An unidentified party has been creating malicious GitHub repositories under the guise of a fake company that promises exploits for well-known products such as Chrome, Exchange and Discord, but actually infects users who download them.
In new research released Wednesday, VulnCheck researchers said they came across a malicious GitHub repository in early May that claimed it was a Signal zero-day. After reporting it to GitHub it was quickly taken down, but they continued to observe similar incidents throughout the rest of the month.
Whoever was doing it, they went to some length to establish a legend and cover for the repositories, posing as security researchers for a fake company called High Sierra Cyber Security and creating a network of accounts and Twitter profiles. They even used headshots of real security researchers from prominent security firms such as Rapid7.
The VulnCheck researchers said the attacker "put in a lot of effort to create all these fake personas, only to deliver malware." While it’s unclear if they’ve been successful, given their tenacious efforts over the past month, the researchers said the threat actor likely believes that they “will be” successful, eventually.
VulnCheck doesn't know if the activity is being carried out by a single individual or something more advanced, like an ongoing North Korean operation uncovered by Google TAG in January 2021 that has persistently targeted the information security community.
“Either way, security researchers should understand that they are useful targets for malicious actors and should be careful when downloading code from GitHub."
Threat actors have learned that they can poison code repositories and get unsuspecting developers to do their work for them, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said this threat actor has put a lot of effort into the social side, making the "owner" of the repo seem legitimate, while posting malware that's easily identified, rendering it far less effective.
“While very unlikely, on some levels it almost looks like part of a research project itself,” Parkin said. “But this highlights something that's become very apparent with public repositories: always, always, vet the code you download for your projects. Full stop."
Georgia Weidman, security architect at Zimperium, added that unfortunately, attacks like this that claim to be an exploit but instead attack the device that downloads it are as old as security vulnerabilities themselves.
“These sorts of unknown exploits, particularly if the source code is not available for review, should only be downloaded and run in an isolated virtual machine or system set up for malware analysis,” said Weidman. “New researchers should consider working with exploitation projects that are known to be vetted by the security community such as Metasploit as they are learning."