New Trend in Using GitHub for Hacking

admin · 2023-12-20 10:25:52 · 15 views


Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages.



"Malware authors occasionally place their samples in services like Dropbox, Google Drive, OneDrive, and Discord to host second stage malware and sidestep detection tools," ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News.



"But lately, we have observed the increasing use of the GitHub open-source development platform for hosting malware."



Legitimate public services are known to be used by threat actors for hosting malware and acting as dead drop resolvers to fetch the actual command-and-control (C2) address.



While using public sources for C2 does not make them immune to takedowns, they do offer the benefit of allowing threat actors to easily create attack infrastructure that's both inexpensive and reliable.



This technique is sneaky as it allows threat actors to blend their malicious network traffic with genuine communications within a compromised network, making it challenging to detect and respond to threats in an effective manner. As a result, an infected endpoint communicating with a GitHub repository is less likely to be flagged as suspicious.



The abuse of GitHub gists points to an evolution of this trend. Gists, which are nothing but repositories themselves, offer an easy way for developers to share code snippets with others.



It's worth noting at this stage that public gists show up in GitHub's Discover feed, while secret gists, although not accessible via Discover, can still be shared with others by passing along their URL.



"However, if someone you don't know discovers the URL, they'll also be able to see your gist," GitHub notes in its documentation. "If you need to keep your code away from prying eyes, you may want to create a private repository instead."



Another interesting aspect of secret gists is that they are not displayed on the author's GitHub profile page, enabling threat actors to use them as a kind of pastebin service.



ReversingLabs said it identified several PyPI packages – namely, httprequesthub, pyhttpproxifier, libsock, libproxy, and libsocks5 – that masqueraded as libraries for handling network proxying, but contained a Base64-encoded URL pointing to a secret gist hosted in a throwaway GitHub account without any public-facing projects.



The gist, for its part, features Base64-encoded commands that are parsed and executed in a new process through malicious code present in the setup.py file of the counterfeit packages.



The use of secret gists to deliver malicious commands to compromised hosts was previously highlighted by Trend Micro in 2019 as part of a campaign distributing a backdoor called SLUB (short for SLack and githUB).



A second technique observed by the software supply chain security firm entails the exploitation of version control system features, relying on git commit messages to extract commands for execution on the system.



The PyPI package, named easyhttprequest, incorporates malicious code that "clones a specific git repository from GitHub and checks if the 'head' commit of this repository contains a commit message that starts with a specific string," Zanki said.



"If it does, it strips that magic string and decodes the rest of the Base64-encoded commit message, executing it as a Python command in a new process." The GitHub repository that gets cloned is a fork of a seemingly legitimate PySocks project, and it does not have any malicious git commit messages.

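The two delivery channels described above (a Base64-encoded gist URL hidden in a package's setup.py, and a Base64-encoded command carried in a git commit message) leave artifacts that a package reviewer can look for without running the code. The following is an added example written for this page, not code from ReversingLabs or from the packages named in the article: it scans package source text for Base64 tokens that decode to URLs and flags gist hosts, and it parses `git log --format='%H %s'` output to flag commit subjects that carry a Base64 blob. The dead-drop host list, the sample setup.py, the sample git log and the `[sync]` prefix standing in for the campaign's unknown magic string are all constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Hosts treated as dead-drop candidates in this check; the set is an assumption
# for this example, not a list taken from the ReversingLabs report.
DEAD_DROP_HOSTS = {"gist.github.com", "gist.githubusercontent.com"}

# A run of the Base64 alphabet long enough to carry a URL or a command, plus optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_b64_text(token):
    """Decoded text if `token` is strict Base64 for printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


# --- Check 1: Base64-encoded URLs hidden in package source (setup.py and friends) ---

def find_encoded_urls(source):
    """(token, url, is_dead_drop) for each Base64 token in `source` that decodes to an http(s) URL."""
    findings = []
    for match in B64_TOKEN.finditer(source):
        text = decode_b64_text(match.group(0))
        if text is None:
            continue
        parsed = urlparse(text)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            findings.append((match.group(0), text, parsed.hostname in DEAD_DROP_HOSTS))
    return findings


# --- Check 2: Base64 payloads carried in git commit subjects ---

def parse_git_log(log_text):
    """Parse `git log --format='%H %s'` output into (sha, subject) pairs, newest first."""
    commits = []
    for line in log_text.splitlines():
        sha, _, subject = line.strip().partition(" ")
        if re.fullmatch(r"[0-9a-f]{7,40}", sha):
            commits.append((sha, subject))
    return commits


def find_encoded_subjects(commits):
    """Commits whose subject carries a Base64 blob that decodes to printable text.
    `prefix` is whatever precedes the blob, i.e. the slot where a magic string would sit."""
    hits = []
    for sha, subject in commits:
        for match in B64_TOKEN.finditer(subject):
            decoded = decode_b64_text(match.group(0))
            if decoded is not None:
                hits.append({"sha": sha, "prefix": subject[:match.start()], "decoded": decoded})
                break
    return hits


def head_is_suspicious(commits):
    """True when the newest (HEAD) commit is one of the flagged ones."""
    return bool(commits) and any(h["sha"] == commits[0][0] for h in find_encoded_subjects(commits))


# --- Constructed sample inputs (not the real packages or repository from the article) ---
SAMPLE_GIST_URL = "https://gist.githubusercontent.com/example-user/0000000000000000/raw/commands.txt"
SAMPLE_BENIGN_URL = "https://pypi.org/simple/"
_gist_token = base64.b64encode(SAMPLE_GIST_URL.encode()).decode()
_benign_token = base64.b64encode(SAMPLE_BENIGN_URL.encode()).decode()
_blob_token = base64.b64encode(b"constructed-benign-config-blob-value").decode()
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    f'INDEX_URL = "{_benign_token}"  # decodes to an ordinary index URL\n'
    f'CONFIG = "{_blob_token}"  # decodes to text, but not to a URL\n'
    f'TARGET = "{_gist_token}"  # decodes to a secret-gist raw URL\n'
    'setup(name="example-proxy-lib", version="0.0.1")\n'
)

SAMPLE_PAYLOAD = "print('constructed sample, not a real payload')"
_payload_token = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_GIT_LOG = "\n".join([
    "a" * 40 + " [sync] " + _payload_token,  # '[sync]' stands in for an unknown magic prefix
    "b" * 40 + " Fix handling of IPv6 addresses in proxy connect",
    "c" * 40 + " Bump version to 1.7.1",
])

if __name__ == "__main__":
    for _, url, flagged in find_encoded_urls(SAMPLE_SETUP_PY):
        print(("DEAD-DROP " if flagged else "url       ") + url)
    commits = parse_git_log(SAMPLE_GIT_LOG)
    for hit in find_encoded_subjects(commits):
        print(f"{hit['sha'][:12]} prefix={hit['prefix']!r} decoded={hit['decoded']!r}")
    print("HEAD suspicious:", head_is_suspicious(commits))
```

To apply the second check to a real dependency, clone it and feed `git log --format='%H %s' -n 50` to `parse_git_log`; a hit on HEAD with a short fixed prefix is exactly the shape the article describes, since a legitimate project's subject lines are prose, not long Base64 runs. Both checks are heuristics: a long Base64 run that decodes to printable text is a signal to read the surrounding code, not proof of malice on its own.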


All the fraudulent packages have now been taken down from the Python Package Index (PyPI) repository.



"Using GitHub as C2 infrastructure isn't new on its own, but abuse of features like Git Gists and commit messages for command delivery are novel approaches used by malicious actors," Zanki said.


Originally published on the WeChat public account 知机安全: New Trend in Using GitHub for Hacking

Published by admin on 2023-12-20 10:25:52.
When reposting, please keep this link (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/2319522.html
