Cyber miscreants have turned to GitHub and GitHub-related services to stealthily distribute cryptocurrency mining malware without user consent.
Git is a revision control system that manages source code history, storing it in a data structure called a repository. GitHub is a hosting service for Git repositories, used to manage a project or set of files, that also serves static personal and organization pages.
Cryptocurrency mining malware is developed to take over a computer's resources and harness its processing power to generate revenue for the attacker. According to research by renowned cyber security companies, a single cryptocurrency mining botnet (a collection of internet-connected devices such as PCs, mobiles and servers infected with the same malware without their owners' knowledge) can earn its developers up to $30,000 per month.
Many cryptojacking campaigns abusing GitHub have been identified in recent months. For instance, forking random projects on GitHub and hiding malicious executables in the directory structure of these projects has long been a common practice.
When the crooks realised that security researchers had discovered and countered these tactics, they devised a new approach that abused GitHub-related services instead.
Malware developers have found a new deceitful way to mine cryptocurrencies via RawGit. RawGit is a web app that acts as a caching proxy for GitHub files. It is an unofficial GitHub service that serves requested files from GitHub repositories through an externally hosted CDN.
RawGit forwards user requests to GitHub, caches the responses, and relays them to the browser. The caching layer keeps the load on GitHub minimal and provides quick and easy access to files directly from a GitHub repository.
In a recent cryptojacking operation, cybercriminals uploaded a cryptocurrency mining script to a GitHub account named jdobt and then cached the raw file using RawGit. They then deleted the original GitHub account to remove the evidence.
The malicious code was then embedded on hacked sites using the RawGit URL, a domain that is usually considered trustworthy and hence not subjected to additional scans by security software.
Moreover, RawGit URLs referencing these malicious files kept working even after the files were removed from GitHub, making RawGit a preferable choice over direct links to GitHub.
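One defensive check that follows from the two points above, added here as an example and not code from the original article: a small Python scanner that pulls every script src out of a page, flags the ones served through RawGit, and maps each back to the raw.githubusercontent.com file it would have been cached from, so a site owner can verify whether the upstream source still exists. The host list and the assumption that RawGit paths mirror GitHub's user/repo/ref/path layout are mine; the sample page and repository names are constructed placeholders.

```python
"""Scan an HTML page for <script src> tags served through the RawGit
caching proxy and map each back to the GitHub source it was cached from."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames used by the RawGit proxy (dev host and production CDN host).
RAWGIT_HOSTS = {"rawgit.com", "cdn.rawgit.com"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def rawgit_to_github_raw(url):
    """Map a RawGit URL to the raw.githubusercontent.com URL it proxies, or None.
    Assumes RawGit paths mirror GitHub's /user/repo/ref/path layout."""
    parsed = urlparse(url)  # also handles protocol-relative //host/... URLs
    if parsed.netloc.lower() not in RAWGIT_HOSTS:
        return None
    parts = parsed.path.strip("/").split("/")
    if len(parts) < 4:  # need at least user/repo/ref/file
        return None
    return "https://raw.githubusercontent.com/" + "/".join(parts)


def find_rawgit_scripts(html):
    """Return (rawgit_url, upstream_github_url) pairs for scripts loaded via RawGit."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return [(src, up) for src in collector.sources
            if (up := rawgit_to_github_raw(src)) is not None]


# Constructed sample page; the user/repo names are placeholders, not real accounts.
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn.rawgit.com/EXAMPLE-USER/EXAMPLE-REPO/master/miner.js"></script>
<script src='//rawgit.com/EXAMPLE-USER/EXAMPLE-REPO/abc123/lib/x.js'></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for rawgit_url, upstream in find_rawgit_scripts(SAMPLE_HTML):
        print(f"RawGit script: {rawgit_url}\n  cached from: {upstream}")
```

Fetching each upstream URL and getting a 404 while the RawGit copy still serves is exactly the "deleted from GitHub but still cached" condition the article describes.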
The technique cleverly abuses RawGit, a service known mainly to web developers, who use it for personal testing or for sharing temporary demos with a few people during development.
The attempt to abuse RawGit turned out to be a huge failure:
The group behind the campaign thought it clever to keep the malicious scripts online even after deleting them from GitHub. However, RawGit responded quickly, purged the malicious URL within hours of being reported, and the URL now returns a 403 error.
The researchers at Virus Removal Guidelines are dedicated to tracking down the latest vulnerabilities that may compromise your system security. Our team of experts performs detailed research on every malware infection before educating our users about it.