Researchers have uncovered a network of GitHub accounts containing backdoored versions of legitimate software. In some cases, the doctored applications secretly downloaded bot software that could be used to remotely bid on high-value sneakers.
Researchers at DFIR.it seem to favour quality over quantity. They blog roughly once each year, but when they do it’s a doozy. This year’s blog contains a detailed investigation into a network of over 300 accounts on GitHub, an online service that allows people to store and collaborate on software projects. The accounts promoted a mixture of Windows, Linux and Mac OS software with malware backdoors.
The researcher, who goes by the name JJ, found what claimed to be an installer for JXplorer, a Java-based LDAP browser and editor. They found that the fake installer included functionality not in the official JXplorer installer, which led them down a rabbit hole of fake software and dummy accounts.
The installer downloaded and executed code, fetched from a host on a free dynamic DNS provider, designed to run in Microsoft’s PowerShell command-line shell. PowerShell is a legitimate tool for sysadmins, but intruders also often use it to execute commands because it gives low-level access to the operating system. Downloading and executing PowerShell code is an unusual thing for an installer to do.
The installer also installed blazebot, which is a software bot that enables people to keep trying to buy new, limited edition sneakers as they become available on e-commerce sites. The bot was connected to supremenewyork.com.
Why would anyone do that? As it turns out, sneakerbots are big business. The world of ticket bots, which constantly hammer online ticket sales sites to buy tickets when they first appear, is relatively well-known. The sneaker-buying subculture is less public, but ‘sneakerheads’ will pay hundreds of dollars for the mere chance of buying the latest soft shoe brands.
The bot seemed to match Supreme New York Blaze Bot, a sneakerbot demonstrated on YouTube. The person who uploaded that video has the same name as the person who owns the blazebot repository on GitHub.
JJ analysed other code in the fake installer and found it calling out to hardcoded URLs, from which it downloaded more code that looked like a remote access tool (RAT). This in turn communicated with backend command and control servers from which it could download new code. Finally, it also extracted the username from a user’s .gitconfig file, the configuration file for the git version control software found on many developer machines.
Digging further, JJ searched for JXplorer on GitHub and found repositories using its name. Rather than clones of the real repository (which people often create if they’re working on new open source features), these were unique repositories. Some of them ranked higher than the official repository, with more GitHub stars. Checking the Linux JXplorer installer in one of these repos, JJ found more malicious code that infected the host machine.
JJ analysed other GitHub accounts that starred or followed the fake JXplorer repository and found telltale signs of dummy accounts created automatically. These included clusters of accounts created at the same time, often hosting only one or even no repositories. These accounts all starred or subscribed to each other’s repositories, creating a network of dummy GitHub accounts that bolstered each other’s reputation.
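As an added illustration (not part of JJ’s investigation or the DFIR.it post), here is how a defender could screen a set of GitHub accounts for the pattern described above: accounts created minutes apart, with few or no repositories, that star each other’s repos. The account data is constructed and the window and thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample accounts (not real GitHub users), modelled on the traits described:
# (login, creation timestamp, number of own repos, set of repo owners this account starred)
ACCOUNTS = [
    ("dev-alpha", "2019-03-02T10:00:11", 1, {"dev-bravo", "dev-charlie", "dev-delta"}),
    ("dev-bravo", "2019-03-02T10:00:54", 0, {"dev-alpha", "dev-charlie", "dev-delta"}),
    ("dev-charlie", "2019-03-02T10:01:30", 1, {"dev-alpha", "dev-bravo", "dev-delta"}),
    ("dev-delta", "2019-03-02T10:02:05", 1, {"dev-alpha", "dev-bravo", "dev-charlie"}),
    ("jane-real", "2016-07-19T08:12:00", 24, {"torvalds", "dev-alpha"}),
    ("bob-real", "2018-11-03T15:45:00", 9, {"jane-real"}),
    ("carol-real", "2018-11-03T15:46:00", 12, {"bob-real", "jane-real"}),
]

def cluster_by_creation(accounts, window=timedelta(minutes=10)):
    """Group accounts whose creation time is within `window` of the previous account's."""
    ordered = sorted(accounts, key=lambda a: a[1])
    clusters, current = [], []
    for acct in ordered:
        ts = datetime.fromisoformat(acct[1])
        if current and ts - datetime.fromisoformat(current[-1][1]) > window:
            clusters.append(current)
            current = []
        current.append(acct)
    if current:
        clusters.append(current)
    return clusters

def mutual_star_density(cluster):
    """Fraction of ordered pairs (a, b) in the cluster where a starred one of b's repos."""
    logins = {a[0] for a in cluster}
    if len(logins) < 2:
        return 0.0
    edges = sum(1 for a in cluster for target in a[3] if target in logins and target != a[0])
    return edges / (len(logins) * (len(logins) - 1))

def find_star_rings(accounts, min_size=3, max_repos=1, min_density=0.8):
    """Return sorted login lists of clusters that look like a reputation-bolstering ring."""
    rings = []
    for cluster in cluster_by_creation(accounts):
        if len(cluster) < min_size:
            continue
        sparse = sum(1 for a in cluster if a[2] <= max_repos) / len(cluster)
        if sparse >= 0.75 and mutual_star_density(cluster) >= min_density:
            rings.append(sorted(a[0] for a in cluster))
    return rings

if __name__ == "__main__":
    print(find_star_rings(ACCOUNTS))
```

The three genuine accounts are never flagged: two of them were created a minute apart, but they have many repos and do not star each other in a ring.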
Analysing one of these accounts, JJ found backdoored software containing malicious code that tried to download a file from a SourceForge project. That project seemed to belong to the same person who owned the original blazebot repo on GitHub. GitHub has taken down practically all the accounts in the network, although the account containing the blazebot repository is still up at the time of writing.
What’s the takeaway here? There are several.
First: JJ’s blog is a great example of online digital investigations, and worth reading for anyone interested in getting involved in the field.
Second: Sneakerbots. Who knew?
Third: Creating subnetworks of accounts to bolster reputation for malicious purposes is a thing, and people are doing it on GitHub now.