|

Threat Intelligence | Analysis of a GitHub Poisoning Attack Disguised as Recruitment

The attacker sends a GitHub repository by a recruitment message and persuades the goal to run the MVP earlier than the interview.

The account introduced itself as a Web3 funding and enterprise skilled, with a historical past of posting about undertaking investments, product improvement, and associated subjects. As a outcome, when the attacker despatched the GitHub repository, the goal was extra more likely to understand it as reputable undertaking materials fairly than a malicious supply.

The related account was introduced as having a Web3 funding and enterprise background.

After acquiring the repository, the SlowMist Security Team examined the undertaking code and startup course of.

While reviewing the undertaking configuration, we seen a suspicious JavaScript file that was loaded as a Tailwind plugin:

theme/js/auron-core.min.js

The file was referenced within the Tailwind configuration. As lengthy as the goal adopted the undertaking’s directions and executed the event or construct instructions, Node.js would load and execute the file by require().

theme/js/auron-core.min.js was not a reputable frontend element or Tailwind plugin. Its code was closely obfuscated and really served as the first-stage loader of the malware.

The loader spawned a number of hidden Node.js little one processes and injected three second-stage scripts into them. These scripts have been liable for stealing browser and pockets knowledge, trying to find and importing native recordsdata, and establishing a distant management channel.

Unlike faux airdrop pages, malicious paperwork, or assaults that trick victims into executing terminal instructions, this marketing campaign embedded the malicious code immediately into what seemed to be a reputable improvement undertaking. The precise danger materialized domestically — solely when the goal cloned the repository and launched the undertaking was the malicious code executed.

MistEye Response

MistEye is a Web3 menace intelligence and dynamic safety monitoring system independently developed by SlowMist. It integrates safety monitoring and menace intelligence aggregation capabilities to supply customers with real-time danger alerts and asset safety.

MistEye promptly synchronized the chance by its menace intelligence feeds and buyer alert channels.

Malware Analysis

This part focuses on theme/js/auron-core.min.js within the repository. The evaluation covers its execution path, runtime setting, first-stage loader conduct, second-stage payload obligations, C2 communication, command protocol, IOCs, and forensic investigation strategies.

1. Sample Overview and Execution Trigger

The evaluation goal is theme/js/auron-core.min.js.

Similar Posts