Slashdot Mirror


GitHub Repository Owners Targeted By Data-Stealing Malware (threatpost.com)

"Phishing emails zeroing in on developers who own Github repositories were infecting victims with malware capable of stealing data through keyloggers and modules that would snag screenshots," writes ThreatPost. An anonymous reader quotes their report: Researchers at Palo Alto Networks this week said that in mid-January, an unknown number of developers were targeted with emails purporting to be job offers. The attachments instead carried malicious .doc files containing an embedded macro. The macro executed a PowerShell command that would grab malware from a command and control site and execute it... [Senior threat researcher Brandon] Levene said it's unknown how widespread the January campaign was or why developers were targeted, but given the vast number of projects hosted on the platform, it would likely be an attractive target for either criminals or nation-state attackers.
Levene said the PowerShell script drops a binary named Dimnie, which has been around since 2014 but before January targeted primarily Russian-speaking targets. Someone who received two different emails said they appeared to be hand-crafted, according to Ars Technica, and referenced data changed that same day. They believe this suggests "a focused campaign explicitly targeting targets perceived as 'high return investments,' such as developers (possibly working on popular/open source projects)."

63 comments

  1. Re:Darwin at work, I guess. by Blade · · Score: 1

    Maybe I misread TFA but where does it mention mail agents automatically executing the macros? I assume the mails were hand crafted, to encourage the recipients to open the attachment, and that the mail agents were irrelevant?

  2. Devs by castus · · Score: 1

    The attachments instead carried malicious .doc files containing an embedded macro.

    I hope most devs know better than to open a .doc from some stranger on the internet.

    1. Re:Devs by Blade · · Score: 1

      Hope away. I'm sure plenty haven't got a clue.

    2. Re:Devs by lucasnate1 · · Score: 1

      I think that it's insane that they have to know it. We are not afraid of opening .txt files, why should something more structured be that different?

    3. Re:Devs by Anonymous Coward · · Score: 0

      Read != Execute

    4. Re:Devs by Anonymous Coward · · Score: 1

      We are not afraid of opening .txt files

      We are not?

    5. Re:Devs by Anonymous Coward · · Score: 5, Insightful

      Many trojans were distributed as resume.txt.exe at one point, so you really did have to be afraid of opening ".txt" files since the Windows default at the time would hide the .exe... unless of course you were one of the people who understood the risk. Is this insane? Well yes... Microsoft should've never hidden the extension by default. The fault is entirely theirs. Just like how the fault is entirely theirs that a .doc file has a built-in control language easily used to contain a malicious payload.

      Simple solution is not to use the programs that execute the malicious code while reading a document, but this falls under 'having to know it' and isn't a good solution for the commons.

    6. Re:Devs by gatkinso · · Score: 1

      As a general rule: I don't open stuff from email, regardless of who sent it.

      --
      I am very small, utmostly microscopic.

    7. Re:Devs by religionofpeas · · Score: 1

      But do you open stuff you get somewhere else ? e-mail is just a medium.

    8. Re:Devs by lucasnate1 · · Score: 2

      Text documents should not be executed, that's my point.

    9. Re:Devs by fuzzyfuzzyfungus · · Score: 4, Insightful

      Because one aspect of the 'more structured' is a handy mechanism for executing code on your system if you open it. If text editors habitually executed any shell scripts included in .txt files, we'd be nervous about those as well. Greater complexity is hardly completely safe, since it makes implementation of software capable of opening the file more complex; but that's a comparatively minor difference of degree compared to the difference between file types where automatic execution is a feature and ones where it's a bug.

    10. Re:Devs by Anonymous Coward · · Score: 0

      But if the .exe is hidden the .txt would be hidden too. Watching an icon named "document.txt" should be suspicious.

    11. Re:Devs by Anonymous Coward · · Score: 0

      As a developer I usually find opening doc files from email to be a waste of time. They are seldom documentation for anything useful as their name might suggest, and usually show up as a bunch of random characters in vi. I don't remember the last time bash got infected by a Powershell macro virus either.

    12. Re:Devs by Anonymous Coward · · Score: 2, Insightful

      As a general rule: I don't open stuff from email, regardless of who sent it.

      Yes, that's because you don't have a job.

      Those of us with actual paying jobs don't have the luxury of not opening e-mail attachments.

    13. Re:Devs by Anonymous Coward · · Score: 0

      I'm sure they did the needful and opened it straight away.

