18. July 2025
A Growing Concern: GitHub Malware Distribution Raises Alarms in Cybersecurity Community
The use of public code repositories like GitHub to distribute malicious software has become a growing concern for cybersecurity experts. Researchers at Cisco’s Talos security team have discovered a malware-as-a-service (MaaS) operator that leveraged GitHub accounts as a channel for spreading an assortment of malicious payloads to unsuspecting targets.
This tactic creates a challenging scenario for organizations whose employees rely on GitHub for their work: without proper filtering mechanisms, it may be difficult to differentiate legitimate downloads from malicious ones. According to Talos researchers Chris Neal and Craig Jackson, the MaaS operator used three compromised GitHub accounts to distribute the malicious payloads. GitHub removed these accounts after being notified by Talos.
However, this incident serves as a stark reminder of the potential risks associated with relying on public code repositories for sensitive operations. GitHub’s widespread adoption and ease of use make it an attractive platform for malicious actors to exploit. As an open-source platform, GitHub is already accessible to many users, both within and outside of enterprise environments.
Downloading files from a GitHub repository may bypass web filtering mechanisms that are not configured to block the GitHub domain. While some organizations can take steps to prevent this by blocking GitHub access in their environment, many enterprises with software development teams require access to GitHub for legitimate reasons, such as collaborative project work and open-source development. In these cases, a malicious GitHub download may be difficult to distinguish from regular web traffic.
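One defender-side way to act on the filtering gap described above, as an added example that is not from the article or from Talos: triage proxy logs for executable or archive downloads from GitHub-hosted domains whose repository owner is not on an allow-list of approved organizations, so that GitHub stays reachable for developers while unexpected binary downloads get surfaced for review. The log format, the `APPROVED_OWNERS` allow-list and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines: "<timestamp> <user> <method> <url> <status> <bytes>"
SAMPLE_LOG = """\
2025-07-18T09:01:12Z alice GET https://github.com/example-org/tooling/archive/refs/heads/main.zip 200 48211
2025-07-18T09:03:40Z bob GET https://raw.githubusercontent.com/unknown-user-1234/loader/main/setup.exe 200 903112
2025-07-18T09:05:02Z carol GET https://github.com/example-org/tooling/pull/42 200 15230
2025-07-18T09:07:55Z dave GET https://github.com/unknown-user-9876/tools/releases/download/v1/update.zip 200 1203311
"""

# Hosts that serve repository content, release assets and raw files.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "codeload.github.com", "objects.githubusercontent.com"}

# File types worth a second look when pulled from an unapproved repository.
BINARY_EXT = re.compile(r"\.(exe|dll|msi|zip|7z|rar|js|vbs|bat|ps1|scr|lnk)$", re.I)

# Hypothetical allow-list of GitHub owners (orgs/users) the business legitimately pulls from.
APPROVED_OWNERS = {"example-org"}


def owner_of(path):
    """First path segment is the repository owner on github.com, raw.* and codeload.*.
    On objects.githubusercontent.com the owner is not in the path, so it stays unknown
    and the download is treated as unapproved."""
    parts = [p for p in path.split("/") if p]
    return parts[0].lower() if parts else None


def flag_downloads(log_text, approved=APPROVED_OWNERS):
    """Return one finding per binary/archive download from a GitHub host
    whose repository owner is not on the approved allow-list."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than failing the whole run
        ts, user, _method, url, _status, size = fields
        u = urlparse(url)
        if u.hostname not in GITHUB_HOSTS or not BINARY_EXT.search(u.path):
            continue
        owner = owner_of(u.path)
        if owner in approved:
            continue
        findings.append({"ts": ts, "user": user, "owner": owner,
                         "url": url, "bytes": int(size)})
    return findings


if __name__ == "__main__":
    for f in flag_downloads(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} pulled {f['bytes']} bytes from owner {f['owner']!r}: {f['url']}")
```

Running the block on the constructed log reports the two downloads from unapproved owners and ignores the archive fetched from the approved organization and the pull-request page view.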
Talos researchers identified the same malware loader, Emmenhtal, in both the MaaS operation and a separate campaign documented by security firm Palo Alto Networks and Ukraine’s major state cyber agency SSSCIP. The GitHub-based campaign used an alternative loader variant, PeakLight, which is also tracked by Talos researchers. This highlights the adaptability of MaaS operators and their willingness to experiment with different malware loaders in pursuit of maximizing their malware’s reach.
The GitHub-based campaign also delivered a further malware platform, Amadey, which was first seen in 2018. Initially used to assemble botnets, Amadey has evolved into a more sophisticated platform capable of collecting system information from infected devices and downloading customized secondary payloads based on the individual characteristics of each device.
Amadey’s primary function is to gather system information, which can then be used to tailor follow-on payloads to each victim. This underlines the need for robust cybersecurity measures that can detect and respond to emerging threats like Amadey. Organizations whose employees rely on GitHub for their work should prioritize regular software updates, web filtering, and employee education to reduce the risk of falling victim to campaigns that exploit public code repositories like GitHub.
By staying informed about emerging threats like Amadey and leveraging the expertise of cybersecurity professionals, organizations can improve their defenses against malware distribution through public code repositories. The use of GitHub as a means to distribute malware has significant implications for the cybersecurity community, emphasizing the need for vigilance and proactive measures to mitigate these risks.