GitHub CDN Deleted
News | 08/02/2018

Cryptojacking Campaign Alert! GitHub Account and Unofficial GitHub CDN Removed

About: GitHub and GitHub-related services suspected of distributing crypto currency mining malware without user consent deleted. Many cryptojacking campaigns have been identified in the past months that abused GitHub. When crooks discovered that their malic...  Read More  

| News | Cryptojacking Campaign Alert! GitHub Account and Unofficial GitHub CDN Removed

GitHub Attacked

Cyber miscreants have inclined to GitHub and GitHub-related services to stealthily distribute cryptocurrency mining malware without user consent.

Git is a tool, a revision control system to manage source code history. Git stores this information in a data structure called repository. GitHub is a static site hosting service of Git repository that aims to manage project or set of files, personal and organization pages.GitHub CDN Deleted

Cryptocurrency mining malware are developed to take over computers’ resources and harness the system’s processing power to generate revenue. According to the researches by renowned cyber security companies, a single cryptocurrency mining botnet (collection of internet- connected devices like PCs, mobiles, servers etc infected with the common type of malware without user knowledge) can earn up to $30,000 per month to its developers.

Many cryptojacking campaigns have been identified in the past months that left GitHub attacked . For instance, forking random projects on GitHub and hiding malicious executable in the directory structure of these projects has been a common practice since long.

When crooks discovered that their malicious tactics have been discovered and combated by security researchers, they devised a new approach that used GitHub-related services instead.

What is RawGit?

Developers have found a new deceitful way to mine cryptocurriences via RawGit. RawGit is a web app that acts as a caching proxy for GitHub files. It is an unofficial Github service that is used to serve requested files from GitHub repositories to externally hosted CDN.

RawGit forwards user requests to GitHub, caches the responses, and relays them to your browser. The caching layer ensures that that GitHub has minimal load and provides quick and easy access to files directly from GitHub repository.

How is RawGit CDN used to spread Cryptocurrency mining malware?

In recent cryptojacking operation Cybercriminals upload Cryptocurrency mining malware script on GitHub account named jdobt and then cached the raw file using RawGit. They then left the GitHub attacked by deleting the original account to remove evidences.

The malicious code was then embedded on hacked sites using RawGit URL, a domain that is usually considered to be authentic and hence not susceptible to additional security software scans.

Moreover, RawGit URLs with a reference to these malicious files existed even after being removed from GitHub, making it a preferable choice over direct links to GitHub.

The technique, cleverly planned to abuse RawGit URLs – is a service known only to web developers who use this service for personal testing or for sharing temporary demos with few people during development.

RawGit’s Abuse ends in vain 

GitHub CDN Deleted

The attempt to abuse RawGit turns out to be a huge fail as:

  1. The malicious Crypto-Loot script on hacked sites flunked proper execution and hence failed to pocket any revenue to the operators.
  2. RawGit’s security team acted promptly and removed the malicious cached URL hastily after it was reported.

Group behind the campaign found it clever to keep the malicious scripts online even after deleting them from GitHub. However, Rawgit’s quick response purged the malicious URL within hours after being reported and the URL now returns ‘403 error’.

Hits: 253

Leave a Reply

Your email address will not be published. Required fields are marked *

Did you find the article informative? Yes NO

Get Regular Updates Related to All the Threats

Want to stay informed about the latest threats & malware? Sign up for our newsletter & learn how to get rid of all types of threats from your computer.

Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Jaipur
Rajasthan 302033
Phone: +91 9799661866