
GitGot: GitHub leveraged to store stolen data

ReversingLabs researchers found two suspicious npm packages that demonstrate how GitHub is increasingly being used by cybercriminals to easily deploy malware in novel ways.

Lucija Valentić, Software Threat Researcher, ReversingLabs


ReversingLabs researchers have discovered two malicious packages on the npm open source package manager that leverage GitHub to store Base64-encoded SSH keys stolen from the developer systems that installed them.

Multiple versions of the malicious npm packages, warbeast2000 and kodiak2k, were identified in January and have since been removed from npm. However, the campaign is just the latest example of cybercriminals and other malicious actors using open source package managers and related infrastructure to support software supply chain campaigns that target development organizations and the end-user organizations that depend on them.

Discussion: Malicious packages target developer SSH keys

In recent years, open source package managers and code repositories have become ground zero for malicious campaigns. As noted in ReversingLabs' new report, The State of Software Supply Chain Security 2024, the number of malicious packages found on open source package managers jumped 1,300% between 2020 and the end of 2023. That includes everything from low-threat protestware and automated phishing campaigns to more subtle malicious campaigns delivering malware, like the r77 rootkit, directly from open source packages.

Packages on npm grab private keys

In recent weeks, ReversingLabs researchers discovered two suspicious npm packages named warbeast2000 and kodiak2k. Here’s what the research team knows about each.

warbeast2000

On January 3, ReversingLabs researchers using the company's Software Supply Chain Security platform identified a package, warbeast2000, that was suspicious and appeared to be malicious. The package itself was not very complicated and contained just a few components. The corresponding npm page for warbeast2000 was basic and did not obviously mimic another package.

Furthermore, at the time it was discovered, warbeast2000 was still under development. There were eight versions (1.0.0 - 1.0.8), with new elements added to the package in each new version. Malicious functionality was only observed in the last version posted.

It appears that the package author was in the process of building out the malware and adding layers of deception. Fortunately, the package was detected and removed from npm before that work could be completed.

Figure 1: Postinstall script

What did warbeast2000 do? Based on our analysis of the final version of the package, once it was installed on a victim's computer it would launch a postinstall script that fetched and executed a JavaScript file. This second-stage malicious script read the private SSH key stored in the id_rsa file in the <homedir>/.ssh directory, then uploaded the Base64-encoded key to an attacker-controlled GitHub repository. And that was it: besides grabbing and copying the id_rsa SSH key, the package displayed no other behaviors.

The choice of the id_rsa key was a natural one: id_rsa is the default file name given to SSH keys generated by the ssh-keygen program, a standard component of the SSH package on Linux and macOS systems as well as of Git for Windows.

Figure 2: Malicious second stage from warbeast2000

As noted, the warbeast2000 package was probably still under development when it was detected, meaning that what was observed may not be the fully conceived package. It is possible, for example, that the entire contents of the .ssh folder would be sent to a GitHub repository owned by a malicious actor. 

The warbeast2000 package was reported to npm administrators and removed on or around January 3. 

Kodiak2k

Shortly after the discovery of the warbeast2000 package, on January 5, the ReversingLabs Software Supply Chain Security platform identified another npm package with very similar behavior: kodiak2k. Unlike warbeast2000, kodiak2k had more than 30 different versions and, apart from the first few, all of them were malicious.

Similar to warbeast2000, kodiak2k runs a postinstall script after the package is installed. That script downloads another JavaScript file and executes it. As with warbeast2000, that script reads the contents of the <homedir>/.ssh directory, though in this case it is looking for a key named meow. It is not clear whether the developer had a specific key in mind or (more likely) used meow as a placeholder name while the package was under development.

Whatever the case, when and if the meow file was located, the key contained in it would be encoded in Base64 and uploaded to a GitHub repository, as with the warbeast2000 package.

Later versions of the kodiak2k package also executed a script found in an archived GitHub project containing the Empire post-exploitation framework. The script also invokes the Mimikatz hacking tool, which is commonly used to dump credentials from process memory. There was more activity as well, across different versions, with additional functions that weren't necessarily malicious. For example, the team observed functions for running notepad.exe, shutdown.exe and a locally deployed executable named cryptor.exe. The purpose of these functions wasn't clear, though it is possible that the malicious actor responsible for creating the kodiak2k package was in the process of testing different malicious functions for future integration into kodiak2k.

