Description
Security researchers have recently found thousands of GitHub repositories providing fraudulent proof of concept (PoC) exploits that are embedded with malware.
Summary
On the 15th of October 2022, researchers from the Leiden Institute of Advanced Computer Science discovered that thousands of GitHubs repositories contained fake PoC exploits with some of them embedded with malware. GitHub is one of the largest code hosting platforms used by researchers and programmers to host and share code and projects and as such PoC exploits are shared as well. A proof of concept (PoC) exploit is a non-harmful attack against a computer or network that is not meant to cause harm, but to show security weaknesses within software. Identifying these issues allows companies to patch vulnerabilities and protect themselves against attacks.
The research conducted analyzed over 47,300 repositories distributing exploits for vulnerabilities disclosed between 2017 and 2021. Analysis was done in three area: IP address analysis which compares the PoC”s publisher IP to public blocklists, VirusTotal and AbuseIPDB; Binary analysis which runs VirusTotal checks on the provided executables and their hashes and Hexadecimal and Base64 analysis which decodes obfuscated files before performing binary and IP checks. Of the 150,734 unique IPs extracted and analyzed, 2,864 were presented in blocklist entries, 1,522 were detected as malicious inantivirus scans on Virus Total, and 1,069 of them were flagged in the AbuseIPDB database. For the binary analysis a set of 6,160 executables were examined and revealed a total of 2,164 malicious hash samples hosted in 1,398 repositories. In total, 4,893 repositories out of the 47,313 tested were deemed malicious.
The malware distributed by the PoCs included malware and scripts ranging from remote access trojans to Cobalt Strike. The researchers revealed some of malware including a script for Houdinis RAT embedded in a PoC for CVE-2019-0708 also known as BlueKeep, an info-stealer that collects system information, IP address, and user agent embedded in a fake PoC, a script encoded in base64 hiding in a PowerShell PoC and a Cobalt Strike executable embedded in a fake BlueKeep PoC.
Remediation
GitHub is open for everyone on the internet to upload content, however GitHub does not seem to monitor or enforce any strict criteria for these uploads. It would therefore be unwise to trust a repository, especially from an unverified source. It is therefore recommended to follow the steps below to carefully inspect any PoCs before executing them:
Read and analyze carefully the code you are about to run on your device and network.
If the code is too obfuscated and needs too much time to analyze manually, sandbox it in an environment (ex: an isolated Virtual Machine) and check your network for any suspicious traffic.
Use open-source intelligence tools like VirusTotal to analyze binaries.
PDF Download: GitHub repositories deliver fraudulent PoCs with malware.pdf
References
Toulas, B (2022, October 13). Thousands of GitHub repositories deliver fake PoC exploits with malware. Retrieved from the BleepingComputer. https://www.bleepingcomputer.com/news/security/thousands-of-github-repositories-deliver-fake-poc-exploits-with-malware/
El Yadmani, S., The, R., and Gadyatskaya, O. (2022, October 15) How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub. Retrieved from arXiv.org
https://arxiv.org/pdf/2210.08374.pdf