December 19, 2023 at 08:39AM
Threat actors are using GitHub for malicious activities, including hosting malware and delivering malicious commands via secret Gists and git commit messages. The use of legitimate public services allows threat actors to bypass detection tools. These novel methods can blend malicious traffic with genuine communications, making it harder to detect and respond to threats effectively.
Key takeaways from the meeting notes:
– Threat actors are increasingly utilizing GitHub for malicious activities, including abusing secret Gists and issuing malicious commands via git commit messages.
– Malware authors are using legitimate public services like Dropbox, Google Drive, OneDrive, and Discord to host second-stage malware and evade detection tools.
– The technique of using GitHub for hosting malware allows threat actors to blend their malicious network traffic with genuine communications, making it challenging to detect and respond to threats effectively.
– The abuse of GitHub Gists, specifically the use of secret Gists as a pastebin-style host for payloads, was highlighted as a novel approach by malicious actors.
– Various PyPI packages were found to masquerade as libraries for handling network proxying, containing Base64-encoded URLs pointing to secret Gists hosted in throwaway GitHub accounts.
– Malicious code was embedded in setup.py files of counterfeit packages, facilitating the execution of Base64-encoded commands in a new process.
– Abuse of version control system features, particularly git commit messages, was observed as a technique for retrieving commands from a repository and executing them on the victim system.
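A small install-time indicator scanner for the pattern these notes describe (Base64 literals in setup.py that decode to URLs on GitHub Gist or API hosts, next to a process spawn). It is added here as an example and is not code from the report or from any package it describes; the sample setup.py, the throwaway account name and the Gist path are constructed.

```python
import base64
import binascii
import re

# Hosts the notes name as staging points: secret Gists and Git data fetched via the GitHub API.
SUSPECT_HOSTS = ("gist.github.com", "gist.githubusercontent.com", "api.github.com")
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
URL_RE = re.compile(r'^https?://([^/\s"\']+)')
SPAWN_RE = re.compile(r'\b(subprocess\.(?:Popen|run|call)|os\.(?:system|popen))\s*\(')

def decode_literal(literal: str):
    """Return the decoded text of a Base64 literal, or None if it is not valid Base64 text."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def find_encoded_urls(source: str):
    """Return (host, url) for every quoted Base64 literal in `source` that decodes to a URL."""
    hits = []
    for literal in B64_LITERAL.findall(source):
        text = decode_literal(literal)
        if text is None:
            continue
        m = URL_RE.match(text.strip())
        if m:
            hits.append((m.group(1).lower(), text.strip()))
    return hits

def scan_setup_py(source: str) -> dict:
    """Summarise install-time indicators: hidden URLs, GitHub-hosted ones, and process spawning."""
    urls = find_encoded_urls(source)
    return {
        "encoded_urls": [u for _, u in urls],
        "suspect_urls": [u for h, u in urls if h in SUSPECT_HOSTS],
        "spawns_process": bool(SPAWN_RE.search(source)),
    }

# Constructed sample of a counterfeit setup.py (hypothetical account and Gist id): an encoded
# secret-Gist URL is decoded and a child process is started during installation.
_GIST = "https://gist.github.com/throwaway-account/0123456789abcdef"
SAMPLE_SETUP_PY = f'''
from setuptools import setup
import base64, subprocess
cfg = base64.b64decode("{base64.b64encode(_GIST.encode()).decode()}").decode()
subprocess.Popen(["echo", cfg])
setup(name="proxy-helper", version="0.1.0")
'''

if __name__ == "__main__":
    print(scan_setup_py(SAMPLE_SETUP_PY))
```

Run it over each setup.py in a package archive before installation; a non-empty `suspect_urls` together with `spawns_process` is the combination the notes describe and warrants manual review.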
Overall, the meeting notes shed light on the evolving tactics of threat actors in leveraging GitHub and other platforms for hosting and delivering malicious code, requiring heightened vigilance and proactive measures to mitigate these security threats.