just a few out of hundreds of others still active and not yet removed from GitHub.

After analyzing several of these attacks, the researchers discovered various kinds of malware and malicious scripts, including remote access Trojans (RATs), Cobalt Strike, and others.

GitHub Malware Examples

One interesting example is a fake PoC for BlueKeep (CVE-2019-0708) that fetches a VBS script from Pastebin.

The Trojan is called the Houdini Ransomware Attack Toolkit (HRAttK). It’s an old JavaScript-based ransomware toolkit that allows for remote command execution via the Command Prompt.

Another example is a fake proof-of-concept (PoC) that stole system information, IP addresses, and browser user agents.

A PowerShell PoC contains a malicious binary embedded in base64 form. A Python PoC includes a one-line script that decodes a base64-encoded payload flagged as malicious on VirusTotal.

A fake BlueKeep PoC contains an executable that most antivirus programs detect as malicious and that has been used in targeted attacks against organizations in the past.

A script hidden inside a proof-of-concept (PoC) with no active malicious components could potentially be harmful if its author wants it to be.

How to Stay Safe from a GitHub Repositories Exploit

You shouldn’t blindly trust a GitHub repo from an unknown source. If you’re going to use something, you must check it out first.

Testers should be careful when downloading and running PoCs. They should perform as many checks as possible before execution.

Make sure you read the code you’re going to run on your or someone else’s computer before running it.
If the code is obfuscated and would take too long to analyze manually, run it in an isolated sandbox environment and monitor the network for any suspicious traffic it generates.
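The pre-execution checks recommended above, and the base64-embedded binaries described in the examples section, can be partly automated. The following script is an added example and is not the researchers' tooling: it reads a downloaded PoC as text, extracts hard-coded IPv4 addresses and URLs for review, compares the addresses against a local blocklist (a constructed stand-in for AbuseIPDB or a VirusTotal lookup), and decodes any long base64 runs to see whether they hide a PE ("MZ") or ELF executable. The blocklist entry, the sample PoC text and the placeholder URL are all constructed for this example.

```python
"""Static pre-execution triage of a downloaded PoC script (added example).

Not the Leiden researchers' tooling: a lightweight, offline version of two of
the checks named in the article, hard-coded IP review and embedded-binary
detection, plus a URL listing for manual review.
"""
import base64
import binascii
import re
from typing import Dict, List

# Constructed blocklist for this example; in practice feed it from your own
# threat-intelligence sources (AbuseIPDB, VirusTotal, internal denylists).
BLOCKLIST = {"203.0.113.45"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
# Runs of 40+ base64 alphabet characters with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Magic bytes of Windows PE and Linux ELF executables.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def _valid_ipv4(addr: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def find_ips(text: str) -> List[str]:
    """Return the distinct, syntactically valid IPv4 literals in the text."""
    return sorted({ip for ip in IPV4_RE.findall(text) if _valid_ipv4(ip)})


def find_urls(text: str) -> List[str]:
    """Return the distinct http(s) URLs in the text for manual review."""
    return sorted(set(URL_RE.findall(text)))


def find_embedded_executables(text: str) -> List[str]:
    """Decode long base64 runs and report those whose bytes start with
    executable magic. Returns a truncated prefix of each offending blob."""
    hits = []
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a long identifier or hex string)
        if decoded.startswith(EXECUTABLE_MAGIC):
            hits.append(blob[:16] + "...")
    return hits


def triage(text: str) -> Dict[str, object]:
    """Summarize indicators found in a PoC. 'suspicious' means a blocklisted
    address or an embedded executable was found; 'review' means only
    indicators needing a human look (IPs, URLs) or nothing at all."""
    ips = find_ips(text)
    blocklisted = [ip for ip in ips if ip in BLOCKLIST]
    executables = find_embedded_executables(text)
    urls = find_urls(text)
    verdict = "suspicious" if (blocklisted or executables) else "review"
    return {
        "ips": ips,
        "blocklisted": blocklisted,
        "urls": urls,
        "embedded_executables": executables,
        "verdict": verdict,
    }


# Constructed sample inputs. FAKE_PE is a stand-in for a PE file: the "MZ"
# header followed by filler bytes, not a real binary.
FAKE_PE = base64.b64encode(b"MZ" + b"\x90" * 62).decode()
SAMPLE_POC = f"""
# "PoC" for CVE-XXXX-XXXX (constructed sample, placeholder identifiers)
import base64
payload = base64.b64decode("{FAKE_PE}")
C2 = "http://203.0.113.45/stage2"
SCRIPT = "https://pastebin.example/raw/PLACEHOLDER"
"""
CLEAN_POC = "import socket\ns = socket.create_connection(('10.0.0.5', 3389))\n"

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_POC), ("clean", CLEAN_POC)):
        print(name, triage(text))
```

The script is deliberately static: it never executes the PoC, so it is safe to run on the host before anything goes into a sandbox. A "review" verdict is not a clean bill of health; it only means the two automated checks found nothing, and the listed IPs and URLs still need a look, ideally alongside a VirusTotal scan of any binaries in the repository.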

The team analyzed binaries using open-source intelligence tools such as VirusTotal. The researchers reported all the malicious repositories they found to GitHub. However, it may take months before they are entirely removed from GitHub.
