Hackers Use Github For Malware
Skills:
AI Security90%Tool Use & Function Calling80%Reading ML Papers70%Research Methods70%AI Pair Programming60%
Key Takeaways
Hackers use GitHub for malware distribution and command and control, leveraging techniques such as living off trusted sites, and utilizing tools like GitHub, Raw GitHub user content.com, and Keeper Security for privileged access management and cybersecurity.
Full Transcript
this website cataloges and archives a list of other websites that could be used and abused by hackers and I mean both kinds of hackers here the good and the bad cyber criminals threat actors and adversaries and security researchers or penetration testers red teamers and ethical hackers this is the living off trusted sites or Lots project put together by Mr docks if you aren't familiar Mr Doc is an incredible individual doing sweet security research and sharing a whole lot of Education just as well and this might be very similar if you're used to other websites like lbass or GTFO bins living off the land techniques or using natural native inherent capabilities that might allow you to break out of an environment or do something with a little bit more tradecraft in this case living off trusted sites is all about using legitimate domains and websites when performing fishing or exfiltration or command and control ultimately and download potential tools to evade detections in most cases a lot of these websites are not going to be on a deny list or filtered by an internet filter so these are options that could be used to hey take advantage of a trusted site and here's an example right let's dig into fil transfer. see that has a couple options for potentially fishing downloading things maybe offering a capability for exfiltration say oh they just upload malicious files and use that as a link well maybe that's a little bit more trusted hey maybe folks might be familiar with that service usually used for genuine good purposes or exfiltration hey just putting data back and forth as needed downloading files or anything now with all that context out of the way I do want to say look yeah we could probably make the claim and you could argue that any sort of website could be used as commanding control you could make anything a C2 server or C2 framework if you really wanted to my good friend made a a commanded control out of the jackbox video game like you play on your phone and it's all websockets back and forth let's turn that into a C2 but I think a common conversation is how can we use like software focused Services things that are related to coding and development and often times security research and Tech how can that be used and abused and we've seen it a little bit kind of in the current days here that GitHub as an option and it's literally like the top listing results here on the living off trusted sites website we've got github.com and raw. GitHub user.com we could take a look at both of these but obviously look you host files or code or anything up on GitHub well maybe that could be used as some potential communication with a Target endpoint or victim in a commanded control sense I think that raw. GitHub user content.com is especially noted for commanding control and noting that look maare has been seen using this and there are a couple other ways that this could be done it might not strictly be just uploading adding or making changes inside of a repository there might be other tricks that are possible with GitHub in this video we're going to chat about it but before we do please let me say look the only way that I can get out free educational videos just like these as frequently as I do is with the help of some sponsorship so please allow me to tell you about the sponsor today's video keeper security I got to be honest I look for the most Secure Solutions on the market every organization even my own needs to secure passwords credentials secrets and connections all to reduce the risk of cyber attacks and keeper Security offers a privileged access management solution to deliver Enterprise grade protection allinone uni platform their Pam solution enables your business to have complete visibility security control and Reporting across every user on every device so even a small it team can manage and protect their environment keeper integrates with infrastructure and identity access management stacks and works out of the box with your other Technologies for password rotation passwordless authentication seam cicd and so much more it fits right into your Oran organization without the hassle of deployment and maintenance keeper Pam is purpose-built to protect perimeter and multi-cloud environments with the features and functionality that your organization needs I've seen keeper personally at tons of different cyber security events and I've gotten a chance to chat with their Partners seriously it is always High Praise And proven success with their platform with over 275,000 five-star ratings in app stores users Rave about keeper with keeper you can keep your users your data and your environment secure learn more today and sign up for a demo with my link below in the video description jh. life/ keeper huge thanks to keeper for sponsoring this video okay getting back to it I'm over here on github.com I could log in hey sign into my account and then navigate around to look at other repositories let's say just for the sake of example let's dig into one user in their Repository this is Gus Roger he is a fictitional uh fake character that I created for one of the ENT challenges or open source intelligence tasks from ncon CTF in a previous year event hey and by the way ncon 2024 is coming up coming up this may if you'd like to play the capture of the flag challenge that I'm hosting that is May 23rd to the 25th hope to see you there sign up on the Schoolboard I'll give you more details as we're getting closer to the date anyway say that I were to go visit one of these public repositories