Threat actors are increasingly abusing GitHub for malicious purposes


GitHub’s ubiquity in information technology (IT) environments has made it an attractive choice for threat actors to host and deliver malicious payloads and to serve as a dead drop resolver, command-and-control server and data exfiltration point.

“Using GitHub services for malicious infrastructure allows adversaries to interfere with legitimate network traffic, often bypassing traditional security measures and making tracking upstream infrastructure and actor attribution more difficult,” Recorded Future said in a report shared with The Hacker News.

The cybersecurity firm describes the approach as “living-off-trusted-sites” (LOTS), a variation on the living-off-the-land (LotL) techniques threat actors often employ to hide malicious activity and stay under the radar.

Prominent among the methods used to abuse GitHub is payload delivery, with some actors also using its features for command-and-control (C2) obfuscation. Last month, ReversingLabs detailed a number of rogue Python packages that relied on a secret gist hosted on GitHub to receive malicious commands on the compromised hosts.

While full-fledged C2 deployments on GitHub are uncommon compared with other infrastructure schemes, its use as a dead drop resolver (where the malware reads an actor-controlled GitHub repository to obtain the actual C2 URL) is much more common, as shown by malware families such as Drokbk and ShellBox.

Also rarely observed is the misuse of GitHub for data exfiltration, which Recorded Future says is likely due to file size and storage limitations and discoverability concerns.

Beyond these four main schemes, the platform’s offerings are used in several other ways to fulfil infrastructure-related purposes. For example, GitHub Pages has been used to host phishing pages or redirect traffic, and some campaigns use a GitHub repository as a backup C2 channel.

The development is in line with the broader trend of legitimate internet services such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello and Discord being exploited by threat actors. This also includes other source code and version control platforms such as GitLab, BitBucket and Codeberg.

“There is no one-size-fits-all solution for detecting GitHub abuse,” the company said. “A mix of detection strategies is needed, influenced by specific environments and factors such as log availability, organizational structure, service usage patterns and risk tolerance, among others.”
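As an added illustration of the dead drop resolver pattern described above and of the log-based detection the report alludes to, the following Python (an example written for this page, not code from Recorded Future, ReversingLabs or GitHub) flags hosts that poll the same raw GitHub content URL on a fixed schedule, which is how a resolver picks up a rotated C2 address. The proxy log layout, hostnames, user agents and URLs are all constructed for the example; the thresholds are assumptions to tune per environment.

```python
"""Detect dead-drop-resolver style polling of raw GitHub content in proxy logs.

Added example, not part of the Recorded Future report or any GitHub tooling.
Log format, hostnames and all sample lines below are constructed for the demo.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Assumed proxy log layout: <ISO timestamp> <source host> "<user agent>" <method> <url>
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')

# GitHub endpoints that serve raw file contents; a resolver fetches one of these
# and parses the real C2 address out of the response body.
RAW_CONTENT_HOSTS = {
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "objects.githubusercontent.com",
}

# Constructed sample lines. ws-117 polls one raw file every five minutes with a
# stale browser string; ws-042 shows ordinary developer traffic.
SAMPLE_LOG = """\
2024-01-11T09:00:00Z ws-042 "git/2.43.0" GET https://github.com/acme/app.git/info/refs
2024-01-11T09:00:05Z ws-042 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0" GET https://github.com/acme/app/pull/17
2024-01-11T09:01:00Z ws-117 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" GET https://raw.githubusercontent.com/user1234/notes/main/readme.txt
2024-01-11T09:06:00Z ws-117 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" GET https://raw.githubusercontent.com/user1234/notes/main/readme.txt
2024-01-11T09:11:00Z ws-117 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" GET https://raw.githubusercontent.com/user1234/notes/main/readme.txt
2024-01-11T09:16:00Z ws-117 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" GET https://raw.githubusercontent.com/user1234/notes/main/readme.txt
2024-01-11T09:30:00Z ws-042 "pip/23.3" GET https://raw.githubusercontent.com/psf/requests/main/requirements.txt
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, ua, method, url = m.groups()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "ua": ua,
            "method": method,
            "url": url,
        })
    return records


def find_dead_drop_candidates(records, min_hits=3, max_jitter=0.2):
    """Flag (host, url) pairs that poll a raw-content URL on a regular schedule.

    A dead drop resolver has to re-read the file to pick up a rotated C2
    address, so the tell is repetition with low timing jitter, not any single
    request. jitter = population stdev / mean of the inter-request gaps.
    """
    by_target = defaultdict(list)
    for r in records:
        if urlparse(r["url"]).netloc in RAW_CONTENT_HOSTS:
            by_target[(r["host"], r["url"])].append(r)

    findings = []
    for (host, url), hits in by_target.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings.append({
                "host": host,
                "url": url,
                "hits": len(hits),
                "mean_interval_s": mean_gap,
                "jitter": round(jitter, 3),
                "user_agents": sorted({r["ua"] for r in hits}),
            })
    return findings


if __name__ == "__main__":
    for f in find_dead_drop_candidates(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} polled {f['url']} {f['hits']}x every ~{f['mean_interval_s']:.0f}s "
              f"(jitter {f['jitter']}) as {f['user_agents']}")
```

The single pip request to a raw URL is not flagged, which is the point: one fetch of raw GitHub content is normal developer traffic, and only the repeated, evenly spaced re-reads from one host stand out. Per the report's own caveat, the thresholds and the user-agent context need tuning to the environment; CI runners that legitimately poll a repository on a timer will also match and need allow-listing.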
