The practice of using public services as command-and-control (C2) infrastructure is a common tactic among malicious actors. ReversingLabs has observed this in various malware campaigns over the years, with authors placing their samples in services such as Dropbox, Google Drive, OneDrive, and Discord to host second-stage malware and evade detection tools. Recently, there has been an uptick in the use of the GitHub open source development platform for hosting malware. Two novel techniques that have been detected involve the abuse of GitHub Gists and issuing commands through git commit messages.

One prevalent use case for public services being used for malicious purposes is the fetching of the real C2 address. In addition, infostealers published to open source package repositories have been using services like Dropbox and Discord to host two-stage malware. There are several reasons why malware authors choose to use public services as C2 infrastructure, including the fact that network communication with these services is less likely to raise suspicion than communication to an obscure domain or IP address. Furthermore, running C2 infrastructure on platforms like GitHub is simpler and eliminates the need for cybercriminals to operate their own servers.

One of the new techniques identified is the use of GitHub Gists for hosting two-stage malicious payloads. Gists are a feature on GitHub that allows users to share code snippets, and can be public or secret. In a recent incident, several PyPI packages masquerading as network proxying libraries contained a URL pointing to a secret Gist that hosted a Base64 encoded string, which then fetched and executed malicious commands from the Gist.

Another technique involves the use of git commit messages for command delivery. A malicious package discovered on the easyhttprequest PyPI package cloned a specific git repository from GitHub and checked for a “magic string” at the beginning of the commit message. If it found the string, it decoded the Base64 encoded commit message and executed it as a Python command in a new process.

The ReversingLabs threat research team believes that the same malware author is likely behind both of these campaigns, and they expect to see more innovative GitHub tricks in the future. It is important for developers and application security teams to be vigilant in their approach to the open source ecosystem, as attackers are becoming more skilled in their deployment of malware. Modern tooling that employs complex binary analysis is essential in providing comprehensive software supply chain security.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.

View Articles