let's go to Gus and his development project whatever I don't know some random stuff here but if I were to go create an issue I could potentially just start a new issue right hey have a input box have some text have something where I I don't know could just put in anything here because the gimmick is that this is all temporary in ephemeral we're not actually going to create an image but we're going to use some of the features and functionality that's presented here because I'm not sure if you're familiar but say you're creating like a readme.md file for the front-facing documentation of your new repository or project if you wanted to add images there you could try to upload it host it have it available on the internet so that it could be included inside of the readme now there's a little trick with GitHub where if you were to actually try to upload a file or drag and drop something into an issue box or the kind of comment that you might create or anything that you'll Supply to type that in it will automatically upload it to GitHub and give you a publicly browsable URL based out of that repository now here here's the thing what's to stop me from trying to drag and drop or upload a file into someone else's repository is that totally possible well let's try it I'll go ahead and over to my desktop just create a new I don't know text document that's fine we'll call this hello world. text find by me let me open that up real quick let's say haaha hacked from John LOL Please Subscribe ha cutesy Dumbo fun now here's the kicker I don't need to enter anything in for this issue I just simply need to drag this into the GitHub issue and it will upload it and then grant me with a new URL and that is just the file that I could then access let me see if I can go open it in a new tab open up a new tab paste that in and okay now it starts to download look even if I were to open up an like new incognito tab or a private window obviously that's totally public it's not related or tied to my account and that will just be publicly accessible but the kicker is in that URL I don't know if you caught it but that URL that's provided for this new publicly accessible document that we've just spat out across the internet is presumably going through github.com Gus rodery that individual that company that business whatever it might be and then hey just something base out of their specific files and accessing whatever I wanted it to look like now let's think this through here because you could upload whatever you wanted to hey malware if that's the case I don't know maybe command and control communication right oh tasking a beacon or an agent back and forth is like an implant and at least from the artifact or quote unquote the indicator the URL that's there it looks like someone else's the blame is then on oh I don't know maybe that individual and their GitHub username whether it happens to be Gus rodry or John Hammond or Microsoft or government agency XYZ right now if you happen to be saying hey that looks familiar I feel like I've seen that before you could be totally right because it was in the news hey this over on bleed ping computer looking at this article GitHub comments abused to push malware via Microsoft repository URLs and this is exactly what we've been just chatting about a GitHub flaw or possibly a design decision this has been around for like forever I'm pretty sure this is just the natural inherent functionality of GitHub issues and being able to upload and store a temporary file there whatever it happens to be like an image for a readme documentation just as we saw but it could be abused by thread actors Distributing malware putting them in any repository that you want like Microsoft in this case obviously this tends to make the files appear to be trustworthy but again this could just go anywhere it doesn't have to be strictly Microsoft they do this in a couple and they discuss look at this URL exactly what we were just seeing often times you'll see other images and videos actually put into a different location called assets but dragging and dropping anything like a text file that I just tested or an executable or a zip archive would just go into SL files even if you don't post the comment like you notice I never created that issue it'll just still be brought to life uploaded into GitHub and the blame goes to someone else the URLs look like they belong to the company's repository and a lot of folks have been chatting about this OA Labs or open analysis live Sergey an incredible person fantastic work that he does he's been stating look he actually saw a sample some malware strain using and abusing this with uh was it smart loader yeah Lua in this case frankov told bleepy computer that smart loader is commonly installed alongside other payload like oh Redline info stealer classic haven't heard anything from GitHub and Microsoft here and yeah I guess that's curious because again this in my mind has just always been the intended functionality but could be taken advantage of and hey by the way if you're not familiar with OA Labs or open analysis and open analysis live s his whole team all those individuals are geniuses incredible people doing great stuff always sharing education similar to this they even go a whole lot more deeper than I do for some disassemblers from debugging great decompilation and unraveling and extracting malware so super cool stuff please show them some love but he's talking about it on any repository that you want you can just upload this thing so at one point I had a thought could this be used as a command and control setup and structure just all over GitHub with temporary on the-fly ad hoc and ephemeral files that we upload through just dropping it into a GitHub issue without even needing to post the issue or create the comment so I wanted to think of hey how could I take advantage of this an automated way if I were to drag a file in and recreate this could I actually be taking a look at