Alex Reid’s Post

Red Team and Offensive Tool Development | OSEP, OSCP, RTJC

3mo Edited

⚠ Be careful on GitHub! ⚠ Ran into a perfect example of why it is so important to scrutinize code that you download from GitHub. I was searching something on GitHub and filtering by 'Last Updated' and came across a 'UAC-Bypass-FUD' repo that looked interesting and was added in the last few hours. I downloaded the repo and went to open the Visual Studio solution file and noticed something odd... file explorer listed it as a screen saver file. This file is in reality a .scr file using the Right to Left Override (RTLO https://lnkd.in/eTqKGtkz) trick to appear to be a .sln file (Visual Studio solution). VirusTotal confirms that it is malware. This user on GitHub has 10 repos that all appear to be backdoored. These repos all use a github workflow file (.github/workflows/main.yml) that appears to update the repo every 5 - 60 minutes in order to 'bump' the repo to the top of search results. Watch out for this user and these repos: https://github.com/Mataod EDIT: I have identified two additional accounts that are using the same TTP's and appear to be the same threat actor: https://github.com/Maskiow https://lnkd.in/e3ArGkbg #malware #infosec #github #backdoor

50 Comments

Alex Reid

Red Team and Offensive Tool Development | OSEP, OSCP, RTJC

3mo

A .ru email address is leaked from a .git file:

26 Reactions

Eirik Sveen

Detection Engineer at Storebrand

3mo

This looks like the exact same gang that I ran into in November, were the backdoored repo was being reposted here on LinkedIn. Same "UAC-Bypass-FUD" repo with RTLO on the ".sln" file and the same .ru email used in the .git file to fake activity on the repo.

9 Reactions

Abhinav D.

Ex-trainee in Offensive Cybersecurity at Cyberik Global, UK | Globally ranked in Top 3% in THM

3mo

Git hub must implement some sort of sandbox environment to see what these uploaded repos look like when executed.

6 Reactions

Kyle Kelly

Supply Chain Security

3mo

Another area to consider; public package repositories e.g., PyPi and NPM. Imagine instead of downloading this and seeing the files you were downloading a third-party package. You’ll never see the code; but you download it and likely call it, or try to call it, in your code. This just gets accelerated thanks to copy/pasting from stackoverflow, ChatGPT, etc. APTs, especially North Korea, has been targeting popular packages and embedding malware into them to target developers and steal information. We (the tech industry) do a poor job of enabling developers to know what packages introduce what risks and how. Platforms like deps.dev are handy, but not a silver bullet by any means.

12 Reactions

Dainen Dunn

Stobaugh Group Lead Advanced Threat Intelligence Researcher - Windows - Android - Linux - IoT - Reverse Engineering - Red Team - Software Engineer - Malware Research

3mo

I have encountered this quite a lot searching certain terms on GitHub. Mostly I've found that searching terms like RAT, crypter fud, and various darknet tooling terms will lead you to repos like this. Simple solution to avoid this one is ALWAYS look at the solution file name, a dead giveaway is seeing the very end of the solution file name being rcs.sln. Once you see that in a repo, report it (if GitHub has a reporting feature) and never look back. Another one to watch out for is Nuget package backdoors. I documented in a public disclosure earlier this year on how a nuget package can be infected with a malicious powershell script, then once installed into the visual studio project, will deploy the payload without any user interaction other than installing the package. Classic software supply chain infection!

Andy G.

Adversarial Engineering Lead - UK/EU at Lares Consulting

3mo

https://blog.zsec.uk/cve-2020-1350-honeypoc/ don't trust everything on github, I published HoneyPoC a few years ago now but it highlighted people run things blindly easily. https://blog.zsec.uk/honeypoc-release/

4 Reactions

Alexandre BLANC Cyber Security

Advisor - ISO/IEC 27001 and 27701 Lead Implementer - Named security expert to follow on LinkedIn in 2024 - MCNA - MITRE ATT&CK - LinkedIn Top Voice 2020 in Technology - All my content is sponsored

3mo

This is why security controls must be implemented all the way, especially in software supply chain.

2 Reactions

Arnim Rupp

3mo

Two more of the same style. Just reported them to GitHub but they really need some scanner to find and remove this crap automatically. Shouldn't be that hard. https://github.com/MastersTms/Pure-Crypter-ADVANCED-INJECTION-TECHNOLOGY-64BIT-32BIT-Anti-Delete https://github.com/Tikosktaki/Pure-Crypter-ADVANCED-INJECTION-TECHNOLOGY-64BIT-32BIT-Anti-Delete

Arnim Rupp

3mo

Another example, 4 months old, 18 stars, 7 forks: https://github.com/ft-seek/Muck-Crypter-FUD-AES-Algoritm

Jason Bain

Rio Hondo College Alumni

3mo

This terrifies me. as a programmer I never want to download something from GitHub again. ILL just make it myself.

