Home / Industry

Who Could Be Behind the Latest GitHub-Hosted Malware Infrastructure?

GitHub is a popular code repository used by almost all software developers. Anyone can access it to share their code with practically anyone interested. Unfortunately, not every GitHub user is trustworthy. It has, in fact, been used to host malware at least a couple of times.

In March 2018, for instance, cybercriminals hosted cryptocurrency mining malware on GitHub. More recently, a researcher reportedly used the repository to host several malicious projects. WhoisXML API threat researcher Dancho Danchev took a closer look at one such campaign using six domains and subdomains as jump-off points.

Danchev’s findings led to the discovery of:

  • More than 90 active IP resolutions of the domains and subdomains identified as indicators of compromise (IoCs), four of which were dubbed “malicious” by various malware engines
  • More than 300 possibly connected domains, as they shared the IoCs’ IP addresses, 14 of which were believed to be malware hosts
  • Close to 20 additional domains that used the same strings as the IoCs with different top-level domain (TLD) extensions, one of which was deemed “malicious”

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What Reports Say

Publicly available reports revealed six web properties as IoCs—ovzl[.]jl9544519[.]pr46m[.]vps[.]myjino[.]ru, ovz1[.]9147167707[.]1xdez[.]vps[.]myjino[.]ru, myjino[.]ru, kolobkoproms[.]ug, m[.]ancard[.]ru, and reshenie2014[.]ru. We used these as the starting point for our in-depth investigation.

Analysis and Findings

Screenshot lookups for these pages showed that three of them continue to host live albeit insconpiscous content.

Note the similarity between their content, though. They all seem to be pointing to myjino[.]ru.

A bulk WHOIS lookup for the web properties identified as IoCs revealed that all of them were bulk-registered in the U.S. on 5 October 2011, with R01-RU as their registrar.

DNS lookups for the domains and subdomains showed that they resolved to 92 unique IP addresses, all geolocated in Russia and managed by Internet service provider (ISP) JSC RTComm.RU. Given that WHOIS and DNS records all point to Russia, could the perpetrators be based there?

According to malware checks on Threat Intelligence Platform (TIP), four of the IP address resolutions—195[.]161[.]62[.]100, 81[.]177[.]139[.]113, 81[.]177[.]141[.]241, and 81[.]177[.]135[.]89—were dubbed “malicious” by various malware engines.

To find more possibly connected artifacts, we used the IP addresses as reverse IP lookup search terms. That led to the discovery of 307 additional domains, 14 of which were tagged “malware hosts” based on a bulk TIP malware check. These properties were:

  • superdocs[.]ru
  • melindas[.]ru
  • kinksdoc[.]ru
  • nodeline[.]xyz
  • sidelink[.]xyz
  • yahooads[.]ru
  • aols-billing[.]us
  • financeyahoo[.]hk
  • photoyahoo[.]us
  • yahoomessenger[.]us
  • yahoopersonals[.]us
  • yahoogeocities[.]us
  • yahoodigital[.]us
  • aolbillupdate[.]us

We also looked for additional domains via Domains & Subdomains Discovery using the strings “myjino,” “kolobkoproms,” “ancard,” and “reshenie2014” as search terms. That uncovered 18 domains. We limited the domains to those with the exact terms but different TLD extensions. Of these, one—ancard[.]cn—was malicious.

How to Stay Safe from Rogue GitHub Repositories

While GitHub has been employing stricter rules to avoid hosting malware since 2021, cyber attackers are always on the lookout for ways to bypass security measures. As an additional precaution, developers may want to subject their GitHub downloads to malware checks before using them on network-connected systems. Avoiding access to the web properties identified as malicious in this post may also be a worthy endeavor.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Commenting is not available in this channel entry.

Related

Topics

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global