Using Legitimate GitHub URLs for Malware

2 weeks ago AndyC

Using Legitimate GitHub URLs for Malware
Interesting social-engineering attack vector:

McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the “C++ Library Manager fo

Using Legitimate GitHub URLs for Malware

Interesting social-engineering attack vector:

McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the “C++ Library Manager for Windows, Linux, and MacOS,” known as vcpkg.

The attacker is exploiting a property of GitHub: comments to a particular repo can contain files, and those files will be associated with the project in the URL.

What this means is that someone can upload malware and “attach” it to a legitimate and trusted project.

As the file’s URL contains the name of the repository the comment was created in, and as almost every software company uses GitHub, this flaw can allow threat actors to develop extraordinarily crafty and trustworthy lures.

For example, a threat actor could upload a malware executable in NVIDIA’s driver installer repo that pretends to be a new driver fixing issues in a popular game. Or a threat actor could upload a file in a comment to the Google Chromium source code and pretend it’s a new test version of the web browser.

These URLs would also appear to belong to the company’s repositories, making them far more trustworthy.

Tags: , ,

Sidebar photo of Bruce Schneier by Joe MacInnis.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , ,

More Stories

Blackbasta gang Synlab Italia attack

Blackbasta gang Synlab Italia attack

1 hour ago AndyC
LockBit published data stolen from Simone Veil hospital in Cannes

LockBit published data stolen from Simone Veil hospital in Cannes

19 hours ago AndyC

Friday Squid Blogging: Squid Purses

19 hours ago AndyC
Russia-linked APT28 and crooks are still using the Moobot botnet

Russia-linked APT28 and crooks are still using the Moobot botnet

1 day ago AndyC

My TED Talks – Schneier on Security

1 day ago AndyC
Dirty stream attack poses billions of Android installs at risk

Dirty stream attack poses billions of Android installs at risk

1 day ago AndyC

You may have missed

Blackbasta gang Synlab Italia attack

Blackbasta gang Synlab Italia attack

1 hour ago AndyC
Microsoft Outlook Flaw Exploited by Russia's APT28 to Hack Czech, German Entities

Microsoft Outlook Flaw Exploited by Russia’s APT28 to Hack Czech, German Entities

7 hours ago AndyC
Your Google Account allows you to create passkeys on your phone, computer and security keys

Your Google Account allows you to create passkeys on your phone, computer and security keys

7 hours ago AndyC
Your Google Account allows you to create passkeys on your phone, computer and security keys

Detecting browser data theft using Windows Event Logs

7 hours ago AndyC
Your Google Account allows you to create passkeys on your phone, computer and security keys

How we fought bad apps and bad actors in 2023

7 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.