Posted on October 24, 2022 at 6:16 PM
Malware leads to thousands of GitHub repositories delivering fake PoC exploits
Researchers from the Leiden Institute of Advanced Computer Science have uncovered thousands of GitHub repositories that deliver fake proof-of-concept (PoC) exploits. The exploits are attributed to several vulnerabilities, such as malware.
Thousands of GitHub repositories deliver fake PoC exploits
GitHub is one of the leading code hosting platforms globally. Researchers use the platform to publish PoC exploits that assist cybersecurity researchers in verifying patches for vulnerabilities or assessing the vulnerability’s extent and nature.
A technical report from the researchers at the institute also pointed to the possibility of the malware infecting victim devices. The possibility of being infected with the malware compared to getting a PoC was as high as 10.3%, without taking into account prankware and the fakes that have been verified.
In the analysis, the researchers assessed more than 47,300 repositories marketing an exploit for a bug detected between 2017 and 2021. The researchers analyzed these repositories using three different mechanisms.
One of these mechanisms is an analysis of the IP address. The researchers compared the publisher IP of the publisher, the public blocklists, VT and AbuseIPDB. The other mechanism was a binary analysis. In this analysis, the researchers conducted VirusTotal checks on the executables and their hashes.
Lastly, the researchers deployed hexadecimal and base64 analysis. This mechanism involved the researchers decrypting the hidden files before completing the binary and IP checks.
The researchers extracted 150,734 IPs. Out of this number, 2,864 matched the entries for the blocklist, while 1,522 were categorized as malicious through antivirus scans performed using Virus Total. 1,069 of the extracted IPs were also found within the AbuseIPDB database.
The performed binary analysis also analyzed 6,160 executables, which showed that 2,164 malicious samples were hosted within the 1,398 repositories. 4,893 repositories out of the 47,313 GitHub repositories tested were seen to be malicious. The majority of these repositories involved vulnerabilities that date back to 2020.
The report has also indicated a small number of repositories containing fake PoCs deployed the malware. Nevertheless, around 60 other cases of fake repositories are still active, and GitHub is currently removing them.
A close look into some cases revealed harmful scripts and other types of malware. The threats included remote access trojans and Cobalt Strike. One of the interesting cases that the researchers have pointed to is a PoC for the CVE-2019-0708 vulnerability. This bug is known as “BlueKeep” and features a base64-obfuscated Python script that gets a VBScript from Pastebin.
The script in question is known as the Houdini RAT. It is an old trojan based on JavaScript. It uses the Windows CMD to run a remote command execution. In one of the cases, the researchers detected a fake PoC that stole system information, IP address, and user agent.
This PoC was initially created as a security experiment conducted by another researcher. When the researchers detected that the PoC contained the automated tool, it proved they were using the right approach.
How GitHub users can remain safe
The content promoted on GitHub is not moderated. Therefore, it is not advisable that users blindly trust a repository on GitHub that originates from an unverified source. Therefore, it is upon the user to review the content before they can use it.
People who test software have been advised to carefully scrutinize the PoCs they download and conduct many checks before executing these tests. One of the security researchers involved in the study, El Yadmani Soufian, said that all the testers needed to follow three crucial steps.
One of these steps is to review the code they plan to run carefully on one’s or customer’s networks. If this code is hidden and needs a lot of time to analyze manually, one can use it in a regulated environment while checking the network for any suspicious activity.
Thirdly, it is also advisable that users deploy open-source intelligence tools such as VirusTotal that will be used to analyze binaries. The researchers have reported the malicious GitHub repositories. However, it will take time before all these repositories are reviewed and removed from the platform. Many of these repositories are still available to the public.
Soufian has said that the study’s objective is to not just be a one-time on GitHub, but it can also be used as a trigger to support the development of an automated solution that could be used to detect malicious instructions within the uploaded code.
