**Summary:** Datadog Security Labs’ cybersecurity researchers have discovered a new, malicious year-long campaign from a threat actor identified…
Analysis Summary
# Tool/Technique: Trojanized GitHub PoCs and Fake Kernel Upgrade
## Overview
A campaign conducted by the threat actor MUT-1244 focused on compromising security researchers, penetration testers, and other malicious actors by distributing malicious code disguised as legitimate Proof-of-Concept (PoC) exploits on GitHub or via phishing emails disguised as kernel upgrade installers. The ultimate goal was widespread credential and sensitive data theft, exploiting the software supply chain trust placed in public repositories and official-looking communications.
## Technical Details
- Type: Campaign utilizing various malware delivery tools and supply chain compromise techniques
- Platform: Primarily systems used for development and security work; Windows and Linux are implied by the artifact types involved (Python scripts, npm packages, and SSH keys)
- Capabilities: Credential harvesting, file exfiltration, supply chain contamination, initial access via trojanized files.
- First Seen: Described as a year-long campaign; related activity was observed spiking in mid-2023.
## MITRE ATT&CK Mapping
*Note: Since this is a composite campaign description, mappings cover the general delivery and impact.*
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (relevant to visiting malicious repos/links)
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (relevant to the fake kernel upgrade email)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.003 - Windows Command Shell (implied execution paths)
    - T1059.006 - Python
  - T1204 - User Execution
    - T1204.002 - Malicious File
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (implied by the hardcoded Dropbox/file.io credentials)
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping (implied by the theft of SSH keys and AWS keys)
## Functionality
### Core Capabilities
- **Supply Chain Poisoning:** Hosting fake PoC repositories on GitHub containing embedded malicious code alongside legitimate-looking exploit proofs.
- **Phishing Lure:** Targeting academics with emails prompting installation of malware disguised as a "fake kernel upgrade."
- **Credential Theft:** Stealing highly sensitive information, including WordPress credentials (over 390,000), AWS access keys, and SSH private keys.
- **Data Exfiltration:** Utilizing hardcoded credentials for Dropbox and file.io endpoints to retrieve stolen data from compromised hosts.
### Advanced Features
- **Layered Payload Delivery:** Employing multiple obfuscation or delivery mechanisms within repositories:
  1. Backdoored configuration files containing hidden malicious logic.
  2. Malicious code embedded within PDF files that executes when the fake exploit is opened.
  3. Python dropper scripts that decode Base64 payloads, write them to disk, and execute them.
  4. Malicious npm packages that silently call back to download and execute the final payload.
- **Trojanized Utility Use:** Exploiting a legitimate-looking utility, "yawpp" (advertised as a WordPress credentials checker), to validate and likely steal credentials obtained illicitly elsewhere.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Implied PoC scripts, Python droppers, malicious PDFs, and the 'yawpp' utility]
- Registry Keys: [Not provided in the text]
- Network Indicators: Hardcoded credentials for **dropbox[.]com** and **file[.]io**, used as exfiltration endpoints. URLs/domains involved in phishing or npm package delivery were not explicitly listed but would be present in payload configuration.
- Behavioral Indicators: Execution of Python scripts that decode Base64 strings; file extraction from PDFs upon opening; suspicious outbound connections to data storage/transfer services.
## Associated Threat Actors
- MUT-1244
## Detection Methods
- **Signature-based detection:** Signatures could target known file hashes associated with the Python droppers or unique strings found in the backdoored configuration files.
- **Behavioral detection:** Monitoring for unusual execution chains originating from script interpreters (Python) that execute obfuscated or Base64-encoded payloads, especially after interaction with files downloaded from third-party sources like GitHub (PDFs, scripts). Monitoring outgoing traffic to known file-sharing services from unusual processes.
- **YARA rules if available:** Likely rules targeting unique strings or code segments found within the various payload stages (e.g., the specific logic inside the yawpp tool).
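As an added example (not code from the report or from Datadog Security Labs), the behavioral rules above expressed over a few constructed endpoint telemetry events: an interpreter spawned by a document viewer, a command line that feeds a Base64 decode straight into a code-execution sink, and outbound traffic from that interpreter to a file-sharing service. The event shape, the process and parent image names, and the inclusion of the dropboxapi.com API host family are assumptions; real input would come from EDR, Sysmon or auditd telemetry.

```python
"""Behavioral detection over constructed endpoint telemetry (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Script interpreters the report names as execution vectors (T1059.003/.006),
# plus node for the npm-package stage. Image names are assumed; adjust to fleet.
INTERPRETERS = {"python", "python3", "python.exe", "node", "node.exe",
                "cmd.exe", "powershell.exe"}
# Document viewers and browsers that should not normally be the parent of a
# script interpreter (assumed process names, extend for your estate).
VIEWER_PARENTS = {"acrord32.exe", "evince", "okular", "chrome.exe", "firefox"}
# Exfiltration services named in the report; dropboxapi.com (the Dropbox API
# host family) is added here as an assumption.
EXFIL_SUFFIXES = ("dropbox.com", "dropboxapi.com", "file.io")

# Base64 decoding on a command line, and the sinks that would execute the result.
B64_DECODE = re.compile(r"b64decode|FromBase64String|-enc(?:odedcommand)?\b", re.I)
EXEC_SINK = re.compile(r"\bexec\(|\beval\(|subprocess|os\.system|Invoke-Expression|\biex\b", re.I)


@dataclass
class Event:
    kind: str             # "process" (creation) or "network" (outbound connect)
    pid: int
    image: str            # executable basename
    parent_image: str = ""
    cmdline: str = ""
    dest_host: str = ""


def is_exfil_host(host: str) -> bool:
    """True for a listed service or any subdomain of it (not for look-alike suffixes)."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in EXFIL_SUFFIXES)


def analyze(events: list[Event]) -> list[tuple[int, str]]:
    """Return (pid, reason) alerts; each rule fires at most once per event."""
    alerts: list[tuple[int, str]] = []
    interpreters: set[int] = set()  # pids of interpreter processes seen so far
    for ev in events:
        if ev.kind == "process" and ev.image.lower() in INTERPRETERS:
            interpreters.add(ev.pid)
            if ev.parent_image.lower() in VIEWER_PARENTS:
                alerts.append((ev.pid, f"interpreter spawned by {ev.parent_image}"))
            if B64_DECODE.search(ev.cmdline) and EXEC_SINK.search(ev.cmdline):
                alerts.append((ev.pid, "Base64 decode feeds code execution on command line"))
        elif ev.kind == "network" and ev.pid in interpreters and is_exfil_host(ev.dest_host):
            alerts.append((ev.pid, f"interpreter connecting to file-sharing host {ev.dest_host}"))
    return alerts


# Constructed telemetry: pid 412 reproduces the reported chain (the decoded
# payload is just print('hi')); pid 500 is a developer running tests.
SAMPLE_EVENTS = [
    Event("process", 412, "python3", parent_image="evince",
          cmdline="python3 -c \"import base64;exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\""),
    Event("network", 412, "python3", dest_host="content.dropboxapi.com"),
    Event("process", 500, "python3", parent_image="bash", cmdline="python3 -m pytest tests/"),
    Event("network", 500, "python3", dest_host="pypi.org"),
]

if __name__ == "__main__":
    for pid, reason in analyze(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```

The network rule only fires for processes already seen as interpreters, so the order of events matters; when replaying historical telemetry, sort by timestamp first. Suffix matching on the host avoids alerting on look-alike domains such as `notfile.io` while still catching subdomains.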
## Mitigation Strategies
- **Prevention measures:** Enforcing review-before-execution policies for downloaded source code, especially PoCs originating from unverified sources, even when they appear to come from security research communities. Implementing application whitelisting (allowlisting).
- **Hardening recommendations:** Educating security professionals and researchers (the primary target group) on the inherent supply chain risks associated with executing code from public repositories without thorough review. Using multi-factor authentication across all sensitive cloud assets (like AWS, which were targeted).
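Added example, not code from the report or from Datadog Security Labs: a static review pass to run over a downloaded PoC before executing it, in the spirit of the "thorough review" recommendation above. It parses the script with Python's `ast` module and never executes it, reporting the dropper traits the report describes: Base64 decoded straight into `exec()`/`eval()`, decoded bytes written to disk, a spawn of a path the script itself writes, and string references to the file-sharing services used for exfiltration. The sample PoC, its placeholder CVE comment and the dropboxapi.com host are constructed or assumed.

```python
"""Static pre-execution review of a downloaded PoC script (added example)."""
from __future__ import annotations

import ast
import re

EXEC_SINKS = {"exec", "eval"}
SPAWN_SINKS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_output", "os.system", "os.startfile", "os.execv"}
# Hosts named in the report; dropboxapi.com is the Dropbox API domain (assumption).
FILE_SHARING_HOST = re.compile(r"\b(?:[\w-]+\.)*(?:dropbox(?:api)?\.com|file\.io)\b", re.I)
# A long unbroken run of Base64 alphabet is how embedded payloads usually look.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def call_name(node: ast.Call) -> str:
    """'exec' for exec(...), 'base64.b64decode' for base64.b64decode(...), else ''."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def is_b64_decode(node: ast.AST) -> bool:
    return isinstance(node, ast.Call) and call_name(node).endswith("b64decode")


class PoCScanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[tuple[int, str]] = []   # (line number, description)
        self.decoded_vars: set[str] = set()         # names holding b64decode() output
        self.written_paths: set[str] = set()        # literal paths opened for writing

    def _tainted(self, node: ast.AST) -> bool:
        """Argument is a b64decode() call or a variable assigned from one."""
        return is_b64_decode(node) or (isinstance(node, ast.Name) and node.id in self.decoded_vars)

    def visit_Assign(self, node: ast.Assign) -> None:
        if is_b64_decode(node.value):
            self.decoded_vars.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = call_name(node)
        if name == "open" and len(node.args) >= 2 and all(isinstance(a, ast.Constant) for a in node.args[:2]):
            if "w" in str(node.args[1].value):
                self.written_paths.add(str(node.args[0].value))
        elif name in EXEC_SINKS and any(self._tainted(a) for a in node.args):
            self.findings.append((node.lineno, f"Base64-decoded data passed to {name}()"))
        elif name.endswith(".write") and any(self._tainted(a) for a in node.args):
            self.findings.append((node.lineno, "Base64-decoded data written to disk"))
        elif name in SPAWN_SINKS:
            literals = {n.value for n in ast.walk(node) if isinstance(n, ast.Constant)}
            for path in sorted(self.written_paths & literals):
                self.findings.append((node.lineno, f"spawns a file this script writes: {path}"))
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        if isinstance(node.value, str):
            m = FILE_SHARING_HOST.search(node.value)
            if m:
                self.findings.append((node.lineno, f"references file-sharing host {m.group(0)}"))
            elif B64_BLOB.match(node.value):
                self.findings.append((node.lineno, f"embedded Base64 blob ({len(node.value)} chars)"))


def scan_source(source: str) -> list[tuple[int, str]]:
    """Parse (never run) a script and return its findings in source order."""
    scanner = PoCScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed sample in the style the report describes; the "payload" only
# prints a string, and this module never executes it.
SAMPLE_POC = '''import base64, subprocess
# PoC for a hypothetical CVE (placeholder, constructed for this example)
payload = base64.b64decode("cHJpbnQoJ2hlbGxvJyk=")
with open("/tmp/x.py", "wb") as fh:
    fh.write(payload)
subprocess.run(["python3", "/tmp/x.py"])
exec(base64.b64decode("cHJpbnQoJ2hlbGxvJyk="))
UPLOAD = "https://content.dropboxapi.com/2/files/upload"
'''

if __name__ == "__main__":
    for line, what in scan_source(SAMPLE_POC):
        print(f"line {line}: {what}")
```

The taint tracking is deliberately shallow (direct arguments and simple name assignments), which is enough for the dropper pattern described here but will miss payloads passed through intermediate functions; treat any finding as a reason to read the file by hand rather than as a verdict.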
## Related Tools/Techniques
- **Yawpp:** A trojanized WordPress credentials checker used for credential harvesting/validation.
- **VenomRAT:** Mentioned as a payload deployed in a similar, predecessor campaign targeting researchers via a fake PoC exploiting CVE-2023-40477 (WinRAR vulnerability).
- Past campaigns involving fake PoCs on GitHub (June 2023, July 2023).