At least half a dozen GitHub accounts belonging to fake researchers associated with a fraudulent cybersecurity firm have been observed pushing malicious repositories to the code hosting service.
All seven repositories, which are still available as of this writing, claim to be proof-of-concept (PoC) exploits for purported zero-day flaws in Discord, Google Chrome, and Microsoft Exchange.
VulnCheck, which discovered the activity, said: “The people who created this repository have gone to great lengths to make it look legit by creating a network of Twitter accounts and profiles, pretending to be part of a non-existent company called High Sierra CyberSecurity.”
The cybersecurity firm said it first became aware of the rogue repositories in early May, when they were observed pushing out similar PoC exploits for zero-day bugs in Signal and WhatsApp. Both of those repositories have since been taken down.
As well as sharing some of the purported findings on Twitter in an attempt to establish legitimacy, the network of accounts even used headshots of actual security researchers from companies like Rapid7, indicating that threat actors put significant effort into crafting campaigns.
“Attackers have gone to great lengths to create all these fake personas, only to deliver very obvious malware,” said VulnCheck researcher Jacob Baines. “It’s not clear whether they have succeeded, but given that they have continued to pursue this path of attack, it seems they believe they have been or will be successful.”
It is currently unknown whether this is the work of an amateur actor or an advanced persistent threat (APT). But security researchers have previously been targeted by North Korean nation-state groups, as disclosed by Google in January 2021.
If anything, the findings point to the need to be careful when downloading code from open source repositories. It’s also important for users to review code before executing it, to make sure it doesn’t pose any security risk.