The kodiak2k package was reported to npm administrators and removed on or around January 5.

Figure 3: Malicious second stage from kodiak2k

Keys to the kingdom

Malicious actors targeting developers' SSH keys is an alarming development. SSH keys give those who hold them the ability to access and contribute to GitHub repositories, including those containing proprietary (non-public) code. As attacks like those on SolarWinds and 3CX show, that level of access can have a serious, negative impact on the security of the software producer as well as on the end-user organizations that deploy and use the affected software, fueling devastating software supply chain attacks.

Limited scope

Fortunately, the reach of this campaign was limited. ReversingLabs observed different accounts publishing warbeast2000 and kodiak2k on npm. The warbeast2000 package was downloaded a little less than 400 times, whereas kodiak2k was downloaded around 950 times.

Abusing GitHub is going viral

One of the recent trends ReversingLabs and other security firms have noted is how attackers are expanding their reliance on open source software and open source development infrastructure to further malicious campaigns. That trend includes the growing use of the GitHub version control platform to host elements of malicious command and control infrastructure. 

For example, two years ago, we wrote about the discovery of a malicious npm package masquerading as the Material Tailwind CSS tool that used GitHub to fetch the address of a malicious command and control (C2) server. Then, in a blog post published in August 2023, the research team at ReversingLabs wrote about LunaGraber, an open source information-stealing malware available on GitHub. There was the IAmReboot campaign that the ReversingLabs research team wrote about in October, which described the distribution of malicious NuGet downloaders as well as an obfuscated version of the SeroXen RAT hosted on a GitHub repository. Finally, in December, Karlo Zanki wrote about the discovery of PyPI packages that were using GitHub Gists for hosting two-stage malicious payloads.

These findings align with those of other security organizations. The threat intelligence firm Recorded Future, for example, recently published a report (PDF) that found GitHub was the online service that was the most abused by malicious actors. That abuse includes a range of malicious activity, from payload delivery to command-and-control (C2) and data exfiltration (as ReversingLabs has also observed). Recorded Future termed this behavior "living-off-trusted-sites" (LOTS), and said it is "expected to grow with [advanced persistent threats (APT)s'] increasing usage and less-sophisticated groups swiftly following suit."

Apart from abusing features of platforms like GitHub, there are also concerns that malicious actors might leverage flaws and vulnerabilities in those platforms to further attacks. For example, GitHub recently disclosed a serious vulnerability in the GitHub Enterprise Server (GHES) that potentially exposed sensitive credentials. The vulnerability, CVE-2024-0200, was reported to the company as part of its bug bounty program. It does not appear to have been found or exploited previously. However, SC Magazine reported that the company said it rotates credentials any time they are exposed to a third party.

Conclusion

Fortunately, these malicious packages were detected and reported to npm administrators before they could be widely distributed. That being said, the warbeast2000 and kodiak2k packages are more evidence that legitimate platforms such as GitHub are being used to support supply chain attacks. 

That is a concern. With more and more open source malware available, GitHub is increasingly being used by malicious actors to support their campaigns. Often, these open source malware packages are feature rich and come with very detailed documentation allowing even low-skilled hackers (“script kiddies”) to deploy them.

These latest npm campaigns show how malicious actors are starting to use the GitHub platform in novel ways. In addition to GitHub Gists and commit messages being used as C2 infrastructure, we now see GitHub used as a place to store stolen information.

As malicious actors continue to develop new techniques for writing malware, developers as well as security researchers need to be on guard for new threats lurking in public repositories. Before including software or a library found on package managers like npm or PyPI, developers and development organizations should conduct a security assessment of those packages to determine if they are safe to use. 

Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs) refer to forensic artifacts or evidence related to a security breach or unauthorized activity on a computer network or system. IOCs play a crucial role in cybersecurity investigations and cyber incident response efforts, helping analysts and cybersecurity professionals identify and detect potential security incidents.

