Who Could Be Behind the Latest GitHub-Hosted Malware Infrastructure?

GitHub is a popular code repository used by virtually all software developers. Anyone can access it to share their code with virtually anybody. Unfortunately, not every GitHub user is trustworthy. It has, in fact, been used to host malware at least a few times.

In March 2018, for instance, cybercriminals hosted cryptocurrency mining malware on GitHub. More recently, a researcher reportedly used the repository to host several malicious projects. WhoisXML API threat researcher Dancho Danchev took a closer look at one such campaign using six domains and subdomains as jump-off points.

Danchev’s findings led to the discovery of:

  • More than 90 active IP resolutions of the domains and subdomains identified as indicators of compromise (IoCs), 4 of which were dubbed “malicious” by various malware engines
  • More than 300 possibly connected domains, as they shared the IoCs’ IP addresses, 14 of which were believed to be malware hosts
  • Close to twenty additional domains that used the same strings as the IoCs with different top-level domain (TLD) extensions, one of which was deemed “malicious”

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What Reports Say

Publicly available reports revealed six web properties as IoCs—ovzl[.]jl9544519[.]pr46m[.]vps[.]myjino[.]ru, ovz1[.]9147167707[.]1xdez[.]vps[.]myjino[.]ru, myjino[.]ru, kolobkoproms[.]ug, m[.]ancard[.]ru, and reshenie2014[.]ru. We used these as the starting point for our in-depth investigation.

Analysis and Findings

Screenshot lookups for these pages showed that three of them continue to host live albeit inconspicuous content.

Note the similarity between their content, though. They all seem to be pointing to myjino[.]ru.

A bulk WHOIS lookup for the web properties identified as IoCs revealed that all of them were bulk-registered in the U.S. on 5 October 2011, with R01-RU as their registrar.

DNS lookups for the domains and subdomains showed that they resolved to 92 unique IP addresses, all geolocated in Russia and managed by Internet service provider (ISP) JSC RTComm.RU. Given that WHOIS and DNS data all point to Russia, could the perpetrators be based there?

According to malware checks on Threat Intelligence Platform (TIP), 4 of the IP address resolutions—195[.]161[.]62[.]100, 81[.]177[.]139[.]113, 81[.]177[.]141[.]241, and 81[.]177[.]135[.]89—were dubbed “malicious” by various malware engines.

To find more possibly connected artifacts, we used the IP addresses as reverse IP lookup search terms. That led to the discovery of 307 additional domains, 14 of which were tagged “malware hosts” based on a bulk TIP malware check.

We also looked for additional domains via Domains & Subdomains Discovery using the strings “myjino,” “kolobkoproms,” “ancard,” and “reshenie2014” as search terms. That uncovered 18 domains. We limited the domains to those with the exact terms but different TLD extensions. Of these, one—ancard[.]cn—was malicious.

How to Stay Safe from Rogue GitHub Repositories

While GitHub has been using stricter guidelines to avoid hosting malware since 2021, cyber attackers are always on the lookout for ways to bypass security measures. As an extra precaution, developers may want to subject their GitHub downloads to malware checks before using them on network-connected systems. Avoiding access to the web properties identified as malicious in this post may also be a worthy endeavor.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.
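
As an added example (not part of the original post or of WhoisXML API's tooling), the Python code below refangs the IoCs named in the sentences of this post and checks the destinations in a proxy or DNS log against them, matching subdomains only on label boundaries. The log format, the sample lines, and all function names are assumptions constructed for illustration.

```python
import ipaddress
# IoCs exactly as printed in this post's sentences (defanged with "[.]").
DEFANGED_IOCS = [
    "ovzl[.]jl9544519[.]pr46m[.]vps[.]myjino[.]ru",
    "ovz1[.]9147167707[.]1xdez[.]vps[.]myjino[.]ru",
    "myjino[.]ru", "kolobkoproms[.]ug", "m[.]ancard[.]ru", "reshenie2014[.]ru",
    "ancard[.]cn", "195[.]161[.]62[.]100", "81[.]177[.]139[.]113",
    "81[.]177[.]141[.]241", "81[.]177[.]135[.]89",
]

def refang(value):
    """Undo "[.]" defanging; normalise case and the trailing DNS root dot."""
    return value.strip().replace("[.]", ".").rstrip(".").lower()

def build_blocklist(defanged):
    """Split refanged IoCs into a set of domains and a set of IP addresses."""
    domains, ips = set(), set()
    for item in map(refang, defanged):
        try:
            ips.add(ipaddress.ip_address(item))
        except ValueError:  # not an IP literal, so treat it as a hostname
            domains.add(item)
    return domains, ips

def match(host, domains, ips):
    """Return the IoC that host hits, or None when it is not listed."""
    host = refang(host)
    try:
        addr = ipaddress.ip_address(host)
        return str(addr) if addr in ips else None
    except ValueError:
        labels = host.split(".")
    # Suffix match on label boundaries: files.myjino.ru hits, notmyjino.ru does not.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in domains:
            return ".".join(labels[i:])
    return None

# Constructed sample log, hypothetical format "<timestamp> <client> <destination>".
SAMPLE_LOG = """\
2024-01-01T10:00:03Z 10.0.0.7 files.myjino.ru
2024-01-01T10:00:09Z 10.0.0.7 notmyjino.ru
2024-01-01T10:00:12Z 10.0.0.9 81.177.141.241
2024-01-01T10:00:15Z 10.0.0.5 M.ANCARD.RU.
"""

def scan(log_text):
    """Return (client, destination, matched IoC) for every hit in the log."""
    domains, ips = build_blocklist(DEFANGED_IOCS)
    rows = (line.split() for line in log_text.splitlines() if line.strip())
    return [(c, d, m) for _, c, d in rows if (m := match(d, domains, ips))]
```

Because a parent-domain IoC such as myjino[.]ru also matches every host beneath it, review those hits before turning them into block rules.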

