Phishing campaign abuses GitHub notifications to get users to install malware themselves
Take action: If you receive a notification from GitHub, make sure it is legitimate by checking its content. If you are not expecting a notification, be very suspicious of it. Even if it looks legitimate, be very careful about clicking any link that does not directly open the GitHub web interface, such as third-party sites or sites asking you to grant them permissions to your GitHub account or repositories. Finally: NEVER COMPLY with a site that tells you to open the Run command, paste something and press Enter. It is just asking you to install malware yourself.
Learn More
An active phishing campaign is exploiting GitHub repository notifications to deliver malware to unsuspecting users who either contribute to or follow open-source projects.
This campaign exploits GitHub's "Issues" feature, which allows users to report bugs or vulnerabilities in projects. Each time a malicious user submits a new issue, GitHub’s legitimate servers send email alerts to the repository’s contributors and subscribers. These emails, while coming from official sources, direct users to the malicious domain.
The threat actors create fake "issues" on project repositories, falsely claiming that there is a security vulnerability in the project. If they mention a user in the message, or if users are following or contributing to the project, GitHub sends those users a notification containing the issue content from the email address "notifications@github.com", which adds credibility to the message.
The message directs users to a fake domain, "github-scanner[.]com," which is not associated with GitHub. This counterfeit site is designed to trick users into downloading Windows malware.
Attack Mechanism:
- Fake GitHub Issues: Threat actors open issues on popular GitHub repositories, claiming that the project contains a security vulnerability. Contributors and subscribers to these repositories receive legitimate email notifications from GitHub, making the phishing attempt seem authentic.
- Email Notifications: The phishing messages are sent from GitHub's official address (notifications@github.com) because, to GitHub, they are legitimate notifications of an issue in a repository. The faked notifications ask users to visit "github-scanner[.]com" to address the alleged issue. The email includes the signature "Best regards, GitHub Security Team" to add further legitimacy.
- Malicious Website: When users visit the site, they are presented with a fake CAPTCHA asking them to click a button; the click triggers malicious JavaScript code that loads a command into the computer's clipboard and asks users to:
  - Press Windows key+R (opening the Windows Run dialog).
  - Press Ctrl-V (pasting the command that the malicious JavaScript placed in the clipboard).
  - Press Enter (executing the command).
  If the user complies with the instructions, the command downloads and executes a malicious file, 'l6E.exe', disguised as "SysSetup.exe".
- Malware Delivery: The 'l6E.exe' file, identified as a trojan, includes anti-detection mechanisms and persistence capabilities. Once installed, it attempts to connect to various suspicious domains, most of which were already down at the time of discovery.
Users receiving such alerts should avoid following links or instructions in the email without verifying the issue directly within GitHub's platform. Any suspicious "issues" should be reported to GitHub for further investigation.
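As an added example (not part of the original advisory), the following Python script applies the advice above to a notification email: it extracts every link and keeps only those whose host really is github.com, sorting the rest into brand lookalikes such as github-scanner[.]com and plain external hosts. The sample message, the host allowlist and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Hosts that actually open GitHub's web interface (assumption: extend for GitHub Enterprise).
GITHUB_HOSTS = {"github.com", "www.github.com"}
URL_RE = re.compile(r"""https?://[^\s<>"'()\[\]]+""")


def classify_link(url: str) -> str:
    """Return 'github', 'lookalike' or 'external' for one URL.

    urlsplit() yields the real host, so https://github.com@evil.example/ (userinfo
    trick) and https://evil.example/github.com/ (path trick) are not 'github'.
    """
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return "external"
    if host in GITHUB_HOSTS:
        return "github"
    # A host that merely mentions github (github-scanner.com,
    # github.com.evil.example) is a brand lookalike: treat it as hostile.
    if "github" in host:
        return "lookalike"
    return "external"


def triage_notification(raw_email: str) -> dict:
    """Bucket every link in a single-part notification email by classify_link()."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    buckets = {"github": [], "lookalike": [], "external": []}
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")  # drop punctuation that followed the link in prose
        buckets[classify_link(url)].append(url)
    return buckets


# Constructed sample modelled on the campaign's lure (not a real capture).
SAMPLE = """From: GitHub <notifications@github.com>
Subject: [example/project] Security vulnerability found (#1)
Content-Type: text/plain; charset=utf-8

We found a security issue, please scan and fix it here: https://github-scanner.com/
View it on GitHub: https://github.com/example/project/issues/1
Login check: https://github.com@evil.example/login.
Best regards, GitHub Security Team
"""
```

Anything that lands in the lookalike or external bucket is a link to verify inside GitHub itself rather than to click from the email.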