Malware Download |TOP| Github

On March 9, we received a message from a security researcher informing us about a set of GitHub-hosted repositories that were, presumably unintentionally, actively serving malware. After a deep-dive analysis of the malware itself, we uncovered something that we had not seen before on our platform: malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself.

SIRT routinely receives and triages reports of bad actors abusing GitHub repositories to actively host malware or attempting to use the GitHub platform as part of a command and control (C2) infrastructure. But this report was different. The owners of the repositories were completely unaware that they were committing backdoored code into their repositories.

Malware Download Github

DOWNLOAD 🔥 https://shoxet.com/2y5HtJ 🔥

The malware is capable of identifying the NetBeans project files and embedding malicious payload both in project files and build JAR files. Below is a high -evel description of the Octopus Scanner operation:

We started our analysis with a sample of the Octopus Scanner malware, without taking into account any initial infection vectors. As we can see in the VirusTotal dashboard, this malware has a low detection rate of 4 out of 60, so it could easily go unnoticed.

This auto starts the second stage payload for any desktop session for that user. The malware uses the file system separator to decide how to proceed. Note that it treats Linux and MacOS in the same way, but the infection only works on Linux systems.

The sample we are analyzing belongs to version 3.2.01 of this malware. The versioning scheme is an indication that this malware was developed in a structured way. When we take a closer look we can see that it will run the octopus.OctopusScanner.main() method, which will perform the following actions:

A NetBeans project build consists of multiple steps but the Octopus Scanner malware is only interested in the pre-jar and post-jar tasks. The pre-jar tasks provide hooks into the build at the point where all Java classes are compiled but before they are zipped into a final JAR artifact. The post-jar tasks provide hooks into the build at the point the JAR has actually been created.

At this point in the infection chain, the malware was able to infect both the build artifacts as well as any project dependencies, but it did not drop any files to persist in the underlying system yet.

The actual system infection process will be carried out by cache.dat. As with biologic viruses, most malware attempts to spread as broadly as possible. Infecting systems that were already infected would be moot. Infecting build artifacts is a means to infect more hosts since the infected project will most likely get built by other systems and the build artifacts will probably be loaded and executed on other systems as well.

Since our malware sample uses a hardcoded name for the first stage dropper (cache.dat) and because it is always placed in a static location (/nbproject), we were able to query GitHub repositories for any infected projects for the known variants of the malware. By doing so we were able to harvest four different samples of this malware:

This was probably one of the earliest, if not the first, version of the malware since this version does not infect the classes in the JAR file being built. Instead, it infects the system directly. Therefore this version will only spread through tainted repository cloning and building, while the other samples will also spread when any of the resulting build artifacts are loaded and used. Therefore, for this particular version, the malware was not backdooring the build classes and the diagram is slightly different:

This version is practically identical to bcb745a7dae7c5f85d07b7e9c19d030a and likely a minor release to reduce hash-based detection. By making minor changes in the build artifacts of a malware, the authors can throw off the hash-based detection that many AV engines and EDR solutions rely on.

Being able to access this decrypted data will give us a good idea of what the malware is actually doing. In order to get to this data right after it gets decrypted, we used a Java instrumentation agent that modifies the Bytecode of the class responsible for decrypting the blob (b.b) right before it actually gets loaded into the JVM.

While we have seen many cases where the software supply chain was compromised by hijacking developer credentials or typosquatting popular package names, a malware that abuses the build process and its resulting artifacts to spread is both interesting and concerning for multiple reasons.

In an OSS context, it gives the malware an effective means of transmission since the affected projects will presumably get cloned, forked, and used on potentially many different systems. The actual artifacts of these builds may spread even further in a way that is disconnected from the original build process and harder to track down after the fact.

It was interesting that this malware attacked the NetBeans build process specifically since it is not the most common Java IDE in use today. If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed.

After this discovery, Falcon Complete analysts examined similar activity across a number of customers to see if they could identify other attempts to install this malicious software. They found an interesting instance where the hijacked GitHub download chain was not a factor; instead a user had simply downloaded the malicious file through the shared fake malicious GitHub link and then downloaded the fake NetSupport binary. This was interesting because it was likely the result of an unsuspecting admin sharing malware thinking it was a legitimate admin tool. (See Figure 5.)

After identifying the source of the malicious software, Falcon Complete analysts turned their attention to how the malware was ending up in legitimate GitHub repositories. They reviewed the wiki of the trusted repository involved in the original detection, which revealed numerous successful attempts by new GitHub accounts to edit the wiki (see Figure 6).

Closer inspection revealed that a malicious actor had been able to edit the wiki to point to malware by changing the main download link. This confirmed that this actor was changing one of the main download links from the GitHub wiki to point to malware, which then redirects to an associated GitHub account to download the fake installer. (See Figure 7.)

The only infrastructure this threat actor was managing was likely the NetSupport Manager servers. But eventually the threat actor started hosting malware directly on GitHub instead of having to go through the NetSupport remote admin tool. Falcon Complete also saw instances of different types of malware, namely Grind3wald and Raccoon Stealer, being hosted on these same GitHub repositories.

Figure 15 highlights the basic flow of this attack, in which the threat actor uses the weakness in GitHub wiki permissions to introduce numerous different types of malware to unsuspecting users (often administrators) as they download their legitimate tools through GitHub.

Hey!! I'm just here to make people on here aware that there is a particular user that goes by the name NightfallGT who publishes harmful malware on the platform. I'm purely here to make people aware.

If your code depends on a package with a security vulnerability, this can cause a range of problems for your project or the people who use it. You should upgrade to a secure version of the package as soon as possible. If your code uses malware, you need to replace the package with a secure alternative.

Additionally, GitHub can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would reduce the security of your project. This allows you to spot and deal with vulnerable dependencies or malware before, rather than after, they reach your codebase. For more information, see "Reviewing dependency changes in a pull request."

GitHub detects vulnerable dependencies and malware in public repositories and displays the dependency graph, but does not generate Dependabot alerts by default. Repository owners or people with admin access can enable Dependabot alerts for public repositories. Owners of private repositories, or people with admin access, can enable Dependabot alerts by enabling the dependency graph and Dependabot alerts for their repositories.

When GitHub identifies a vulnerable dependency or malware, we generate a Dependabot alert and display it on the Security tab for the repository and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version.

Note: GitHub's security features do not claim to catch all vulnerabilities and malware. We actively maintain GitHub Advisory Database and generate alerts with the most up-to-date information. However, we cannot catch everything or tell you about known vulnerabilities within a guaranteed time frame. These features are not substitutes for human review of each dependency for potential vulnerabilities or any other issues, and we recommend consulting with a security service or conducting a thorough dependency review when necessary.

I have googled and searched on stack overflow but have found no clear answer to this. What steps do sites like github and bitbucket take to ensure that public repositories are safe and free of malware? It has only just occurred to me how blindly I will follow online tutorials/guides and run git clone commands from sources I do not know or understand.

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic. Let's see an example: 17dc91bb1f