A place to cache linked articles (think custom and personal wayback machine)

title: GitHub comments abused to push malware via Microsoft repo URLs
url: https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-malware-via-microsoft-repo-urls/
hash_url: 81659ceed4b37a8c94095c3b743fe13a
archive_date: 2024-04-22
og_image: https://www.bleepstatic.com/content/hl-images/2021/05/10/GitHub-headpic.jpg
description: A GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with a Microsoft repository, making the files appear trustworthy.
favicon: https://www.bleepstatic.com/favicon/bleeping.ico
language: en_us
<p><img alt="GitHub" src="https://www.bleepstatic.com/content/hl-images/2021/05/10/GitHub-headpic.jpg"></p>
<p>A GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy.</p>
<p>While most of the malware activity has been based around the Microsoft GitHub URLs, this "flaw" could be abused with any public repository on GitHub, allowing threat actors to create very convincing lures.</p>
<h2>Abusing GitHub's file upload feature</h2>
<p>Yesterday, McAfee released a report on a <a href="https://www.bleepingcomputer.com/news/security/fake-cheat-lures-gamers-into-spreading-infostealer-malware/" target="_blank">new LUA malware loader</a> distributed through what appeared to be legitimate Microsoft GitHub repositories for the "C++ Library Manager for Windows, Linux, and MacOS," known as <a href="https://github.com/microsoft/vcpkg" target="_blank" rel="nofollow noopener">vcpkg</a>, and the <a href="https://github.com/microsoft/STL" target="_blank" rel="nofollow noopener">STL library</a>.</p>
<p>The URLs for the malware installers, shown below, clearly indicate that they belong to the Microsoft repo, but we could not find any reference to the files in the project's source code.</p>
<pre>
<code>https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip
</code></pre>
<p>Finding it strange that a Microsoft repo would be <a href="http://urlhaus.abuse.ch/url/2760438/" target="_blank" rel="nofollow noopener">distributing malware since February</a>, BleepingComputer looked into it and found that the files are not part of <em>vcpkg</em> but were uploaded as part of a comment left on a commit or issue in the project.</p>
<p>When leaving a comment, a GitHub user can attach a file (archives, documents, etc.), which will be uploaded to GitHub's CDN and associated with the related project using a unique URL in this format: '<em>https://www.github.com/{project_user}/{repo_name}/files/{file_id}/{file_name}</em>'.</p>
<p>For videos and images, the files will be stored under the <code>/assets/</code> path instead.</p>
<p>Instead of generating the URL after a comment is posted, GitHub automatically generates the download link as soon as you add the file to an unsaved comment, as shown below. This allows threat actors to attach their malware to any repository without the repository's owners knowing.</p>
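<p>As an added example (not BleepingComputer's or GitHub's code), the classifier below separates the comment-attachment URL shapes described above (<code>/files/{file_id}/</code> and <code>/assets/</code>) from URLs that point at content the maintainers actually published, so a mail-gateway or proxy-log review can treat an attachment link as unvetted even though it carries the org's name. The regular expressions, the <code>review_queue</code> helper and the sample URLs other than the two quoted in the article are assumptions and constructed values.</p>

```python
import re
from urllib.parse import urlparse

# Comment attachments follow the pattern quoted in the article:
#   https://github.com/{owner}/{repo}/files/{file_id}/{file_name}
FILES_RE = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/\d+/(?P<name>[^/]+)$")
# Images and videos attached to comments are served under /assets/ instead.
ASSETS_RE = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/assets/(?P<name>.+)$")
# Paths that point at content the maintainers published or committed (assumed set).
REPO_RE = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/(?:releases/download|blob|raw|archive)/")
RISKY_SUFFIXES = (".zip", ".rar", ".7z", ".exe", ".msi", ".bat", ".iso")

def classify_github_url(url: str) -> dict:
    """Return kind ('comment-attachment', 'repo-content' or 'other'), owner, repo, name.
    Defanged hosts such as github[.]com, as printed in reports, are accepted."""
    parts = urlparse(url.replace("[.]", "."))
    none = {"kind": "other", "owner": None, "repo": None, "name": None}
    if (parts.hostname or "").lower() not in ("github.com", "www.github.com"):
        return none
    m = FILES_RE.match(parts.path) or ASSETS_RE.match(parts.path)
    if m:
        return {"kind": "comment-attachment", "owner": m["owner"], "repo": m["repo"], "name": m["name"]}
    m = REPO_RE.match(parts.path)
    if m:
        return {"kind": "repo-content", "owner": m["owner"], "repo": m["repo"],
                "name": parts.path.rsplit("/", 1)[-1]}
    return none

def review_queue(urls, watched_owners):
    """URLs that borrow a watched org's name but are comment attachments with an
    archive/executable extension. Such files never passed through the repository's
    source tree, so the org name in the URL says nothing about who uploaded them."""
    hits = []
    for url in urls:
        c = classify_github_url(url)
        if (c["kind"] == "comment-attachment" and c["owner"].lower() in watched_owners
                and c["name"].lower().endswith(RISKY_SUFFIXES)):
            hits.append(url)
    return hits

# Constructed sample: the two URLs quoted in the article plus three made-up ones.
SAMPLE_URLS = [
    "https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip",
    "https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip",
    "https://github.com/microsoft/vcpkg/releases/download/v0.0.0-example/example.zip",  # constructed
    "https://github.com/microsoft/vcpkg/assets/1/screenshot.png",                      # constructed
    "https://example.invalid/microsoft/vcpkg/files/1/x.zip",                           # constructed
]
```

<p>Running <code>review_queue(SAMPLE_URLS, {"microsoft"})</code> returns only the two <code>/files/</code> archives; the release download and the image attachment are left alone.</p>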
<div>
<figure class="image"><img alt="Download link auto-generated when adding a file to a comment" src="https://www.bleepstatic.com/images/news/security/g/github/github-file-uploads/github-comment-file-upload.jpg"><figcaption><strong>Download link auto-generated when adding a file to a comment</strong><br><em>Source: BleepingComputer</em></figcaption></figure></div>
<p>Even if you decide not to post the comment or delete it after it is posted, the files are not deleted from GitHub's CDN, and the download URLs continue to work forever.</p>
<p>As the file's URL contains the name of the repository the comment was created in, and as almost every software company uses GitHub, this flaw can allow threat actors to develop extraordinarily crafty and trustworthy lures.</p>
<p>For example, a threat actor could upload a malware executable in <a href="https://github.com/NVIDIA/nvidia-installer" target="_blank" rel="nofollow noopener">NVIDIA's driver installer repo</a> that pretends to be a new driver fixing issues in a popular game. Or a threat actor could upload a file in a comment to the <a href="https://github.com/chromium/chromium" target="_blank" rel="nofollow noopener">Google Chromium source code</a> and pretend it's a new test version of the web browser.</p>
<p>These URLs would also appear to belong to the company's repositories, making them far more trustworthy.</p>
<p>Unfortunately, even if a company learns its repos are being abused to distribute malware, BleepingComputer could not find any settings that allow you to manage files attached to your projects.</p>
<p>Furthermore, the only way to protect a GitHub account from being abused in this way and tarnishing your reputation is to disable comments. According to this <a href="https://docs.github.com/en/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" target="_blank" rel="nofollow noopener">GitHub support document</a>, you can only temporarily disable comments for a maximum of six months at a time.</p>
<p>However, restricting comments can significantly impact a project's development as it will not allow users to report bugs or suggestions.</p>
<p>Sergei Frankoff, of automated malware analysis service UNPACME, did a livestream on Twitch about this bug just last month, saying that threat actors were actively abusing it.</p>
<p>As part of our research into this bug, BleepingComputer could only find one other repo, <a href="https://urlhaus.abuse.ch/url/2780254/" target="_blank" rel="nofollow noopener">httprouter</a>, abused to distribute malware in this way, and it was the same 'Cheater.Pro.1.6.0.zip' as seen in Microsoft's URLs.</p>
<p>However, Frankoff told BleepingComputer that they <a href="https://research.openanalysis.net/github/lua/2024/03/03/lua-malware.html" target="_blank" rel="nofollow noopener">discovered a similar campaign in March</a> that utilizes the same LUA loader malware, which is called <a href="https://www.unpac.me/results/f3a0a729-afcf-4209-9323-fbf470be2835#/" target="_blank" rel="nofollow noopener">SmartLoader</a>, disguised as the Aimmy cheat software.</p>
<p>Frankoff told BleepingComputer that SmartLoader is commonly installed alongside other payloads, such as the RedLine information-stealing malware.</p>
<p>BleepingComputer contacted both GitHub and Microsoft on Thursday about this abuse but did not receive a response.</p>
<p>At the time of this publication, the information-stealing malware is still being distributed through links associated with Microsoft's GitHub repositories.</p>
<p><em>Update 4/21/24: </em>GitHub has removed the malware linked to Microsoft's repositories. However, the malware associated with httprouter and Aimmy is still accessible.</p>