Researchers from Cisco’s Talos security team have uncovered a malware-as-a-service (MaaS) operation that uses public GitHub accounts to distribute malicious software. The finding underscores how a widely trusted development platform can be abused as a delivery channel, and the threat that poses to enterprise environments that trust traffic to it by default.
GitHub gave the operators an easily accessible and reliable distribution channel, because many organizations rely on the platform for their software development needs. Following a tip-off from Talos, GitHub removed the three accounts that hosted the malicious payloads. As Talos researchers Chris Neal and Craig Jackson noted, downloading files from a GitHub repository may bypass web filtering rules that are not specifically configured to block the site.
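The filtering gap the researchers describe is easiest to see in proxy telemetry: a GitHub download of an executable looks like ordinary developer traffic unless something inspects the object being fetched rather than only the destination site. The following is an added example, not code from Talos or from the article: a small heuristic that reads Squid-native access log lines and flags successful GET requests to GitHub content hosts that fetched payload-like files, judged by file extension, by binary Content-Type, or by the release-asset download path. The host list, the extension and Content-Type lists, and the log lines themselves are constructed assumptions for illustration, not indicators from the campaign.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumed hosts that serve repository content or release assets.
GITHUB_CONTENT_HOSTS = {
    "github.com",
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
    "codeload.github.com",
}

# Assumed payload-like extensions; a heuristic, not a complete list.
PAYLOAD_EXTENSIONS = (
    ".exe", ".dll", ".scr", ".msi", ".iso", ".zip", ".rar", ".7z",
    ".js", ".vbs", ".ps1", ".bat", ".cmd", ".hta", ".lnk",
)

# Assumed Content-Types that indicate a binary rather than page/API traffic.
BINARY_CONTENT_TYPES = {
    "application/x-msdownload", "application/x-dosexec", "application/octet-stream",
    "application/zip", "application/x-rar-compressed", "application/x-7z-compressed",
}

# Constructed Squid-native access log lines (not real traffic):
# time elapsed client code/status bytes method URL user peer/host content-type
SAMPLE_LOG = """\
1720000000.123    412 10.0.0.15 TCP_MISS/200 1048576 GET https://raw.githubusercontent.com/example-user/repo/main/update.exe - HIER_DIRECT/140.82.112.3 application/x-msdownload
1720000001.456    118 10.0.0.15 TCP_MISS/200 2048 GET https://github.com/example-user/repo/blob/main/README.md - HIER_DIRECT/140.82.112.3 text/html
1720000002.789    501 10.0.0.42 TCP_MISS/200 524288 GET https://github.com/example-user/repo/releases/download/v1.0/setup.zip - HIER_DIRECT/140.82.112.3 application/zip
1720000003.012     90 10.0.0.42 TCP_MISS/200 4096 GET https://api.github.com/repos/example-user/repo - HIER_DIRECT/140.82.112.3 application/json
1720000004.345    220 10.0.0.99 TCP_MISS/200 8192 GET https://objects.githubusercontent.com/github-production-release-asset/1234/abcd?X-Amz-Signature=deadbeef - HIER_DIRECT/185.199.108.133 application/octet-stream
"""


@dataclass
class ProxyEntry:
    client: str
    status: int
    size: int
    method: str
    url: str
    content_type: str


@dataclass
class Finding:
    client: str
    host: str
    url: str
    reason: str


def parse_squid_line(line: str) -> Optional[ProxyEntry]:
    """Parse one Squid-native log line; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        status = int(parts[3].split("/", 1)[1])
        size = int(parts[4])
    except (IndexError, ValueError):
        return None
    return ProxyEntry(client=parts[2], status=status, size=size,
                      method=parts[5], url=parts[6], content_type=parts[9].lower())


def classify(entry: ProxyEntry) -> Optional[Finding]:
    """Flag a successful GET of payload-like content from a GitHub content host."""
    if entry.method != "GET" or entry.status != 200:
        return None
    parsed = urlparse(entry.url)
    host = (parsed.hostname or "").lower()
    if host not in GITHUB_CONTENT_HOSTS:
        return None
    path = parsed.path.lower()
    ext = next((e for e in PAYLOAD_EXTENSIONS if path.endswith(e)), None)
    if ext:
        return Finding(entry.client, host, entry.url, f"payload-like extension {ext}")
    if entry.content_type in BINARY_CONTENT_TYPES:
        return Finding(entry.client, host, entry.url,
                       f"binary content-type {entry.content_type}")
    if "/releases/download/" in path:
        return Finding(entry.client, host, entry.url, "release asset download")
    return None


def scan_log(text: str) -> List[Finding]:
    """Run the heuristic over every parseable line and collect the findings."""
    findings: List[Finding] = []
    for line in text.splitlines():
        entry = parse_squid_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.host}: {f.reason} ({f.url})")
```

On the constructed sample this flags the `.exe` from raw.githubusercontent.com, the release-asset `.zip` from github.com, and the unnamed `application/octet-stream` object from objects.githubusercontent.com, while the README page and the API call pass. Extension and Content-Type checks are easy to evade (renamed files, generic types, encrypted archives), so this belongs alongside endpoint telemetry and an allowlist of hosts that legitimately pull release assets, not in place of them.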
The MaaS campaign has been running since February and uses a previously documented malware loader known as Emmenhtal, which has been linked to attacks on Ukrainian entities. Earlier research by Palo Alto Networks and Ukraine’s state cyber agency SSSCIP documented the loader’s use in separate campaigns that relied on malicious emails; this campaign instead uses GitHub for distribution.
A significant difference between the earlier Emmenhtal incidents and the current campaign is the final payload. The earlier attacks on Ukrainian entities deployed the SmokeLoader backdoor; the present operation installs Amadey, a malware platform that has existed since 2018. Amadey’s primary function is to collect system information from infected devices and deliver customized secondary payloads, which vary according to the objectives of each campaign.