    14. Re:Devs by ctilsie242 · · Score: 1

      This makes me wonder why we have not moved back to a Harvard architecture for fundamental computing. The #1 way that the bad guys get in is that data gets executed somehow, be it HTML, Flash, or anything winding in documents. Having separate data and code spaces would stop this line of attack cold.

    15. Re:Devs by Dutch+Gun · · Score: 1

      When your "data" contains interpreted scripting bytecode, there's not much of a distinction there. A Python interpreter is just "reading" a Python script, right? No execution permissions required, but it can still be dangerous. Ever since document formats like Word, PDF, or even HTML put embedded scripting inside, any document you open could be just as dangerous as an executable file.

      --
      Irony: Agile development has too much inertia to be abandoned now.

    16. Re:Devs by ctilsie242 · · Score: 1

      If I have to open an attachment, it goes in a VM with no virtual adapters. If it is a Trojan and craps all over the VM, oh well. I just roll back the snapshot.

    17. Re:Devs by Anonymous Coward · · Score: 0

      True, but these days it makes good sense to only ever do that in a secure sandbox VM without network connectivity.

      Not sayin' I think that's a great world, just that it's the world we have.

    18. Re:Devs by lucasnate1 · · Score: 1

      It's more than just scripting code. We can also use emulators to run code of old games WITHOUT having to worry about it somehow downloading things from the internet. The problem is that code in docs is allowed to do way too much.

    19. Re:Devs by AHuxley · · Score: 1

      Well AC how far up a different network can an attachment be looked at without the infection spreading?
      Perhaps consider any attachments on a safer computer and see what's in the file before it gets to a computer/network that's vital?
      Lots of strange OS exist, lots of different file systems. Some of them should be able to network and display an attachment.

      --
      Domestic spying is now "Benign Information Gathering"

    20. Re:Devs by Anonymous Coward · · Score: 0

      A Python interpreter is just "reading" a Python script, right? No execution permissions required, but it can still be dangerous.

      I would have to either "chmod 755 somescript.py" first (assuming it begins with something like "#!/usr/bin/python-exec2c"), or I would have to manually/intentionally run python and tell it to read that script.

      I really wouldn't call that dangerous as it's not something I'm going to do unintentionally. If Windows followed this model it would greatly reduce the problem of macro/script malware. Yes, naive users could still be enticed to perform the above steps, just like users have been enticed to run unknown .exes from unverifiable sources in the past. The point is, automating this failure in the name of "user friendly" is what caused it to be such a huge problem.

      That a pistol *could* be aimed at your foot is not the problem. A pistol owner who aims it at his own foot and pulls the trigger is an instance of operator error. The pistol only did what it was "told" to do. A pistol that automatically takes aim and automatically fires at a foot anytime it's pointed downward is the great Ease Of Use enjoyed by satisfied Microsoft customers.

    21. Re:Devs by Anonymous Coward · · Score: 0

      Simple solution is not to use the programs that execute the malicious code while reading a document, but this falls under 'having to know it' and isn't a good solution for the commons.

      Even a simple text editor can execute the text when you hit undo or redo. Even keeping track of the undo queue can result in the execution of text. That is just one application of the many in the system. The problem is systemic, total security is damn near impossible.

    22. Re:Devs by AmiMoJo · · Score: 1

      To be fair, most people don't understand file extensions and they are a shitty way of determining the content of the file. The problem is, Microsoft hid them and didn't replace them with anything better.

      I've had one of these phishing emails just now. Had my correct name and address in it. I guess with all the data leakage such things are bound to get out and be sold for pennies if you have ever bought anything online. I just wish I had started adding random letters to my address earlier so I could trace the source of the leak.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    23. Re:Devs by Eravnrekaree · · Score: 1

      But then they find a way to break out of the VM

    24. Re:Devs by Eravnrekaree · · Score: 1

      Not really necessary at the CPU level, a good OS can allow you to do a RBAC rule that will block any file from being executed in a user writeable directory. It should be up to the OS to provide a complete security model. The thinking of putting overly complex security models into the CPU is wrong. This is because if a bug slips in it's harder to update the CPU. The CPU has basic page functionality, NX bits, privilege levels and so on that provide the basic tools needed for the OS to implement any security model needed.

    25. Re:Devs by Eravnrekaree · · Score: 1

      The code should go into a sandbox, or not be run at all. A sandbox is an option both OS level, and the interpreter. Running code without that in a DOC file IS nuts. Reducing the kernel attack surface like Chrome has done is one tactic that can be used, using a controller/controllee sandbox. It's not rocket science. It's just plain incompetence to not do this.