the developer tools like the browser info and see maybe in the network is there anything that I could recreate or do in an automated way Python scripts goang whatever automation we might like is there an API in the mix and you'll notice hey it posts to assets with a little bit of details here maybe an off token that's just temporary for that request obviously you need a logged in session here but is there any of this data that's worthwhile to be taken pulling out from and there are some Amazon things in the mix so I'm now realizing okay this is an S3 bucket one of those AWS hey cloud storage locations and not just a simple easy o post request with one endpoint kind of goes back and forth to GitHub production maybe a specific ID and then the unique keys and values everything necessary for that file upload I thought that hey this would be a cool video this would be something to demo and showcase and wouldn't it be even more cool if I could share a tool or at leas hey some capability some project on get up something you could download and play with to do exactly this and just spray and push out and hey use command and control capability over any random GitHub repo that just is out there on the internet now I'll be honest I'm a little bit sad because hey I wanted to get this video out previously but now that this article this bit computer write up is out and about I thought oh you know what hey we should probably get that out the door the thing is I never finished the code to create this as a tool and capability but I had this kind of canned and in my mind for maybe the month or so you can see way back to the end of March I wanted to get this out the bout this is a snippet of the code that I was playing with never finished this is really Half Baked and not totally feasible as a demo but it's kind of exactly that idea hey just manipulating recreating a lot of the network communication back and forth but I never got it to work and I have a hunch well look it's getting into a lot of those Amazon S3 shenanigans that I don't know all about I'll be the first to admit maybe you could do this with Bodo 3 maybe it's easier to just recreate this network connectivity but at the end of the day I never figured out a solution to automate it and I don't know anyone who has if you have please please please let me know I think that's pretty neat maybe that's a call to action and worthwhile if any of you are interested but it does give a little bit of a segue to some more conversations that we can have because if you were taking a look at OA lab's little stream here what he was showcasing discussing there a lot of the comments are like yeah this is clearly an S3 bucket and it's not in the repository of GitHub that should be made clear it isn't going to be a file just in the repo one thread that is worth pulling on a little bit though is that look if we're actually seeing some of this used and abuse in the wild often times real malware like the simple loader Lua thing or small loader whatever was called with they're uploading malware in azip file format so it looks like a release asset to large open repositories then they share the links as though they're the legitimate release links for that project but the release notion is interesting to me because you know how when you cut a new release of some software you publish this new version out on GitHub and you could Supply and upload these assets that are appropriate for that new version or that release that is made available and you could totally automate that there are GitHub apis and GitHub actions things to make that streamlined and easy so I was chatting with a couple of my friends on all of this hey using GitHub as a command and control framework with just regular files in and out of the repository with GitHub issues comments things you can drag drop in and out and maybe now even using assets capability when you cut a new release to do whatever you might like now this is something that we did get to build a proof of concept for take a look here is command and control just as a simple po via GitHub releases in this case you will need to automate some interaction with the API which means you'll need a GitHub access token configured and put together we can create one super duper simple I'll build out just a small sample testing and playground repository but we'll not here hey let's put in our GitHub token add that in and it will be embedded in the binary that can be obfuscated of course if you were to do this kind of thing for real but this is just the proof of concept that I wanted to showcase the idea is that we'll use the release assets of any GitHub repository to hide or smuggle some data command and control instructions Mal or whatever and because it is public right you will need to have some encryption in the mix so we'll generate some keys public and private key Pairs and then we'll have an agent that's actually going to do the work kind of get these things in and out communicate with the GitHub command and control to store and set this as a registered release asset and then say the other end of the communication is just pulling that data down decrypting it and then doing whatever it might do with it we're not doing anything in this case there isn't a full-blown client application or the C2 server itself so to speak again just a demo for Education sake so let me create a new GitHub repository we can call this whatever I don't know Nvidia driver build or something stupid doesn't need a description public private private's fine uh add a read me no doesn't care let's do it now that that's created I'll stage an access token I'm not going to show you that but you saw the instructions and the steps now let's do that demo I am inside of my Cali Linux virtual machine I'll open up a terminal with Control Alt t let me change directory into my git directory and the GitHub C2 folder I do have this cloned and downloaded and I have created just that GitHub GH token so