A intelligent risk marketing campaign is abusing GitHub repositories to distribute malware focusing on customers who frequent an open supply venture repository or are subscribed to e-mail notifications from it.
A malicious GitHub consumer opens a brand new “issue” on an open supply repository falsely claiming that the venture incorporates a “security vulnerability” and urges others to go to a counterfeit “GitHub Scanner” area. The area in query, nevertheless, will not be related to GitHub and tips customers into putting in Home windows malware.
To make issues much more attention-grabbing, customers and contributors to such repositories obtain these “IMPORTANT!” e-mail alerts from professional GitHub servers every time a risk actor information a brand new difficulty on a repository, making this phishing marketing campaign appear extra convincing.
Bogus “security vulnerability” e-mail alerts
GitHub customers have been receiving e-mail notifications this week urging them to deal with a bogus “security vulnerability” in a venture repo that they’ve contributed to, or are in any other case subscribed to.
Customers are suggested to go to “github-scanner[.]com” to study extra in regards to the alleged safety difficulty.
To make the lure extra convincing, the e-mail originates from professional GitHub e-mail tackle, notifications@github.com, and is signed “Best regards, Github Security Team” within the message physique.
![Intelligent 'GitHub Scanner' marketing campaign abusing repos to push malware 1 GitHub email notifications alerting to bogus security vulnerabiltiy](https://www.bleepstatic.com/images/news/u/1164866/2024/Sep/github-scanner/email-min.jpg)
(Cody Nash)
The area, github-scanner[.]com will not be affiliated with GitHub and is getting used to ship malware to guests.
Upon visiting the area, customers are greeted with a false captcha prompting them to “verify you are human.”
![Intelligent 'GitHub Scanner' marketing campaign abusing repos to push malware 2 fake captcha](https://www.bleepstatic.com/images/news/u/1164866/2024/Sep/github-scanner/domain.jpg)
(BleepingComputer)
As quickly a consumer faucets “I’m not a robot,” JavaScript code within the background copies malicious code to their clipboard.
A subsequent display screen prompts the consumer to execute the Home windows Run command (by urgent the Home windows+R key mixture) and pasting (Ctrl+V) the contents within the “Run” utility immediate.
![Intelligent 'GitHub Scanner' marketing campaign abusing repos to push malware 3 Captcha asks users to copy paste text](https://www.bleepstatic.com/images/news/u/1164866/2024/Sep/github-scanner/clipboard.jpg)
The behind-the-scenes JavaScript code, proven beneath, is fetching one other file obtain.txt, additionally hosted on github-scanner[.]com. The file incorporates PowerShell directions to obtain a ‘l6E.exe’ Home windows executable from the identical area, put it aside as “SysSetup.exe” in a brief listing, and execute it.
![Intelligent 'GitHub Scanner' marketing campaign abusing repos to push malware 4 Malicious JavaScript code](https://www.bleepstatic.com/images/news/u/1164866/2024/Sep/github-scanner/code.jpg)
(BleepingComputer)
As recognized by a number of antivirus engines by now, this ‘l6E.exe’ [VirusTotal analysis] is a trojan and comes outfitted with anti-detection and persistence capabiliteis.
BleepingComputer noticed that the executable makes an attempt to contact a number of suspicious domains, most of that are down on the time of writing:
eemmbryequo.store
keennylrwmqlw.store
licenseodqwmqn.store
reggwardssdqw.store
relaxatinownio.store
tendencctywop.store
tesecuuweqo.store
tryyudjasudqo.store
Triggered by GitHub ‘Points’
As to how these e-mail notifications are being triggered? The key to that’s GitHub “Issues” function which is being abused by risk actors to flood open supply repositories and push this marketing campaign.
Menace actors create pseudonomous GitHub consumer accounts and use these to open a brand new “Issue” on an open supply venture main others to go to the counterfeit GitHub Scanner area.
![Intelligent 'GitHub Scanner' marketing campaign abusing repos to push malware 5 GitHub issues filed on multiple repositories](https://www.bleepstatic.com/images/news/u/1164866/2024/Sep/github-scanner/gh-issue.jpg)
The contents of this Challenge shall be circulated as e-mail alerts, from official GitHub servers, to those that have subscribed to the open supply repository in query.
Customers ought to chorus from opening hyperlinks and attachment in such emails and report the corresponding “issues” to GitHub for investigation.
This incident demonstrates yet another manner by which vastly fashionable platforms like GitHub might be abused by nefarious customers.
April this 12 months, a complicated marketing campaign abused GitHub feedback to push malware by way of URLs that gave the impression to be related to Microsoft’s official repository.
Because of Cody Nash for the tip off.