    26. Re:Devs by Eravnrekaree · · Score: 1

      It should be pointed out x86-64 has security facilities that are equivalent to a Harvard architecture, protection levels, setting pages with read/write/execute bits and so forth, as with the NX bit. The problem here is Word, and the security profiles at the OS level that allow scripts to access the filesystem. A Harvard architecture would introduce inefficiencies in memory and bus utilization without giving you anything that you can't get with page tables and privilege levels on

    27. Re:Devs by Eravnrekaree · · Score: 1

      Step one would be to disallow any execution of files in the user writeable directories. But this does not fix the problem of the interpreter. One way might be to develop a RBAC profile or a program with an interpreter like Word, allowing it some access to configuration values it needs, but requiring user confirmation before any other file access, or restricting file access to a certain directory. The problem is differentiating between good accesses such as to a document the User wants to load, and malicious accesses. These problems can also be solved in Word itself by running all scripts in both an interpreter security profile and in a separate process controlled by OS level RBAC. But with Word, you can't trust it to get this right or to do it at all. Unfortunately warning a user before a file is accessed by Word is imperfect since users tend to ignore such warnings. Running separate instances of word in each their own sandbox which gives it access to just one document file is another solution to this.

    28. Re:Devs by dinfinity · · Score: 1

      To be fair, most people don't understand file extensions

      There is no cure for stupid. I do agree with you that Microsoft has exacerbated it starting with Windows 95 by hiding the file system as much as possible, though.

      and they are a shitty way of determining the content of the file.

      Extensions are a great way to quickly denote the type of a file. They are portable across all file systems and platforms, short and recognizable by convention, and for the most common files generally unique enough. The fact that 'gif' and 'mp3' are commodity terms nowadays speaks to the power of file extensions.

      Don't get me wrong: I'm not saying they are perfect. But they are actually pretty damn effective.

    29. Re:Devs by Eravnrekaree · · Score: 1

      One could use something like RBAC to give interpreters just the permissions they need, something like AppArmor, AppArmor or maybe some kind of solution could probably lock the interpreter out of trying to read a file from the user's home directory. Part of the problem is the same file access calls are used by python to both access data it needs and to access the script to run. The interpreter may need to access some data out of the home directory. An interpreter based policy seems to be one of the few ways the problem can be sealed, to tell the interpreter to not execute files in the home directory. Otherwise, the user can be warned before a user directory file is accessed, or a runtime RBAC profile could be generated with access just to the user directory data file the interpreter will need. Unfortunately none of these are really perfect.

    30. Re:Devs by Anonymous Coward · · Score: 0

      Step one would be to disallow any execution of files in the user writeable directories.

      I thought we were talking about developers.

    31. Re:Devs by Anonymous Coward · · Score: 0

      So download the file; don't do some stupid auto-open crap from your browser.

    32. Re:Devs by goose-incarnated · · Score: 1

      This makes me wonder why we have not moved back to a Harvard architecture for fundamental computing. The #1 way that the bad guys get in is that data gets executed somehow, be it HTML, Flash, or anything winding in documents. Having separate data and code spaces would stop this line of attack cold.

      How would this help email .doc(x) attacks? The malicious code is stored in data memory, the word.exe program executes in executable memory. The word.exe program then interprets the data and does a malicious action.

      --
      I'm a minority race. Save your vitriol for white people.

  3. Re: MS Fails Again by Anonymous Coward · · Score: 0

    Since when is word open source?

    We don't want to know about your open sores. Seek medical advice. They probably have medications that might help you.

  4. Seems appropriate. by Gravis+Zero · · Score: 2

    If you're still using Windows after everything Microsoft has done, you clearly like the abuse, so this is just one more thing for you to suffer through.

    --
    Anons need not reply. Questions end with a question mark.

    1. Re:Seems appropriate. by doom · · Score: 1

      Yes, that's what I was thinking: these are carefully crafted attacks against high-value targets... who are still using Microsoft products?

  5. Stupidity and/or ignorance in action by Anonymous Coward · · Score: 0

    It's not so hard not to be infected by a virus. I never have and I even stopped using antiviruses. Waste of CPU. Just be smart. If people have to get infected to learn their lessons, then so be it. The burnt hand teaches best.
    In a workplace, sysadmins should not allow such things to happen, either. If they do, then fire them and get better ones.

  6. Spam filtering 101... by Pascoea · · Score: 1

    From the link in the article:

    From: zayavka@bsme-mos.ru
    Subject: question
    Hey. I found your software is online. Can you write the code for my project? Terms of reference attached below. The price shall discuss, if you can make. Answer please.

