NewssecuritySoftwareJune 2, 20200GitHub warns developers against a new malware

GitHub’s security team announced that they have found a malware, named Octopus Scanner, in 26 repositories.

GitHub’s security team has announced that they have received a message from a security researcher who pinpoints a malware in GitHub-hosted repositories. GitHub’s analysis shows that the malware is designed to enumerate and backdoor NetBeans projects. The malware is dubbed “Octopus Scanner” and as a result of GitHub’s investigation, it is found in 26 open-source projects. Security researcher JJ provided detailed information about the repositories that were vulnerable. JJ states:

The malware is capable of identifying the NetBeans project files and embedding malicious payload both in project files and build JAR files. Below is a high-level description of the Octopus Scanner operation:

  • Identify user’s NetBeans directory
  • Enumerate all projects in the NetBeans directory
  • Copy malicious payload cache.dat to nbproject/cache.dat
  • Modify the nbproject/build-impl.xml file to make sure the malicious payload is executed every time NetBeans project is build
  • If the malicious payload is an instance of the Octopus Scanner itself the newly built JAR file is also infected.

Low detection rate

GitHub’s analysis also shows that this malware has a low detection rate of 4 out of 60, according to the VirusTotal dashboard. The malware disguises itself as an ocs.txt file. GitHub also stated:

“While we have seen many cases where the software supply chain was compromised by hijacking developer credentials or typosquatting popular package names, a malware that abuses the build process and its resulting artifacts to spread is both interesting and concerning for multiple reasons. In an OSS context, it gives the malware an effective means of transmission since the affected projects will presumably get cloned, forked, and used on potentially many different systems.

The actual artifacts of these builds may spread even further in a way that is disconnected from the original build process and harder to track down after the fact. Since the primary-infected users are developers, the access that is gained is of high interest to attackers since developers generally have access to additional projects, production environments, database passwords, and other critical assets. There is a huge potential for escalation of access, which is a core attacker objective in most cases.”

Leave a Reply