The following IOCs were collected as part of ReversingLabs' investigation of this software supply chain campaign.

package_name version SHA1
warbeast2000 1.0.8 2da32a4c9e2c3f345f46c6e06d6eb41e13da13d9
warbeast2000 1.0.7 ad888d4e2b05bee35acf61c3cc053ecdc5e6ffaf
warbeast2000 1.0.6 31abb6e4399138b33545ab5dfa3e12fe1ad4d16e
warbeast2000 1.0.5 d4a94f63a25891377334909cd544656b16c2b198
warbeast2000 1.0.3 ba5c8b0b76b798dea60110a296ba842702aacfa5
warbeast2000 1.0.2 d94e7e9f1965c248e17a6629c68f55ffa810e5d5
warbeast2000 1.0.1 f1317027456e02fa5c6cadaf897244fc28c24e31
warbeast2000 1.0.0 663d74c7b76e5aae72ed45b3680fa3efbd17586d
kodiak2k 1.0.42 909927bd61f3466d777bbbff38fd844ed8f5c134
kodiak2k 1.0.40 c6693fa7d0272562dd56ce8b44c0e99dd1210e43
kodiak2k 1.0.39 e762e1456a89218661f97e3ae356c07d35c298e8
kodiak2k 1.0.37 24e376fbbb4c76b6b3c2572efeaa68053fa35202
kodiak2k 1.0.35 7333b0ec183d34a104fd7b9a5f5b93541d39fed3
kodiak2k 1.0.34 8f1311588eae8e2fb4eff6dad523198d49d4a766
kodiak2k 1.0.31 5500ca40b5537f5b6782a143e8e2e9028b92de2d
kodiak2k 1.0.30 c6c77b4385978ab9cc1cab0826e75227d612b62a
kodiak2k 1.0.29 9ccc6f5756bb99c5a4eea9e6abc84b79cb3ae6bd
kodiak2k 1.0.28 8f1d36b074f2f6b7bc28718f88849a6aeb9dbbc6
kodiak2k 1.0.25 717fa522c6ee505002bf17d3e79385544834461e
kodiak2k 1.0.24 245f07892c85807e99a3d9da49677bbd6013ff4f
kodiak2k 1.0.22 5117a318483b62cd40298358618e57350cc4158a
kodiak2k 1.0.21 7165b6329ae524392812c534f9bb7e225e305ffe
kodiak2k 1.0.20 f6fda33768f859bc0b42bae40ac0c7dafa0f8d93
kodiak2k 1.0.19 e70476edc973548abba035993638c1bf3b829d54
kodiak2k 1.0.18 c1be7a6bd11236d1302fc6c0b206ec70b3b66d25
kodiak2k 1.0.16 55f6b8f098ce173f4bfba374fc6da3cd8e0ff435
kodiak2k 1.0.15 d80e1abd7efcd1304a3b5ce1f6302d3a7edaaad9
kodiak2k 1.0.14 13c0ff1347fe631974797aba94d17180ccc8eded
kodiak2k 1.0.13 6f819af455a3b25edc1f27c938cbaaffdbf3d910
kodiak2k 1.0.12 401b2fcd9359215f2f70f39d7d0aa1d50ab09b43
kodiak2k 1.0.11 d0c75071fc20f03d1b6d35ce7240b03c2a79f5c7
kodiak2k 1.0.10 ed6e04e810ff085a1a208788e47cce9352ab58bf
kodiak2k 1.0.9 1d5da7f3fbea3d3915bddeb4c223ba147667a6ba
kodiak2k 1.0.8 fa562e9f3374055812c463b8e36c113a2aafa61c
kodiak2k 1.0.7 3198a29d70628d1b9feaf8f7215c667383007f48
kodiak2k 1.0.6 94836b8471a22563c91d35df6f3a1f5b8e028aa7
kodiak2k 1.0.5 79c4359c0c21c4a6c43062a6e9e894ca0bd5617a
kodiak2k 1.0.4 562238aff7746bdc60f891670c0c8bff46cebe02
kodiak2k 1.0.3 96b336c4fddbd1d91a9d1eacb4c36441880ac5bf
kodiak2k 1.0.2 445922433303e38e227121046d38dd3f31a1d6e0
kodiak2k 1.0.1 30fb4cb07089d4e5773e1f20f0a0b25c34aa20ea
kodiak2k 1.0.0 9300a1ff6bc49aa3f0bfe46245a470f14fc7fac3

Second stage payloads:

SHA1
dba623bdad6bdb37359e047efcda34de4af5f518
9526b820a21fa70641361e061b0f99517ab1b184