A now-removed GitHub repository that marketed a WordPress software to publish posts to the web content material administration system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials.
The malicious exercise is a part of a broader assault marketing campaign undertaken by a menace actor, dubbed MUT-1244 (the place MUT refers to “mysterious unattributed threat”) by Datadog Safety Labs, that entails phishing and several other trojanized GitHub repositories internet hosting proof-of-concept (PoC) code for exploiting identified safety flaws.
“Victims are believed to be offensive actors – including pentesters and security researchers, as well as malicious threat actors – and had sensitive data such as SSH private keys and AWS access keys exfiltrated,” researchers Christophe Tafani-Dereeper, Matt Muir, and Adrian Korn stated in an evaluation shared with The Hacker Information.
It is no shock that safety researchers have been a sexy goal for menace actors, together with nation-state teams from North Korea, as compromising their methods might yield details about potential exploits associated to undisclosed safety flaws they might be engaged on, which might then be leveraged to stage additional assaults.
In recent times, there has emerged a pattern the place attackers try and capitalize on vulnerability disclosures to create GitHub repositories utilizing phony profiles that declare to host PoCs for the failings however really are engineered to conduct knowledge theft and even demand cost in trade for the exploit.
The campaigns undertaken by MUT-1244 not solely contain making use of trojanized GitHub repositories but additionally phishing emails, each of which act as a conduit to ship a second-stage payload able to dropping a cryptocurrency miner, in addition to stealing system data, personal SSH keys, atmosphere variables, and contents related to particular folders (e.g., ~/.aws) to File.io.
One such repository was “github[.]com/hpc20235/yawpp,” which claimed to be “Yet Another WordPress Poster.” Previous to its takedown by GitHub, it contained two scripts: One to validate WordPress credentials and one other to create posts utilizing the XML-RPC API.
However the software additionally harbored malicious code within the type of a rogue npm dependency, a package deal named @0xengine/xmlrpc that deployed the identical malware. It was initially printed to npm in October 2023 as a JavaScript-based XML-RPC server and shopper for Node.js. The library is now not accessible for obtain.
It is value noting that cybersecurity agency Checkmarx revealed final month that the npm package deal remained energetic for over a 12 months, attracting about 1,790 downloads.
The yawpp GitHub challenge is claimed to have enabled the exfiltration of over 390,000 credentials, seemingly for WordPress accounts, to an attacker-controlled Dropbox account by compromising unrelated menace actors who had entry to those credentials by means of illicit means.
One other technique used to ship the payload entails sending phishing emails to teachers by which they’re tricked into visiting hyperlinks that instruct them to launch the terminal and copy-paste a shell command to carry out a supposed kernel improve. The invention marks the primary time a ClickFix-style assault has been documented towards Linux methods.
“The second initial access vector that MUT-1244 utilizes is a set of malicious GitHub users publishing fake proof-of-concepts for CVEs,” the researchers defined. “Most of them were created in October or November [2024], have no legitimate activity, and have an AI-generated profile picture.”
A few of these bogus PoC repositories have been beforehand highlighted by Alex Kaganovich, Colgate-Palmolive’s world head of offensive safety purple staff, in mid-October 2024. However in an attention-grabbing twist, the second-stage malware is thru 4 other ways –
- Backdoored configure compilation file
- Malicious payload embedded in a PDF file
- Utilizing a Python dropper
- Inclusion of a malicious npm package deal “0xengine/meow”
“MUT-1244 was able to compromise the system of dozens of victims, mostly red teamers, security researchers, and anyone with an interest in downloading PoC exploit code,” the researchers stated. “This allowed MUT-1244 to gain access to sensitive information, including private SSH keys, AWS credentials, and command history.”
