- GitHub is being weaponized as malware infrastructure, report warns
- Emmenhtal and Amadey are part of a coordinated, multi-layered attack chain
- Victims are mostly Ukrainian organizations, but all GitHub users should be on their guard
Security researchers have uncovered a sophisticated malware-as-a-service (MaaS) operation which exploits public GitHub repositories to compromise its targets.
In a blog post, Cisco Talos said the threat actors evolved their delivery tactics, moving away from traditional phishing methods and into GitHub, which is often whitelisted in enterprise environments.
GitHub is an extremely popular platform in the open source world, and as such is under a constant barrage of attacks. This batch of malicious repositories was removed, just like countless before it.
How to defend against GitHub-borne attacks
The campaign sought to deliver two malware families – Emmenthal and Amadey – mostly to organizations in Ukraine.
Emmenthal is a malware loader that usually drops SmokeLoader, another loader. While a loader loading a loader doesn’t sound logical at first, there is a strategic rationale behind it.
Emmenhtal is designed as a stealthy, multistage downloader that excels at initial infection and evasion. Once a foothold is secured, it hands off the next phase of the attack to SmokeLoader, which is a feature-rich modular loader specializing in post-infection operations.
Amadey, on the other hand, is a botnet that was first spotted around 2018, mostly sold on Russian-speaking cybercrime forums. It acts as a modular downloader and system profiler, capable of delivering a wide range of malware including information stealers and ransomware.
In this campaign, Amadey was hosted on GitHub and disguised in various ways, such as an MP4 file, or embedded in Python scripts like `checkbalance.py’.
To defend against this, and other threats like it, businesses should enforce strict filtering for script-based attachments, keep a close eye on PowerShell execution, and review GitHub policies, wherever possible.
They should also go for defense-in-depth and behavioral monitoring, as these can help spot shady download patterns, or payloads being executed on targeted machines.
