GitHub abused to distribute payloads on behalf of malware-as-a-service
Summary
Researchers from Cisco Talos have discovered a malware-as-a-service (MaaS) operator using legitimate public GitHub accounts as a channel for distributing malware to target organisations that regularly use the code repository for legitimate purposes, which makes the malicious downloads difficult to distinguish from normal web traffic.
The campaign used two known malware loaders, namely Emmenhtal and PeakLight, to deliver a final payload of malware called Amadey.
Amadey collects system information from infected devices and downloads further, customised payloads chosen according to the target and the campaign’s specific purposes.
GitHub has since removed the three accounts that hosted the malicious payloads.
This discovery reiterates the importance of cybersecurity education for companies and software developers, particularly when using public platforms such as GitHub.