GitHub Exploited for Distributing Malware-as-a-Service Payloads

Researchers from Cisco’s Talos security team have identified a sophisticated malware-as-a-service (MaaS) operation that exploited public GitHub accounts to distribute various types of malicious software to targeted entities. This distribution method capitalized on GitHub’s widespread acceptance in enterprise environments, where many organizations rely on the platform for software development. Following the discovery, GitHub promptly removed the three accounts associated with the malicious activity.

The Talos team noted that GitHub serves not only as a reliable file hosting solution but also as a potential means of circumventing web filtering measures. Many organizations configure their security systems to allow access to GitHub while restricting other sites, which can make it challenging to detect malicious downloads that appear similar to regular web traffic. This presents a significant risk, especially for businesses with active software development teams that require GitHub access.

The campaign, which has reportedly been active since February, utilized a known malware loader referred to as Emmenhtal or PeakLight. Research from both Palo Alto Networks and Ukraine’s major state cyber agency documented Emmenhtal’s use in previous attacks that targeted Ukrainian organizations through compromised emails. In this latest MaaS operation, Talos discovered that the same Emmenhtal variant was disseminated via GitHub instead of email.

A noteworthy distinction in this campaign was the type of final payload delivered. While the previous operations against Ukrainian entities resulted in the installation of SmokeLoader, this campaign deployed Amadey—a separate malware platform recognized for its role in botnet creation. First identified in 2018, Amadey’s primary function involves gathering system information from infected devices and subsequently downloading customized secondary payloads tailored for specific operational goals.

For businesses weighing the implications of such attacks, understanding the tactics used in this operation is essential. Mapped to the MITRE ATT&CK framework, they include initial access through file hosting platforms like GitHub, with the potential for persistence and privilege escalation once the malware runs on victim systems. The operation’s stealth, which comes from leveraging a trusted platform, exemplifies the evolving threat landscape businesses face today.

Organizations must remain vigilant by implementing appropriate security measures, including intrusion detection capable of flagging downloads from allowlisted platforms such as GitHub that do not match normal development activity. This incident underscores the importance of continuously monitoring and adapting cybersecurity strategies to address emerging threats in an increasingly complex digital environment.
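One way to act on that recommendation, as an added example that is not from the Talos report or this article: a small Python triage pass over constructed proxy-log lines that flags successful downloads of GitHub-hosted content whose repository owner is outside an assumed allowlist or whose client sits outside an assumed developer subnet, the gap described earlier where allowlisted GitHub traffic blends in with normal web activity. The sample log, the allowlist, the subnet prefix and the file-type list are all constructed assumptions.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines: "<client_ip> <method> <url> <status> <bytes>"
SAMPLE_LOG = """\
10.1.20.15 GET https://github.com/acme-corp/build-tools/archive/refs/heads/main.zip 200 481920
10.1.50.77 GET https://raw.githubusercontent.com/some-unknown-user/stuff/main/update.vbs 200 4096
10.1.50.78 GET https://github.com/some-unknown-user/stuff/releases/download/v1/setup.exe 200 912384
10.1.20.16 GET https://raw.githubusercontent.com/acme-corp/infra/main/README.md 200 2048
"""

GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}
KNOWN_OWNERS = {"acme-corp"}  # assumed: repo owners the organisation actually develops against
DEV_PREFIX = "10.1.20."       # assumed: subnet of hosts expected to reach GitHub at all
RISKY_EXT = {".exe", ".dll", ".js", ".vbs", ".ps1", ".hta", ".lnk", ".zip"}  # loader-style file types
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def github_owner(url):
    # Return the repo-owner path segment for GitHub content URLs, or None for other hosts
    p = urlparse(url)
    if p.hostname not in GITHUB_HOSTS:
        return None
    parts = [s for s in p.path.split("/") if s]
    return parts[0].lower() if parts else None

def triage(log_text):
    """Return (reasons, record) for successful GitHub downloads that do not fit expected dev activity."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["status"] != "200":
            continue
        owner = github_owner(rec["url"])
        if owner is None:
            continue  # not GitHub traffic; outside the scope of this check
        reasons = []
        if owner not in KNOWN_OWNERS:
            reasons.append("unknown-repo-owner")
        if not rec["ip"].startswith(DEV_PREFIX):
            reasons.append("non-dev-host")
        if not reasons:
            continue  # known repo fetched from a developer host: expected GitHub use
        ext = os.path.splitext(urlparse(rec["url"]).path)[1].lower()
        if ext in RISKY_EXT:
            reasons.append("risky-extension:" + ext)
        findings.append((reasons, rec))
    return findings
```

Run against real proxy exports, the owner allowlist should be generated from the repositories the organisation actually clones, and the flagged records fed to whatever alerting the SOC already uses.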