1 Reaction

See more comments

To view or add a comment, sign in

More Relevant Posts

Mostafa El Sheemy

INFORMATION Security (GRC Team) | Information Security Awareness Trainer | Python Programmer | NSE 2 |Certified Risk Manager (CRM) | Certified Credit Analyst
3mo
Report this post
Just a reminder that any code repository can host evil minds .. so be careful when you embed any of those codes into your program and always keep track of those libraries #SSDLC #programing #githubrepository #informationsecurity #informationsecurityawareness #awareness
Alex Reid

Red Team and Offensive Tool Development | OSEP, OSCP, RTJC
3mo Edited

⚠ Be careful on GitHub! ⚠ Ran into a perfect example of why it is so important to scrutinize code that you download from GitHub. I was searching something on GitHub and filtering by 'Last Updated' and came across a 'UAC-Bypass-FUD' repo that looked interesting and was added in the last few hours. I downloaded the repo and went to open the Visual Studio solution file and noticed something odd... file explorer listed it as a screen saver file. This file is in reality a .scr file using the Right to Left Override (RTLO https://lnkd.in/eTqKGtkz) trick to appear to be a .sln file (Visual Studio solution). VirusTotal confirms that it is malware. This user on GitHub has 10 repos that all appear to be backdoored. These repos all use a github workflow file (.github/workflows/main.yml) that appears to update the repo every 5 - 60 minutes in order to 'bump' the repo to the top of search results. Watch out for this user and these repos: https://github.com/Mataod EDIT: I have identified two additional accounts that are using the same TTP's and appear to be the same threat actor: https://github.com/Maskiow https://lnkd.in/e3ArGkbg #malware #infosec #github #backdoor
Like Comment
To view or add a comment, sign in
Karin Portillo

Director Software Development | Building Software Products
8mo
Report this post
I try and keep my extensions in VS Code and other IDEs to a bare minimum. This is scary. What if I have an extension that is widely used by the developer community, but it’s not even verified, or it has vulnerabilities?
John Hammond

Cybersecurity Researcher || jh.live/email
8mo Edited

I wondered, "How many Visual Studio Code extensions could be hacked?" ... so I started a small project to try and find out! Scraping ALL the available extensions from the VS Marketplace, downloading source code & hunting for vulnerabilities! Bounty plz? 😜 https://buff.ly/3LuwDU9 Huge thanks to Snyk for sponsoring this video and their continued support of the channel! Snyk recently shared their 2023 State of Open Source Security Report, and it parallels well with this experiment here -- take a look! https://buff.ly/3Pp4SNP
Like Comment
To view or add a comment, sign in
👾 Rob Bos

Continuously improving with DevOps
6mo
Report this post
Lots of updates in NuGet 6.8! The most important one is a scan against the GitHub Advisory Database on every dotnet restore! Making it a lot easier to see issues when you build your application. #Security Maintaining Security with Ease - The #NuGet Blog https://buff.ly/3QGRp4J

Announcing NuGet 6.8 - Maintaining Security with Ease - The NuGet Blog

https://devblogs.microsoft.com/nuget
Like Comment
To view or add a comment, sign in
Prasad Wijesuriya

#CybersecurityConsultant #CountryManager #InformationSecurityProfessional #ChannelLeader #PublicSpeaker #SecurityEvangelist
8mo
Report this post
🚨 𝐌𝐢𝐜𝐫𝐨𝐬𝐨𝐟𝐭 𝐏𝐚𝐭𝐜𝐡 𝐓𝐮𝐞𝐬𝐝𝐚𝐲 𝐔𝐩𝐝𝐚𝐭𝐞 🚨 Microsoft has just released patches for a whopping 59 vulnerabilities, including 5 critical-severity issues across Azure, .NET / Visual Studio, and Windows. This month's update covers a wide range of products, but Windows takes the lead with 21 CVEs. Notably, Exchange administrators, take note! Four vulnerabilities from the September release were actually issued in August but went unnoticed. Microsoft warns that these could be exploited sooner rather than later. One CVE that caught my attention is CVE-2023-38146, an Important-severity Windows Themes Remote Code Execution Vulnerability. While themes might not be the first thing that comes to mind, this flaw could be exploited via a specially crafted .theme file. It's crucial to stay vigilant! At patch time, two issues are known to be exploited in the wild. CVE-2023-36761 is an Important-class information-disclosure vulnerability in Word accessible through Preview Pane; CVE-2023-36802 is an Important-class elevation of privilege flaw in Windows (specifically, in the Microsoft Streaming Service Proxy component). An additional 12 vulnerabilities in Windows and Exchange are by the company’s estimation more likely to be exploited in the next 30 days. Stay updated, patch your systems, and keep an eye on these critical vulnerabilities. Cybersecurity is an ongoing battle, and it's crucial to stay one step ahead. Complete details are available at https://lnkd.in/gubaDRme 💻 🛡️ #PatchTuesday #Cybersecurity #MicrosoftUpdates #ThreatResearch #Sophos

