GitHub attacked by state-sponsored hackers
Cyber criminals possibly linked with the Democratic People’s Republic of Korea (DPRK) have been found using GitHub as a C2 infrastructure in multi-stage campaigns attacking organizations in South Korea.
The operation chain involves hidden Windows shortcut (LNK) files that work as a beginning point to deploy a fake PDF document and a PowerShell script that triggers another attack. Experts believe that these LNK files are circulated through phishing emails.
Payload execution
Once the payloads are downloaded, the victim is shown as the PDF document, while the harmful PowerShell script operates covertly in the background.
The PowerShell script does checks to avoid analysis by looking for running processes associated with machines, forensic tools, and debuggers.
Successful exploit scenario
If successful, it retrieves a Visual Basic Script (VBScript) and builds persistence through a scheduled task that activates the PowerShell payload every 30 minutes in a covert window to escape security.
This allows the PowerShell script to deploy automatically after every system reboot. “Unlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the ROKRAT payload,” S2W reported.
The PowerShell script then classifies the attacked host, saves the response to a log file, and extracts it to a GitHub repository made under the account “motoralis” via a hard-coded access token. Few of the GitHub accounts made as part of the campaign consist of “Pigresy80,” “pandora0009”, “brandonleeodd93-blip” and “God0808RAMA.”
After this, the script parses a particular file in the same GitHub repository to get more instructions or modules, therefore letting the threat actor to exploit the trust built with a platform such as GitHub to gain trust and build persistence over the compromised host.
Campaign history
According to Fortnet, LNK files were used in previous campaign iterations to propagate malware families such as Xeno RAT. Notably, last year, ENKI and Trellix demonstrated the usage of GitHub C2 to distribute Xeno RAT and its version MoonPeak.
Kimsuky, a North Korean state-sponsored organization, was blamed for these assaults. Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence. By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate,” said researcher Cara Lin.
Read the original article: