Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!

At the time of writing, all reported fake repositories have been taken down and the malicious PoC has been removed from GitHub.

The backdoor dropped in the scam had the ability to exfiltrate a wide range of data, including the hostname, username, and a comprehensive list of home directory contents.

Cybersecurity researchers have uncovered a deceptive trend within the security community—a proof of concept (PoC) repository on GitHub that appears to address vulnerabilities but actually contains a hidden backdoor. The discovery by the Uptycs threat research team has raised concerns among the security research community.

PoCs are typically used by researchers to identify potential vulnerabilities through harmless testing. However, this malicious PoC operates as a downloader, disguising its activities as a kernel-level process while silently executing a Linux bash script. 

The backdoor has the ability to exfiltrate a wide range of data, including the hostname, username, and a comprehensive list of home directory contents. Moreover, by adding their SSH key to the authorized_keys file, an attacker can achieve full control over a targeted system.

One of the fake profiles on GitHub that was used in spreading malicious PoCs (Image credit: Uptycs)

Here, Hackread.com can exclusively confirm that the image used in the above GitHub profile belongs to Shahriyar Hamid oghlu Mammadyarov, known internationally as Shakhriyar Mamedyarov, an Azerbaijani chess grandmaster. The profile image was taken from a blog post and a YouTube video published by the popular chess-related YouTube channel ChessBase India.

The backdoor was discovered during the testing of PoCs for various Common Vulnerabilities and Exposures (CVEs) when the Uptycs team encountered a PoC claiming to address the critical vulnerability CVE-2023-35829. However, they detected several unusual activities that raised suspicions about the PoC’s legitimacy.

The suspicious behaviours encompassed unexpected network connections, abnormal data transfers, and unauthorized attempts to access the system. Further investigation revealed the significance of the “aclocal.m4” file, which required additional analysis.

The primary function of the binary file contains an interesting string, “kworker,” which plays a crucial role in the deception. The code checks if the binary is named “kworker” and performs specific actions accordingly, establishing backdoor persistence through file manipulation.

In their report, Nischay Hegde and Siddartha Malladi of the Uptycs Threat Research team wrote that the PoC used forking to create a new process, obscuring the original command line parameters. The parent process then executes the “curl_func()” function, which downloads a URL containing a bash script. The script is executed if the curl request succeeds.

The fake PoC is a copy of a legitimate exploit for another Linux kernel vulnerability, CVE-2022-34918. It creates the illusion of being a root shell, exploiting differences in user namespaces to deceive users. However, the granted privileges are limited to the “/bin/bash” shell within a specific namespace.

Fake PoC (left) – Original PoC (right) – (Image credit: Uptycs)

Using Uptycs Extended Detection and Response (XDR), the binary’s behaviour was identified primarily as a downloader. It retrieves a script from a remote source and executes it on the compromised system. The downloaded script accesses the “/etc/passwd” file and modifies the “~/.ssh/authorized_keys” file to grant unauthorized access and exfiltrates data using a specific URL.

This incident is not isolated; just last month, it was reported that several fake accounts on GitHub and Twitter were spreading malware in malicious PoC that infected both Windows- and Linux-based systems.

At the time of writing, ChriSanders22’s repositories were taken down. Although the malicious PoC has also been removed from GitHub, it was widely shared, resulting in significant engagement before its true nature was exposed. Those who executed the PoC are at high risk of data compromise.

Therefore, it is crucial to take immediate action, including removing unauthorized SSH keys, deleting the “kworker” file, removing the kworker path from the “bashrc” file, and checking for potential threats in “/tmp/.iCE-unix.pid.”
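The two checks below are an added example written for this article, not code from Hackread.com or the Uptycs report. The first tells a genuine root shell apart from the namespace illusion described earlier by reading a uid_map file (on a live host, /proc/self/uid_map). The second walks the remediation list above against a home directory, a temp directory and an operator-maintained file of known SSH keys; the paths, the known-keys file and the sample keys in the comments are assumptions, not values from the report.

```shell
#!/bin/sh
# Added triage helpers (not from the article or the Uptycs report).
# Paths are parameters so the checks run against a live host or a test tree.

# is_fake_root_map UID_MAP_FILE
# Real root reads "0 0 4294967295" from /proc/self/uid_map. A shell that only
# looks like root inside a user namespace maps uid 0 onto an unprivileged host
# uid. Returns 0 (true) when the map is NOT full host root, 2 if unreadable.
is_fake_root_map() {
    inner=; outer=; range=
    [ -r "$1" ] || return 2
    read -r inner outer range < "$1" || [ -n "$inner" ] || return 2
    if [ "$inner" = 0 ] && [ "$outer" = 0 ] && [ "$range" = 4294967295 ]; then
        return 1   # genuine root
    fi
    return 0       # uid 0 is a namespace illusion
}

# audit_fake_poc_iocs HOME_DIR TMP_DIR KNOWN_KEYS_FILE
# Prints one line per indicator found and returns the number of findings.
# KNOWN_KEYS_FILE (assumed, operator-maintained) lists public keys you trust.
audit_fake_poc_iocs() {
    home="$1"; tmp="$2"; known="$3"; findings=0
    # 1. authorized_keys entries whose key blob is absent from the known list
    if [ -f "$home/.ssh/authorized_keys" ]; then
        while IFS= read -r line; do
            blob=$(printf '%s\n' "$line" | awk '{for(i=1;i<=NF;i++) if ($i ~ /^AAAA/) {print $i; exit}}')
            [ -n "$blob" ] || continue
            if ! grep -qF "$blob" "$known" 2>/dev/null; then
                echo "unknown SSH key: $(printf '%s' "$blob" | cut -c1-24)..."
                findings=$((findings + 1))
            fi
        done < "$home/.ssh/authorized_keys"
    fi
    # 2. the dropped "kworker" binary stored as a regular file in the home dir
    if [ -f "$home/kworker" ]; then
        echo "kworker file present: $home/kworker"; findings=$((findings + 1))
    fi
    # 3. kworker referenced from the bashrc file (persistence on login)
    if [ -f "$home/.bashrc" ] && grep -q kworker "$home/.bashrc"; then
        echo "kworker referenced in $home/.bashrc"; findings=$((findings + 1))
    fi
    # 4. pid file named to blend in with X11's /tmp/.ICE-unix directory
    if [ -e "$tmp/.iCE-unix.pid" ]; then
        echo "suspicious pid file: $tmp/.iCE-unix.pid"; findings=$((findings + 1))
    fi
    return "$findings"
}
```

Run it as `audit_fake_poc_iocs "$HOME" /tmp ~/known_keys.txt` on a suspect host; an exit status of 0 means none of the listed indicators was found.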

Malicious Repositories

  • https://github.com/apkc/CVE-2023-35829-poc
  • https://github.com/ChriSanders22/CVE-2023-20871-poc/
  • https://github.com/ChriSanders22/CVE-2023-35829-poc/ (archive link)

Differentiating between legitimate and malicious PoCs can be challenging, and security researchers are encouraged to adopt safe practices, such as testing in isolated environments like virtual machines, to protect against these evolving cybersecurity risks.
