
Cybercriminals are spreading malware through URLs that appear to point at official Microsoft repositories but are in fact posted in the comments of GitHub projects. The distribution method is both hard to spot and persistent.

According to research, cybercriminals are actively spreading malware through URLs posted in the comment sections of GitHub projects. The URLs give the impression of pointing at legitimate Microsoft repositories, but nothing could be further from the truth: on closer inspection, the linked files have no relationship to the source code of those projects.

McAfee recently warned that a new Lua-based loader for the Redline Stealer trojan is being spread through links that pose as files from legitimate Microsoft repositories: the “C++ Library Manager for Windows, Linux and MacOS,” better known as “vcpkg,” and the STL library.

Distribution via comments

The files turned out not to be part of vcpkg at all, but to come from comments on commits or issues in the project. GitHub lets users attach files, such as archives or documents, to a comment; the attachment is uploaded to GitHub’s CDN and becomes reachable through a unique URL that carries the project’s name in its path.

Such a URL therefore leads not to a contribution to the project but to the attached malware. Moreover, the URL stays active even after the comment has been deleted, which makes the malware’s availability persistent.
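How to tell such a link from a file that actually lives in the repository, as an added example (not code from the article, from McAfee or from GitHub): the script below classifies github.com download links by their path layout and flags comment attachments that borrow a trusted organisation’s name. It assumes the attachment URL format `https://github.com/<owner>/<repo>/files/<numeric id>/<filename>` that GitHub used for files dropped into issue and commit comments; the message it scans and the attachment id in it are constructed samples.

```python
"""Classify github.com download links: repository content vs. comment attachments.

Added example, not from the article, McAfee or GitHub. Assumed layout of a
comment attachment URL: github.com/<owner>/<repo>/files/<numeric id>/<filename>.
The <owner>/<repo> prefix is borrowed from the project the comment was posted
on, so the link looks like project content although nothing was committed.
"""
import re
from urllib.parse import urlparse, unquote

# Comment attachment: served from GitHub's CDN, not from the repository tree.
ATTACHMENT_RE = re.compile(
    r"^/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)/files/(?P<id>\d+)/(?P<name>.+)$"
)
# Paths that are backed by the repository's git objects or its releases.
CONTENT_RE = re.compile(
    r"^/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)/(?:blob|raw|tree|releases/download)/"
)
URL_RE = re.compile(r"https?://[^\s<>\"'\)\]]+")


def classify_github_url(url):
    """Describe what a github.com / raw.githubusercontent.com URL points at."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    path = unquote(parsed.path)
    if host == "raw.githubusercontent.com":
        parts = path.strip("/").split("/", 2)
        if len(parts) == 3:
            return {"kind": "repo_content", "owner": parts[0], "repo": parts[1]}
        return {"kind": "other", "owner": None, "repo": None}
    if host not in ("github.com", "www.github.com"):
        return {"kind": "not_github", "owner": None, "repo": None}
    m = ATTACHMENT_RE.match(path)
    if m:
        return {
            "kind": "comment_attachment",
            "owner": m["owner"],
            "repo": m["repo"],
            "attachment_id": int(m["id"]),
            "filename": m["name"],
        }
    m = CONTENT_RE.match(path)
    if m:
        return {"kind": "repo_content", "owner": m["owner"], "repo": m["repo"]}
    return {"kind": "other", "owner": None, "repo": None}


def find_attachment_lures(text, trusted_owners):
    """Scan free text (ticket, e-mail, chat) for comment-attachment URLs that
    carry a trusted owner's name. These are the links the article describes:
    they show e.g. microsoft/vcpkg in the path but were never part of that
    repository, and they keep working after the comment is deleted."""
    trusted = {o.lower() for o in trusted_owners}
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:")  # drop sentence punctuation glued to the link
        info = classify_github_url(url)
        if info["kind"] == "comment_attachment" and info["owner"].lower() in trusted:
            findings.append({"url": url, **info})
    return findings


# Constructed sample message (not a real post); the attachment id is made up.
SAMPLE_MESSAGE = """Grab the patched build here:
https://github.com/microsoft/vcpkg/files/123456/installer.zip.
The source is unchanged, see https://github.com/microsoft/vcpkg/blob/master/README.md
and the release at https://github.com/microsoft/vcpkg/releases/download/2024.01.01/vcpkg.exe
"""

if __name__ == "__main__":
    for hit in find_attachment_lures(SAMPLE_MESSAGE, ["microsoft"]):
        print(f"comment attachment posing as {hit['owner']}/{hit['repo']}: "
              f"{hit['filename']} (id {hit['attachment_id']})")
```

The check is deliberately offline: it does not ask GitHub whether the file exists, because the whole point of the abuse is that the file does exist and downloads fine. What it does is separate links backed by the repository’s git objects or releases from links that merely carry the repository’s name, which is the distinction a proxy rule or a ticket triage script needs.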

Spreading method very dangerous

This distribution method lets cybercriminals craft exceptionally convincing URLs that carry the name of a trusted organisation and project. Because it can be applied to practically any public GitHub repository that accepts comments, the technique is extremely dangerous.

Further research shows that cybercriminals have abused this GitHub distribution method for some time. The first signs, not only of the malware found now but of other variants as well, date back to early March of this year.

Taking comments offline

GitHub users can protect their projects against this form of abuse by, for example, temporarily disabling comments on a repository. GitHub only allows this for at most six months at a time, after which the restriction has to be applied again. The measure is also far from ideal, because it prevents users from reporting bugs or passing on suggestions.

GitHub has since removed the URLs posing as Microsoft repositories from its platform. URLs linking to other malware variants were still available.

Also read: xz-Utils available again on GitHub, creator investigates backdoor