Story image

Malware campaign targets open source developers on GitHub

31 Mar 2017

Be on your guard if you’re a developer who uses GitHub – someone could be trying to infect your computer with malware.

Reports have emerged that malicious hackers are attempting to infect open source programmers’ computers with a Trojan horse, by launching a targeted malware campaign via email against GitHub developers.

The attack, which was first noticed in January, typically arrives in the form of a flattering email offering programming work:

Hey. I found your software is online. Can you write the code for my project? Terms of reference attached below. The price shall discuss, if you can make. Answer please.

Other, more recent sightings, have seen the attackers be a little less curt in their approach:

Hello,

My name is Adam Buchbinder, I saw your GitHub repo and i’m pretty amazed. The point is that i have an open position in my company and looks like you are a good fit.

Please take a look into attachment to find details about company and job. Dont hesitate to contact me directly via email highlighted in the document below.

Thanks and regards, Adam.

Hungry programmers, keen to keep themselves in a steady supply of pizza and Jolt cola, and flattered by the praise, may find it only too tempting to click on the poisoned attachment in the belief that they are being offered some genuine work.

The attached file, which is in an archive format, has been seen to contain a boobytrapped Word document designed to install further malicious code onto its victim’s PC.

The malware, called Dimnie by Palo Alto researchers, is detected by ESET security products as VBA/TrojanDownloader.Agent.CLB.

If it successfully manages to infect a target’s computer, the Trojan can spy upon the PC’s activity – logging keystrokes, taking screenshots, and stealing information. Someone unknown is now spying on the activities of a programmer working on open source software, potentially stealing their passwords and perhaps meddling with the open source code that is being published online.

What makes this latest version of the Dimnie Trojan more sophisticated is its sophisticated methods of camouflaging its behaviour, in an attempt to avoid its suspicious data exfiltration being picked up by security products which might be running on the coder’s network.

In a final flourish of panache, the Trojan is even capable of self-destructing, destroying evidence that it was ever present on the developer’s PC.

Speculation is sure to mount as to the motivations of whoever is targeting developers who use GitHub, but it seems likely that the masterminds of this attack are doing so to gather information and perhaps steal credentials that could help them access other businesses for whom the developers may be working. Furthermore, we shouldn’t dismiss the possibility that the attackers are interested in secretly introducing weaknesses into coding projects under the guise of a trusted, legitimate programmer.

These targeted attacks are a healthy reminder to all computer users – however technical – that they should always think twice about clicking on unsolicited attachments.

Article by Graham Cluley, independent security analyst, welivesecurity.

Why 'right to repair' legislation could be a new lease on life for broken devices
“These companies are profiting at the expense of our environment and our pocketbooks as we become a throw-away society that discards over 6 million tonnes of electronics every year.”
Attacks targeting Cisco Webex extension explode in popularity - WatchGuard
WatchGuard's Internet Security Report for Q4 2018 also finds growing use of a new sextortion phishing malware customised to individual victims.
SAS partners with NVIDIA on deep learning and computer vision
“By partnering with NVIDIA, we combine our strengths to augment human intelligence and realise the true potential of AI.” 
Why businesses must embrace automation to ensure success
“For many younger workers, the traditional view of a steady job at one company, perhaps for life, simply doesn’t reflect reality."
Dropbox invests in hosting data inside Australia
Global collaboration platform Dropbox has announced it will now host Australian customer files onshore to support its growing base in the country.
TYAN unveils new inference-optimised GPU platforms with NVIDIA T4 accelerators
“TYAN servers with NVIDIA T4 GPUs are designed to excel at all accelerated workloads, including machine learning, deep learning, and virtual desktops.”
Worldwide spending on security to reach $103.1bil in 2019 - IDC
Managed security services will be the largest technology category in 2019.
How Cognata and NVIDIA enable autonomous vehicle simulation
“Cognata and NVIDIA are creating a robust solution that will efficiently and safely accelerate autonomous vehicles’ market entry."