⚠ Be careful on GitHub! ⚠ Ran into a perfect example of why it is so important to scrutinize code that you download from GitHub. I was searching something on GitHub and filtering by 'Last Updated' and came across a 'UAC-Bypass-FUD' repo that looked interesting and had been added in the last few hours. I downloaded the repo and went to open the Visual Studio solution file and noticed something odd... File Explorer listed it as a screen saver file. This file is in reality a .scr file using the Right-to-Left Override (RTLO https://lnkd.in/eTqKGtkz) trick to appear to be a .sln file (Visual Studio solution). VirusTotal confirms that it is malware. This user on GitHub has 10 repos that all appear to be backdoored. These repos all use a GitHub workflow file (.github/workflows/main.yml) that appears to update the repo every 5 - 60 minutes in order to 'bump' the repo to the top of search results. Watch out for this user and these repos: https://github.com/Mataod EDIT: I have identified two additional accounts that are using the same TTPs and appear to be the same threat actor: https://github.com/Maskiow https://lnkd.in/e3ArGkbg #malware #infosec #github #backdoor
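The two tells in the post above (a file name carrying a U+202E override so that a .scr displays as a .sln, and a workflow whose cron schedule fires every few minutes to bump the repo) can both be checked mechanically on a fresh clone before anything is opened. The script below is an added example, not the original poster's tooling or anything from the repos named; the sample repo it builds in a temp directory is constructed for the demo, and the rendering function is a simplified model of the Unicode bidi algorithm (text after U+202E is drawn reversed), which is enough to show why the displayed name ends in "rcs.sln".

```python
"""Triage a cloned repo for (1) file names containing Unicode bidi-control
characters (the RTLO trick) and (2) GitHub Actions cron schedules that fire
hourly or faster. Added example; not code from the original post."""
import os
import re
import tempfile

# Bidi controls that can visually reorder a file name.
# U+202E RIGHT-TO-LEFT OVERRIDE is the one behind "...rcs.sln".
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200e\u200f"                     # LRM, RLM
)
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".ps1",
                   ".vbs", ".js", ".hta", ".lnk", ".msi", ".dll"}
CRON_RE = re.compile(r"^\s*-?\s*cron:\s*['\"]?([^'\"#\n]+?)['\"]?\s*$", re.M)

def real_extension(name):
    """Extension the OS actually honours: after the last '.' in the raw string."""
    return os.path.splitext(name)[1].lower()

def rendered_name(name):
    """Approximate what a file browser shows: text after U+202E is drawn
    right-to-left (simplified bidi model, sufficient for this trick)."""
    shown = []
    for i, ch in enumerate(name):
        if ch == "\u202e":
            tail = "".join(c for c in name[i + 1:] if c not in BIDI_CONTROLS)
            shown.append(tail[::-1])
            break
        if ch not in BIDI_CONTROLS:
            shown.append(ch)
    return "".join(shown)

def classify_name(name):
    """Flag a name that carries bidi controls or whose shown extension lies."""
    shown = rendered_name(name)
    real, displayed = real_extension(name), real_extension(shown)
    return {
        "raw": name, "shown": shown, "real_ext": real, "shown_ext": displayed,
        "executable": real in EXECUTABLE_EXTS,
        "suspicious": any(c in BIDI_CONTROLS for c in name) or real != displayed,
    }

def cron_period_minutes(expr):
    """Smallest interval (minutes) a 5-field cron expression can fire at, or
    None when it is slower than hourly or not understood."""
    fields = expr.split()
    if len(fields) != 5:
        return None
    minute, hour = fields[0], fields[1]
    if minute == "*":
        return 1
    if minute.startswith("*/") and minute[2:].isdigit():
        return int(minute[2:])
    if hour != "*":
        return None                      # fixed hour: at most a few runs per day
    try:
        mins = sorted({int(m) for m in minute.split(",")})
    except ValueError:
        return None
    gaps = [b - a for a, b in zip(mins, mins[1:])] + [60 - mins[-1] + mins[0]]
    return min(gaps)

def scan_filenames(root):
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            verdict = classify_name(fn)
            if verdict["suspicious"]:
                verdict["path"] = os.path.join(dirpath, fn)
                hits.append(verdict)
    return hits

def scan_workflows(root, max_period=60):
    """(workflow path, cron expr, period) for schedules at or under max_period."""
    hits, wf_dir = [], os.path.join(root, ".github", "workflows")
    if not os.path.isdir(wf_dir):
        return hits
    for fn in sorted(os.listdir(wf_dir)):
        if not fn.endswith((".yml", ".yaml")):
            continue
        path = os.path.join(wf_dir, fn)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for expr in CRON_RE.findall(fh.read()):
                period = cron_period_minutes(expr.strip())
                if period is not None and period <= max_period:
                    hits.append((path, expr.strip(), period))
    return hits

def triage(root):
    return {"filenames": scan_filenames(root), "workflows": scan_workflows(root)}

def build_demo_repo(root):
    """Constructed sample repo (not a real one): an RTLO-named .scr posing as a
    .sln, plus a workflow scheduled every 15 minutes."""
    os.makedirs(os.path.join(root, ".github", "workflows"))
    open(os.path.join(root, "README.md"), "w").close()
    open(os.path.join(root, "UAC-Bypass\u202enls.scr"), "wb").close()
    with open(os.path.join(root, ".github", "workflows", "main.yml"), "w") as fh:
        fh.write("on:\n  schedule:\n    - cron: '*/15 * * * *'\n"
                 "jobs:\n  bump:\n    runs-on: ubuntu-latest\n"
                 "    steps:\n      - run: echo bump\n")

def demo():
    """Build the constructed repo in a temp dir and triage it."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    build_demo_repo(root)
    return triage(root)

if __name__ == "__main__":
    result = demo()
    for f in result["filenames"]:
        print(f"bidi name: shown as {f['shown']!r}, really {f['real_ext']} -> {f['path']}")
    for path, expr, period in result["workflows"]:
        print(f"cron '{expr}' fires every {period} min -> {path}")
```

Run `triage(path_to_clone)` on a real checkout; the demo entry point only exists so the script has something to scan offline. A hit in "filenames" is worth treating as hostile regardless of what the README promises, and a sub-hourly cron in a repo with no obvious reason for one is the search-ranking trick the post describes rather than proof of malware on its own.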
This looks like the exact same gang that I ran into in November, where the backdoored repo was being reposted here on LinkedIn. Same "UAC-Bypass-FUD" repo with RTLO on the ".sln" file and the same .ru email used in the .git file to fake activity on the repo.
GitHub must implement some sort of sandbox environment to see what these uploaded repos look like when executed.
Another area to consider: public package repositories, e.g., PyPI and NPM. Imagine instead of downloading this and seeing the files you were downloading a third-party package. You'll never see the code, but you download it and likely call it, or try to call it, in your code. This just gets accelerated thanks to copy/pasting from Stack Overflow, ChatGPT, etc. APTs, especially North Korea, have been targeting popular packages and embedding malware into them to target developers and steal information. We (the tech industry) do a poor job of enabling developers to know what packages introduce what risks and how. Platforms like deps.dev are handy, but not a silver bullet by any means.
I have encountered this quite a lot searching certain terms on GitHub. Mostly I've found that searching terms like RAT, crypter fud, and various darknet tooling terms will lead you to repos like this. The simple solution to avoid this one is to ALWAYS look at the solution file name; a dead giveaway is seeing the very end of the solution file name being rcs.sln. Once you see that in a repo, report it (if GitHub has a reporting feature) and never look back. Another one to watch out for is NuGet package backdoors. I documented in a public disclosure earlier this year how a NuGet package can be infected with a malicious PowerShell script, which, once installed into the Visual Studio project, will deploy the payload without any user interaction other than installing the package. Classic software supply chain infection!
https://blog.zsec.uk/cve-2020-1350-honeypoc/ Don't trust everything on GitHub. I published HoneyPoC a few years ago now, but it highlighted how easily people run things blindly. https://blog.zsec.uk/honeypoc-release/
This is why security controls must be implemented all the way, especially in software supply chain.
Two more of the same style. Just reported them to GitHub but they really need some scanner to find and remove this crap automatically. Shouldn't be that hard. https://github.com/MastersTms/Pure-Crypter-ADVANCED-INJECTION-TECHNOLOGY-64BIT-32BIT-Anti-Delete https://github.com/Tikosktaki/Pure-Crypter-ADVANCED-INJECTION-TECHNOLOGY-64BIT-32BIT-Anti-Delete
Another example, 4 months old, 18 stars, 7 forks: https://github.com/ft-seek/Muck-Crypter-FUD-AES-Algoritm
This terrifies me. As a programmer I never want to download something from GitHub again. I'll just make it myself.
Red Team and Offensive Tool Development | OSEP, OSCP, RTJC
A .ru email address is leaked from a .git file: