GitHub is a popular code repository used by almost all software developers. Anyone can access it to share their code with practically anyone interested. Unfortunately, not every GitHub user is trustworthy. It has, in fact, been used to host malware at least a couple of times.

In March 2018, for instance, cybercriminals hosted cryptocurrency mining malware on GitHub. More recently, a researcher reportedly used the repository to host several malicious projects. WhoisXML API threat researcher Dancho Danchev took a closer look at one such campaign using six domains and subdomains as jump-off points.

Danchev’s findings led to the discovery of:

• More than 90 active IP resolutions of the domains and subdomains identified as indicators of compromise (IoCs), four of which were dubbed “malicious” by various malware engines
• More than 300 possibly connected domains, as they shared the IoCs’ IP addresses, 14 of which were believed to be malware hosts
• Close to 20 additional domains that used the same strings as the IoCs with different top-level domain (TLD) extensions, one of which was deemed “malicious”

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What Reports Say

Publicly available reports revealed six web properties as IoCs—ovzl[.]jl9544519[.]pr46m[.]vps[.]myjino[.]ru, ovz1[.]9147167707[.]1xdez[.]vps[.]myjino[.]ru, myjino[.]ru, kolobkoproms[.]ug, m[.]ancard[.]ru, and reshenie2014[.]ru. We used these as the starting point for our in-depth investigation.

Analysis and Findings

Screenshot lookups for these pages showed that three of them continue to host live albeit insconpiscous content.

Note the similarity between their content, though. They all seem to be pointing to myjino[.]ru.

A bulk WHOIS lookup for the web properties identified as IoCs revealed that all of them were bulk-registered in the U.S. on 5 October 2011, with R01-RU as their registrar.

DNS lookups for the domains and subdomains showed that they resolved to 92 unique IP addresses, all geolocated in Russia and managed by Internet service provider (ISP) JSC RTComm.RU. Given that WHOIS and DNS records all point to Russia, could the perpetrators be based there?

According to malware checks on Threat Intelligence Platform (TIP), four of the IP address resolutions—195[.]161[.]62[.]100, 81[.]177[.]139[.]113, 81[.]177[.]141[.]241, and 81[.]177[.]135[.]89—were dubbed “malicious” by various malware engines.

To find more possibly connected artifacts, we used the IP addresses as reverse IP lookup search terms. That led to the discovery of 307 additional domains, 14 of which were tagged “malware hosts” based on a bulk TIP malware check. These properties were:

• superdocs[.]ru
• melindas[.]ru
• kinksdoc[.]ru
• nodeline[.]xyz
• sidelink[.]xyz
• yahooads[.]ru
• aols-billing[.]us
• financeyahoo[.]hk
• photoyahoo[.]us
• yahoomessenger[.]us
• yahoopersonals[.]us
• yahoogeocities[.]us
• yahoodigital[.]us
• aolbillupdate[.]us

We also looked for additional domains via Domains & Subdomains Discovery using the strings “myjino,” “kolobkoproms,” “ancard,” and “reshenie2014” as search terms. That uncovered 18 domains. We limited the domains to those with the exact terms but different TLD extensions. Of these, one—ancard[.]cn—was malicious.

How to Stay Safe from Rogue GitHub Repositories

While GitHub has been employing stricter rules to avoid hosting malware since 2021, cyber attackers are always on the lookout for ways to bypass security measures. As an additional precaution, developers may want to subject their GitHub downloads to malware checks before using them on network-connected systems. Avoiding access to the web properties identified as malicious in this post may also be a worthy endeavor.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.