According to GitHub’s security team, they received a message on March 9 from a security researcher about a set of GitHub-hosted repositories that were actively serving malware. And after a thorough analysis of the malware, they uncovered something that have not been seen before on its platform; a malware designed to enumerate and backdoor NetBeans projects.
The malware dubbed Octopus Scanner uses the build process and its resulting artifacts to spread itself, with about 26 open source projects already backdoored by this malware and were actively serving backdoored code.
Octopus Scanner Malware mode of operation
Octopus Scanner malware disguises itself as an ocs.txt file, but actually, it is a Java Archive (JAR) file. And it is fully capable of identifying NetBeans project files and embedding malicious payload in the project files and build JAR files. The description of the Octopus Scanner operation is as follows:
- Enumeration of Projects in the NetBeans directory
- Identification of GitHub user's NetBeans directory
- Modification of the nbproject/build-impl.xml file to make the malicious payload executable every time NetBeans project is build
- Affects the newly built JAR file, once the malicious payload is an instance of the Octopus Scanner itself
- Copy the malicious payload cache.dat to nbproject/cache.dat
Albeit, the malware C2 servers don't seem to be active at the time of the analysis, but the affected repositories still posed a risk to GitHub users which could potentially clone and build the projects. The diagram below shows the different parts of the malware:
Though the researchers could only access just a sample of Octopus Scanner malware (the build infecter), on reviewing the infected repositories, they discovered four different versions of the infected NetBeans projects and all but one, a downstream system, would be infected by either building from an already infected repository or using any of the artifacts that resulted from an infected build.
What's GitHub’s Security Incident Response Team (SIRT) Response?
Octopus Scanner is a multi-platform malware, meaning that it can run on Windows, macOS, and Linux and effectively able to download a remote access trojan (RAT). While the goal of the attack is to deliver the RAT on the machine of the developers working on projects to steal their personal and sensitive information.
But unlike other abuse cases on the GitHub platform, the owners of repository were most likely unaware of the malicious activity.
Therefore, blocking or banning the repository owners was not an option for the GitHub’s Security Incident Response Team (SIRT). GitHub Security Lab is conducting further investigation into the malware to figure out how to properly remove it from the infected repositories, without shutting down the accounts.
No comments