A 59-CVE Patch Tuesday with something for nearly everyone

https://news.sophos.com/en-us/
Like Comment
To view or add a comment, sign in
Hany Soliman

Muslim | Sr. Cyber Security Engineer , CRTE | ISO 27k LA | APISEC | OAPT | OBBH2.0 | CEH | DevSecOps
9mo
Report this post
PowerSharpPack Many useful offensive CSharp Projects wraped into Powershell for easy usage. Why? In my personal opinion offensive Powershell is not dead because of AMSI, Script-block-logging, Constrained Language Mode or other protection features. Any of these mechanisms can be bypassed. Since most new innovative offensive security projects are written in C# I decided to make them usable in powershell as well. https://lnkd.in/d9BBPRDy

GitHub - S3cur3Th1sSh1t/PowerSharpPack

github.com
Like Comment
To view or add a comment, sign in
Demandify Media - A Trescon Company

5,114 followers
10mo
Report this post
The npm registry for the Node.js JavaScript runtime environment is susceptible to what’s called a manifest confusion attack that could potentially allow threat actors to conceal malware in project dependencies or perform arbitrary script execution during installation. “A npm package’s manifest is published independently from its tarball,” Darcy Clarke, a former GitHub and npm engineering manager, said in a technical write-up published last week. “Manifests are never fully validated against the tarball’s contents. #github https://lnkd.in/dYi8pcxE #engineering #environment #javascript #project #malware

Node.js Users Beware: Manifest Confusion Attack Opens Door to Malware - Security Curated

https://securitycurated.com
Like Comment
To view or add a comment, sign in
Karan singh

I am Hackveloper
5mo
Report this post
for more information follow me:👍Karan singh#window #reflection #string 👍 instagram: 👍 https://lnkd.in/dqEsSVXV 👍 youtube: 👍 https://lnkd.in/d-ZNMm9k 👍 #cybersecurity #ethicalhacking #whitehathacker #linux #scripting #html #hackingtools

Lab: Exploiting cross-site scripting to capture passwords | Web Security Academy

portswigger.net
Like Comment
To view or add a comment, sign in
khalil shreateh

Security Researcher, Ethical Hacker, Internet and Social Media Safety Tutor, Social Media Consultant
3mo
Report this post
Microsoft Windows Defender Backdoor JS.Relvelshe.A Detection Mitigation Bypass #shreateh #exploit #hacker #computer #cybersecurity #blackleaders #technology #vulnerability #vulnerabilityisstrength #vulnerable #infosec #security #tech #hacking #programming #hackers #coding #safety #cybersec

Microsoft Windows Defender Backdoor JS.Relvelshe.A Detection Mitigation Bypass

khalil-shreateh.com
Like Comment
To view or add a comment, sign in
Shikhar Rai

Security Operations @Syncron
9mo
Report this post
🚀 Excited to announce the launch of Payload Generator (Pg v1.0 Official Release) 🎉 Are you a security professional or an ethical hacker looking for a powerful tool to generate customized payloads? Look no further! 🛡️ Payload Generator, developed by the skilled hacker str1ke007, empowers you to create a wide range of payloads for penetration testing and ethical hacking purposes. 💻💼 Check it out now on GitHub: 👉 https://lnkd.in/gnhzGhg9 🔥 Features 🔥 • Choose from a variety of payloads for Windows and Linux platforms 🪶💻 • Generate payloads with custom IP and port configurations 🛠️📡 • Seamlessly switch between x86 and x64 architectures 🔄🔢 • Asynchronous programming for a smooth user experience 🌐🚀 • Cross-platform compatibility on Windows, macOS, and Linux 🌟🖥️ 👉 Try it out and let me know your feedback! Happy hacking! 😄💻🔓 #PayloadGenerator #EthicalHacking #PenetrationTesting #SecurityTools #Python #HackingTools #CyberSecurity #OpenSource #GitHub #TechCommunity #AsynchronousProgramming #Empowerment #CodingLife #CodingCommunity #HackersUnite #BugHunting #InformationSecurity #CTF #CyberHeroes #CodeNinja #TechUpdates #LinkedinPost #ShareTheKnowledge 🚀🔐💻

GitHub - str1ke007/simple_payload_gen

github.com

2 Comments
Like Comment
To view or add a comment, sign in

8,878 followers

109 Posts

View Profile Follow

Alex Reid’s Post

More Relevant Posts

Explore topics