that's present in the environment now I will go ahead and just generate the encryption Keys oh we'll mark that as executable appreciate appreciate that how about now will you work for me looking good now bear with me for just a sec we're going to have to kind of hey press the I believe button and say look for the sake of showcase we'll have our implants and commanding control instructions I don't know maybe some malware sample or the payload that we'd like here I could spit that together like run local Sam dump or something I don't know simulating that idea now back in our sandbox repository I have just added a readme file so there's some content there because ultimately we need to create a release something to start with so that our agent and our proof of concept can work with this we will create a tag I don't know just call this a hour release something for creation sake and then doesn't really matter oh what the title is yeah build release Nvidia anything this is just for the sake of showcase so let me publish that release and that is staged and set for us but now we can manipulate and add these assets with our proof of concept tooling I'll put these side by side and now I'll use our GitHub C2 agent where I can supply with the arguments that we configured for this the repository reference with tack R in this case that's just my username with the Nvidia driver build repo name we'll Supply Tac n to say a name for I don't know what might be present on the GitHub release page the file name for it we can just call that like build release or whatever and then tack P to specify the path of what we'd like to try to Showcase and bring up there let me use just that temporary file that we were working with totally not malware and fingers crossed if I run this okay that is seemingly done now let me go refresh this page I'll control shift R yeah and here is our build release just present there now say that our C2 server or the framework client whatever here at the communication it could pull that down it could go retrieve our build release and for the sake of showcase I'll just bring that into my virtual machine because it's a private repository and all that but obviously if I take a look at that build release it is just nonsense it is encrypted it is going to have some of the communication structure and a opset quote unquote that we put in there cuz it's public data but now with our tooling with a little proof of concept that we put together for using GitHub as a command and control framework we could just decrypt the file we can just pull the data out as we would have with the keys that we put together and all this trade craft here so I could at this point just use the private key for the keys that we've staged here to use our op SSL decryption routine for the file that we've just downloaded I stored that build release download in the agent directory we'll use the private key that we have and we'll decrypt this out to a out file how about that and I'll hit enter on this fingers crossed now I have my out file created and taking a look this should just be our totally not malware doxt in this case I think get staged as a zip file yeah so we could unzip that and there you have it at the very least the idea for command and control over GitHub and I got to say there were a whole lot of options here like we were talking originally about oh you know know files that just go back and forth on a repository and then look hey just actually using the issues and the comments that could create a new file upload that could go back and forth over the assets and those locations URLs that look like they're someone else's repository but even then if we use the releases and release assets that is very sneaky because once again we could use anyone else's repository Fork it from there and doing this as a GitHub release just cutting new software and New versioning Look the only only thing that even slightly indicates that something might be a Miss something's a foot there are some Shenanigans here in tradecraft is just simply the time stamp if it happens to be communicating rapidly as C2 might everything else looks completely normal and just the same as it always would for any sort of release if anything look all that I wanted to Showcase in this video is that there are multiple ways we could do some sneaky tricks with using GitHub as a command and control framework you can do that for a tons of other websites but as this one was a little bit in the Limelight you know what but I think maybe there's still more to chat about just as well with that thank you so much for watching hope you enjoyed this video please do all those YouTube algorithm things like comment subscribe and hey please show some love to our sponsors keeper security Link in the video description I'll see you in the next video
Original Description
https://jh.live/keeper || Keeper Security offers a privileged access management solution to deliver enterprise grade protection all in one unified platform -- keep your users, your data, and your environment secure with Keeper! https://jh.live/keeper
Learn Cybersecurity - Name Your Price Training with John Hammond: https://nameyourpricetraining.com
Read The Hacker Mindset by Garret Gee: https://jh.live/hackermindset
📧JOIN MY NEWSLETTER ➡ https://jh.live/email
🙏SUPPORT THE CHANNEL ➡ https://jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/discord ↔ https://jh.live/instagram ↔ https://jh.live/tiktok
💥 SEND ME MALWARE ➡ https://jh.live/malware
🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: AI Security
View skill →Related Reads
📰
📰
📰
📰
SQL Injection Is Not Dead: Why an Old Vulnerability Still Breaks Modern Applications
Medium · Cybersecurity
TryHackMe: Support Walkthrough
Medium · Cybersecurity
Phase One: Getting Situational Awareness Right
Medium · Cybersecurity
How to Detect Unauthorized Devices on Your Network with Python (A Practical Scapy Tutorial)
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI