Updated on 2022-10-24: GitHub Repositories with Phony PoCs and Malware
In a technical paper published earlier this month, researchers from Leiden Institute of Advanced Computer Science present findings from their study of the distribution of malicious proof-of-concept exploits on GitHub. In their paper, the researchers write, “We have proposed an approach to detect if a PoC is malicious … [that] relies on detecting the symptoms we have observed in the collected dataset, for example, calls to malicious IP addresses, encoded malicious code, or included Trojanized binaries. With this approach, we have discovered 4893 malicious repository out of 47313 repositories that have been downloaded and checked (i.e., 10.3% of the studied repositories have symptoms of malicious intent). This figure shows a worrying prevalence of dangerous malicious PoCs among the exploit code distributed on GitHub.”
Note
- Fake exploits have a long history, and more recently, GitHub has become the favorite place to post real as well as fake exploits. Whenever you download an exploit, no matter if it comes from GitHub or other sources, first try to understand what the code is doing and be suspicious if parts of the code are particularly obfuscated or hard to read. Even once you review the exploit, run it with caution on isolated machines.
- I know you want to download the exploit PoC and try it out in your lab. The message here is that they are often loaded with added malware you’re not expecting. Make sure you fully understand any obfuscated or binary code downloaded before executing it. Leverage OSINT tools like VirusTotal to analyze binaries. Also beware of network connections made / attempted in the lab in case the code is calling for more components or phoning a friend.
Read more in
- How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub (PDF)
- Thousands of GitHub repositories deliver fake PoC exploits with malware
Overview: GitHub flooded with fake and malicious PoCs
If you’re a security researcher or IT admin tasked with defending your network and you download proof-of-concept code from GitHub, there’s a one in ten chance that you will download and run a fake or malicious exploit, according to the results of a sprawling study performed by academics from Leiden University in the Netherlands.
The researchers said they downloaded and analyzed 47,313 GitHub repositories containing PoC code for known vulnerabilities discovered between 2017 and 2021.
The research team analyzed if the exploit code communicated with known malicious IP addresses, if the exploit contained any obfuscated hexadecimal or Base64 code, or if the exploit contained known trojanized binaries.
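A minimal triage scanner for the three symptoms just described (call-outs to listed IP addresses, long encoded blobs, and binaries matching a known-bad hash list), written as an added illustration for this digest and not the researchers' own tooling. The blocklist, the hash list, the file-extension sets and the sample repository it builds are constructed placeholders, not real indicators; in practice the lists would come from feeds you trust.

```python
"""Triage a checked-out PoC repository for three symptom classes:
literal IP addresses outside lab ranges (checked against a blocklist),
long base64/hex/hex-escape runs, and binaries whose SHA-256 is known-bad.
Added example; indicator lists and the sample repository are constructed.
"""
import hashlib
import ipaddress
import re
import string
import tempfile
from pathlib import Path

# Constructed indicator lists (placeholders): replace with feeds you trust.
KNOWN_BAD_IPS = {"203.0.113.7"}                       # TEST-NET-3, constructed
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed trojanized binary").hexdigest()}

# Ranges expected in lab PoCs (LHOST, loopback) that are not reported as call-outs.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")        # long base64 or hex run
ESCAPE_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){16,}")     # "\x41\x41..." style run
TEXT_EXT = {".py", ".sh", ".c", ".cpp", ".rb", ".pl", ".ps1", ".js", ".go", ".txt", ".md"}
BINARY_EXT = {".exe", ".dll", ".so", ".bin", ".elf"}


def external_ips(text):
    """Distinct IPv4 literals in source text that fall outside the lab/private ranges."""
    found = set()
    for literal in IP_RE.findall(text):
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:              # "999.1.1.1", version strings, etc.
            continue
        if any(ip in net for net in LOCAL_NETS):
            continue
        found.add(str(ip))
    return sorted(found)


def encoded_blobs(text):
    """(kind, length) for each long base64, hex or hex-escape run in the text."""
    blobs = []
    for m in ESCAPE_RE.finditer(text):
        blobs.append(("hex-escape", len(m.group(0))))
    for m in BLOB_RE.finditer(text):
        s = m.group(0)
        kind = "hex" if all(c in string.hexdigits for c in s) else "base64"
        blobs.append((kind, len(s)))
    return blobs


def scan_repo(repo):
    """Walk a repository directory and collect the three symptom classes."""
    report = {"external_ips": set(), "blocklisted_ips": set(),
              "blobs": [], "bad_binaries": []}
    for path in Path(repo).rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix in TEXT_EXT:
            text = path.read_text(errors="replace")
            ips = external_ips(text)
            report["external_ips"].update(ips)
            report["blocklisted_ips"].update(ip for ip in ips if ip in KNOWN_BAD_IPS)
            report["blobs"].extend((path.name, kind, n) for kind, n in encoded_blobs(text))
        elif suffix in BINARY_EXT:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            if digest in KNOWN_BAD_SHA256:
                report["bad_binaries"].append(path.name)
    report["suspicious"] = bool(report["blocklisted_ips"] or report["blobs"]
                                or report["bad_binaries"])
    return report


# Constructed "PoC" for the scanner to flag; it does nothing useful and is not an exploit.
SAMPLE_POC = r'''#!/usr/bin/env python3
import base64, socket
TARGET = "192.168.56.101"                                   # lab host, ignored
s = socket.create_connection(("203.0.113.7", 4444))         # unexplained call-out
blob = base64.b64decode("aGVsbG8gd29ybGQgdGhpcyBpcyBhIGNvbnN0cnVjdGVkIGV4YW1wbGU=")
pad = b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
'''


def demo():
    """Build a throw-away repository from the constructed sample and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "exploit.py").write_text(SAMPLE_POC)
        (repo / "helper.exe").write_bytes(b"constructed trojanized binary")
        (repo / "README.md").write_text("PoC for CVE-PLACEHOLDER\n")
        return scan_repo(repo)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scanner is deliberately crude: an IP literal in a PoC is normal (the target or listener), so the signal is a routable address that the code never explains, and a long blob is a prompt to decode and read it before running anything, not proof of malice on its own.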
The team said that using this analysis method, they identified 4,893 malicious repositories—roughly 10.3% of all the scanned repos. Sixty of these are still live today, the researchers told BleepingComputer in an interview.
Academics said the number of malicious repositories was high in 2019, 2020, and 2021, compared to 2017 and 2018. The researchers argued that this happened because those three years saw “a few CVEs that have had a massive security impact” rather than threat actors focusing on this particular distribution method.
Among the most dangerous examples the research team saw, they found exploits laced with Cobalt Strike backdoors, infostealers, and a plethora of remote access trojans.
Besides obviously malicious PoCs focused on collecting and exfiltrating data or infecting machines with malware, the Leiden University team also saw fake or joke PoCs where there was no malintent, such as your obligatory rick-roll.
The infosec community went past its childish naivety stage a long time ago, so most researchers and IT admins don’t run PoCs directly on their production systems these days (hopefully 🤞). This study just puts a number on the chances of getting infected with malware if you’re running PoCs shared by some unknown account named PapaSmurf, rather than waiting for someone like Rapid7 or TrustedSec to release one.