Thousands of repositories on GitHub that offer phony proof-of-concept (PoC) exploits for different vulnerabilities, some of which include malware, were discovered by researchers from the Leiden Institute of Advanced Computer Science. Researchers upload proof-of-concept exploits on GitHub, one of the most popular sites for publishing source code, to assist the security community in evaluating solutions for vulnerabilities or determining the significance and breadth of a flaw.
In contrast to acquiring a PoC, the likelihood of malware infection might be as high as 10.3 percent, according to a technical report by researchers at the Leiden Institute of Advanced Computer Science, omitting known fakes and prankware. Using the following three approaches, the researchers examined slightly more than 47,300 repositories promoting an exploit for a vulnerability revealed between 2017 and 2021:
- IP address analysis: comparing the PoC’s publisher IP to public blocklists and VT and AbuseIPDB.
- Hexadecimal and Base64 analysis: decode obfuscated files before doing binary and IP checks.
- Binary analysis: conduct VirusTotal checks on the given executables and their hashes.
1,522 of the 150,734 extracted unique IP addresses were found malicious in antivirus scans on Virus Total, 2,864 matched blocklist entries, and 1,069 of them were found in the AbuseIPDB database. 2,164 malicious samples were found to be present in 1,398 repositories after a collection of 6,160 executables was evaluated using binary analysis. Out of the 47,313 repositories analyzed, 4,893 were found malicious, with the majority containing vulnerabilities from 2020. A limited group of repositories containing bogus Proof-of-Concept (PoC) malware is included in the report.
The researchers dug deeper into some of those cases and discovered various malware and hazardous scripts, from Cobalt Strike to remote access trojans. A PoC for CVE-2019-0708, also known as “BlueKeep,” which includes a base64-obfuscated Python script that downloads a VBScript from Pastebin, is one intriguing example. The program in question is the Houdini RAT, a vintage JavaScript-based trojan that allows for remote command execution using Windows CMD. In a further instance, the researchers found a bogus Proof-of-Concept (PoC) that was an info-stealer, gathering system information, IP address, and user agent.
Another researcher previously built this as a security experiment. Therefore, discovering it using the automated tool provided evidence for the researchers that their technique was successful. El Yadmani Soufian, one of the researchers and a security researcher at Darktrace, was nice enough to offer other samples that weren’t in the technical study, which include:
- A base64-encoded binary was found in PowerShell PoC marked as malicious by Virus Total.
- Python Proof-of-Concept with a single line decodes a payload marked as malicious on Virus Total.
- The false BlueKeep exploit contains an executable labeled as Cobalt Strike by most antiviruses.
- A malicious script concealed inside a phony Proof of Concept and has dormant components that might harm if its author so desires.
It would be a terrible idea to blindly trust a repository on GitHub from an untrusted source because the material is not vetted; instead, it is up to the users to check it out before employing it. The PoCs that software testers download should be thoroughly examined, and before executing them, as many checks should be performed.
According to Soufian, all testers should adhere to these three guidelines:
- Before running any code on your network or a customer’s network, read it thoroughly.
- Sandbox the code in a setting (for example, an isolated Virtual Machine) if it is excessively obfuscated and would take too long to examine manually. Then, scan your network for any strange activity.
- To examine binaries, use open-source intelligence tools like VirusTotal.
The researchers reported all of the malicious repositories that the researchers found to GitHub. However, it will take some time before they are all examined and taken down, so many of them are still accessible to the general public. As Soufian noted, their study seeks to function as a trigger for developing an automated solution that might be utilized to detect harmful instructions in the uploaded code rather than merely acting as a one-time cleaning activity on GitHub. The team aims to improve their detector as this is only the initial iteration of their study. Currently, more robust obfuscated code is missed by the detecting tool.
