
Threat campaign fooling developers in GitHub repos


A threat campaign has been targeting software developers through GitHub repos that, at first glance, look completely legitimate.

Security researchers from ReversingLabs found over 60 GitHub repos containing what appeared to be ordinary hacking tools written in Python. But, look a bit closer – or rather, scroll a bit further right – and you’d find these repos were actually hiding hundreds of malicious files designed to pilfer sensitive data from developers who were none the wiser.

What makes this discovery worrying is how it represents a shift in tactics. While cybercriminals have flooded open-source repos like npm and PyPI with dodgy packages, they’re now crafting far more subtle attacks that leverage platforms developers often inherently trust.

The return of Banana Squad

If you’ve been following cybersecurity news, you might remember a group called ‘Banana Squad’ that Checkmarx researchers spotted back in October 2023. They got their rather quirky name from one of their earliest malicious domains: bananasquad[.]ru.

These chaps have been busy. Their initial campaign kicked off in April 2023, when they deployed hundreds of malicious packages using various usernames. Those packages racked up nearly 75,000 downloads before security teams cottoned on and removed them.

Now they’re back with a more sophisticated approach. Rather than dumping obviously malicious packages into repos, they’re creating GitHub repos that perfectly mimic legitimate tools – same name, similar descriptions – but with a nasty surprise buried in the code.

Hiding in plain sight (just far to the right)

The technique they’ve employed is simple yet effective. Ever notice how GitHub’s interface doesn’t wrap long lines of code? Banana Squad did.

The attackers inserted a long string of spaces before their malicious code, pushing it so far to the right that it’s out of view—even if you’re working on a massive monitor. Unless you’re specifically scrolling horizontally through each line of code (and who does that?), you’d never spot it.

This trick was first noticed last November by researchers at SANS’s Internet Storm Center who looked at a single repository connected to dieserbenni[.]ru. ReversingLabs took that thread and pulled, eventually unravelling a much larger operation involving 67 repos all using the same technique.

Clever detective work

The ReversingLabs team employed some proper investigative techniques to uncover the full scope of the campaign. They worked backwards from suspicious URLs found in their threat intelligence data, noting that query strings often contained repository names.

Since a suspicious name alone wasn’t enough to determine which repos were malicious – after all, the whole point was that they shared names with legitimate projects – researchers gathered all repos with matching names and put them under the microscope using their Spectra Intelligence platform.

Most of the dodgy repos were the only repository listed under their GitHub account, a dead giveaway that the accounts had been created solely to host malicious code. Each repository was essentially a wolf in sheep’s clothing, using identical names to legitimate projects to appear trustworthy.

The ‘About’ sections were packed with relevant search terms and eye-catching emojis (usually flames or rocket ships), along with a peculiar dynamically-generated string at the end. The same generated strings appeared at the end of README files and within the trojanised Python code files, almost like a signature.

Further layers of trickery

If you thought the horizontal scrolling trick was clever, the encoding techniques used in the malicious Python files take things to another level. The attackers employed multiple layers of obfuscation – Base64, Hex text, and Fernet encryption – making it difficult for casual observers to understand what the code does.
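As an added illustration of how a defender could catch the padding trick described above, and flag the encoding layers mentioned in this section, here is a small scanner (example code, not from the article or from ReversingLabs). It reports every line whose content resumes after an abnormally long run of whitespace and notes which obfuscation markers appear in the hidden tail; the 100-space threshold, the marker list and the sample file are all assumptions constructed for the example.

```python
import re
from typing import List

# Assumed thresholds and markers for this example (not values from the article):
# a run of this many spaces/tabs followed by more code is treated as padding meant
# to push content off-screen, and these substrings hint at the Base64, hex and
# Fernet layering the article describes (a long run inside a string literal can
# also trigger a finding, so every hit still needs a human look at the preview).
MIN_PAD_RUN = 100
OBFUSCATION_MARKERS = ("exec(", "eval(", "b64decode", "fromhex", "Fernet", "__import__")

def find_hidden_code(source: str, min_pad: int = MIN_PAD_RUN) -> List[dict]:
    """Return one finding per line whose non-whitespace content resumes after an
    abnormally long whitespace run, whether that run is leading or mid-line."""
    pad_re = re.compile(r"[ \t]{%d,}(?=\S)" % min_pad)
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = pad_re.search(line)
        if m is None:
            continue
        tail = line[m.end():]
        findings.append({
            "line": lineno,
            "column": m.end() + 1,                  # 1-based column where hidden text starts
            "pad_length": m.end() - m.start(),
            "markers": [k for k in OBFUSCATION_MARKERS if k in tail],
            "preview": tail[:60],                   # what a reviewer should look at
        })
    return findings

def scan_file(path: str) -> List[dict]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hidden_code(fh.read())

# Constructed sample: a harmless-looking helper with a statement appended after
# 300 spaces, so it begins far beyond any normal viewport (placeholder payload).
SAMPLE_FILE = (
    "import requests\n"
    "\n"
    "def check(host):\n"
    "    url = host.rstrip('/')" + " " * 300
    + ";exec(__import__('base64').b64decode(b'<BASE64 PLACEHOLDER>'))\n"
    "    return requests.get(url, timeout=5).status_code\n"
)

if __name__ == "__main__":
    for f in find_hidden_code(SAMPLE_FILE):
        print(f"line {f['line']} col {f['column']} pad={f['pad_length']} markers={f['markers']}")
```

Run it over a freshly cloned repo with `scan_file` on each `.py` file before executing anything from it; a hit with a three-digit padding length and an `exec(`/`b64decode` marker is exactly the pattern described in this article.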

When executed, the malware would call home to command and control servers primarily hosted at dieserbenni[.]ru. In June, ReversingLabs spotted a new campaign emerging that uses 1312services[.]ru – similar to another previously identified domain, 1312stealer[.]ru.

After ReversingLabs reported their findings, GitHub acted swiftly, removing all 67 identified repos over a weekend. That’s the good news.

The bad news? No-one quite knows how many times these repos might have been cloned or used by unwitting developers before they were taken down. Given the scale (67 repos containing hundreds of malicious files), it’s almost certain there are victims out there who haven’t yet realised they’ve been compromised.

For the average developer who relies on GitHub and other open-source platforms, this attack represents a particularly nasty threat. After all, checking and using code from public repos is standard practice in modern development.

The best advice? Always check that the repository you’re using contains what you expect, and whenever possible, compare it to a known good version.

With GitHub serving as the go-to resource for millions of developers worldwide, the potential impact of such crafted attacks could be enormous if malicious code finds its way into mainstream development pipelines.