    Sorry, that doesn't pass the smell test. It reeks like a phishing attempt. 1) Unsolicited e-mail. 2) Broken English. 3) Request to open attachment. 4) Vague subject. 5) Sketchy e-mail address.

    Zero sympathy for people who fell for this. Nerds should know better.

  7. Re:Open Sores Fails Again by Anonymous Coward · · Score: 0

    RTC belongs at the bottom of a very long list of source control software.

    On the plus side, you can get the sales guys to wine and dine you if your company is huge.

  8. The worst smell of all by SuperKendall · · Score: 1

    No way am I working for someone that still uses Word or sends anything in .doc format.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley

  9. Really? by Pope+Raymond+Lama · · Score: 1

    Windows Based GitHub Repository Owners Targeted By Data-Stealing Malware -
    Here, I fixed the title for you.

    --
    -><- no .sig is good sig.

  10. Only if they use Microsoft Windows by najajomo · · Score: 1

    "Phishing emails zeroing in on developers who own Github repositories were infecting victims with malware capable of stealing data through keyloggers and modules that would snag screenshots,"

  11. Read vs. Execute vs. Interpret by DrYak · · Score: 1

    This makes me wonder why we have not moved back to a Harvard architecture {...} Having separate data and code spaces would stop this line of attack cold.

    The problem is that the vast amount of modern things isn't code that is executed as-is on the CPU,
    the vast majority of modern apps are written in some high-level extremely abstract language that gets interpreted.

    (That includes the executable script portion on most web pages and macros embedded in nearly every modern format - including docx - with maybe the exception of a few plain boring image formats)

    So either you end up with code running in code space that reacts and changes behaviour (interprets scripts) based on data located in the data space.
    Or you need to consider nearly everything as code, including .docx files, and only consider a few things as data.
    Like the README file and... huh... that's about it.

    (For fuck's sake, even some text/image formats like PostScript are Turing complete).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

  12. Libreoffice by Eravnrekaree · · Score: 1

    What about LibreOffice? Does it run code in document files/allow them access to the system?

  13. Re:Arseholetechnica I want to know 1 thing by Anonymous Coward · · Score: 0

    Aww, did Ars ban you from spamming up their articles? Poor little spammer. My opinion of Ars just went up!

  14. GitHub monoculture by Anonymous Coward · · Score: 0

    The only surprising thing is that this story wasn't in the news years ago. GitHub is an enormous single point of failure and it's trusted by too many people. Compromise a GH repo and you've also compromised every fool downloading it as a dependency or piping wget straight into sudo (yes, that's actually a common thing "developers" do now).

  15. Re:Arseholetechnica I want to know 1 thing by Anonymous Coward · · Score: 0

    I guess no one likes you there either.

  16. Re:Arseholetechnica I want to know 1 thing by Anonymous Coward · · Score: 0

    Maybe they don't like arsHoles like you.

  17. Prevent Powershell virus with one weird trick by MrKaos · · Score: 1

    Set-ExecutionPolicy AllSigned

    --
    My ism, it's full of beliefs.

  18. Re:Open Sores Fails Again by Anonymous Coward · · Score: 0

    wow, like it only took you 20 years to figure that line out. Your wit is as dull as a macro virus on a floppy disk.

  19. Arseholetechnica I want to know 1 thing by Anonymous Coward · · Score: 0

    See my subject: Who got BITCHSLAPPED & BANNED from the whitehouse by our good President Trump? YOU DID (CNN = Arstechnica = THE VERY FAKE NEWS) hahahahahahaha (you losers).

    APK

    P.S.=> Biggest bunch of underachieving PUSSY losers & liars I ever saw online (especially fatass Jay Little, Jeremy Reimer, a WHIMP w/ a mail order Chinese Bride, & GOITERMAN Peter "not too" Bright)... apk

  20. Wrong: EAT YOUR WORDS punk by Anonymous Coward · · Score: 0

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

    take a look at the APK hosts file engine by SuperKendall

    APK is kinda right. I've tried his hosts file generating software. It works by bmo

    I like your host file system by Karmashock

    I find your hosts file admirable by vel-ex-tech

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    * Recommended & hosted by Malwarebytes' hpHosts!

    APK

    P.S.=> How did eating your words taste washed down w/ the bitter taste of SELF-defeat? Like your FOOT IN YOUR MOUTH ramming them back down your chicken-neck throat? apk