Attackers set up rogue GitHub repos with malware posing as zero-day exploits

In an unusual attack campaign, a hacker has been setting up rogue GitHub repositories that claim to host zero-day exploits for popular applications but which instead deliver malware.

The attacker also created fake GitHub and Twitter accounts posing as security researchers and even used real photos of researchers from well-known cybersecurity firms.

“The attacker has made a lot of effort to create all these fake personas, only to deliver very obvious malware,” researchers from security firm VulnCheck, who found the rogue repositories, said in a report.

“It’s unclear if they have been successful but given that they’ve continued to pursue this avenue of attacks, it seems they believe they will be successful.”

While attacks that target security researchers are not a new development, they are relatively rare and more likely to be the work of advanced persistent threat (APT) groups looking to gain access to sensitive information that researchers have access to.

This was the case with a campaign reported by Google’s Threat Analysis Group in 2021 where a government-backed North Korean entity created a web of fake accounts posing as security researchers on Twitter, Telegram, LinkedIn, and other social media platforms and used them to promote proof-of-concept exploits for existing vulnerabilities that were posted on a blog and in YouTube videos.

How the GitHub fake account campaign works

The fake accounts were used to contact other real researchers and invite them to collaborate. As part of the communication, a Visual Studio project with proof-of-concept exploit code was shared, but this project also included a malicious DLL that deployed malware on the victim’s computer.

Separately, some researchers who visited the blog had their up-to-date systems exploited suggesting the attackers had access to some zero-day exploits.