AI Security AI安全 15h ago Updated 11h ago 更新于 11小时前 42

Network of 200 GitHub Repositories Used for Malware Infection 200个GitHub仓库网络被用于恶意软件感染

Threat actor "Operation Muck and Load" utilized over 200 GitHub repositories to distribute Windows malware via a deceptive Go module. The malicious module masquerades as a DNS scanning tool, using hidden PowerShell commands to fetch resolvers from public dead drops like Pastebin and YouTube. The attack chain results in the deployment of various threats, including RATs (AsyncRAT, Quasar), infostealers (Vidar), and cryptominers (XMRig). The actor employed automated GitHub Actions workflows to gene 安全公司Socket披露了名为“Operation Muck and Load”的大规模供应链攻击活动,涉及222个诱饵仓库和190个GitHub账户。 攻击者利用伪装成DNS扫描工具的Go模块,通过隐藏PowerShell代码从公共死投点获取并执行Windows恶意软件。 攻击者使用GitHub Actions工作流频繁发布伪版本以规避检测,并利用Pastebin、YouTube等多个公共平台作为C2死投点。 最终载荷包括AsyncRAT、Quasar RAT、Vidar信息窃取器及XMRig加密货币挖矿程序等多种恶意软件。

65
Hot 热度
60
Quality 质量
55
Impact 影响力

Analysis 深度分析

TL;DR

  • Threat actor "Operation Muck and Load" utilized over 200 GitHub repositories to distribute Windows malware via a deceptive Go module.
  • The malicious module masquerades as a DNS scanning tool, using hidden PowerShell commands to fetch resolvers from public dead drops like Pastebin and YouTube.
  • The attack chain results in the deployment of various threats, including RATs (AsyncRAT, Quasar), infostealers (Vidar), and cryptominers (XMRig).
  • The actor employed automated GitHub Actions workflows to generate hundreds of malicious package versions, evading detection through rapid iteration.

Why It Matters

This incident highlights the growing sophistication of supply chain attacks targeting open-source ecosystems, specifically leveraging the trust developers place in package managers like Go modules. It demonstrates how threat actors exploit public platforms not just for hosting, but as active components in their delivery infrastructure, bypassing traditional security controls by hiding malicious logic within legitimate-looking code structures.

Technical Details

  • Deceptive Packaging: The core vector is a Go module disguised as dnsub, a legitimate DNS/subdomain scanning tool, which serves as a lure to trick developers into importing malicious dependencies.
  • Obfuscation Techniques: Malicious PowerShell commands are embedded in the Go code using excessive horizontal whitespace to evade static analysis and visual inspection, running before any intended scanning logic.
  • Resilient Delivery: The PowerShell script fetches encrypted payload metadata from diverse public dead drops (Pastebin, Rlim, Telegram, Google Docs), allowing the attacker to rotate or update payloads without changing the initial malware binary.
  • Automated Distribution: Over 1,200 versions of the package were published since January 24, 2026, with 700 being malicious, generated via automated GitHub Actions workflows creating timestamp-based pseudo-versions to maintain persistence and evade takedowns.
  • Final Payloads: The execution chain culminates in the deployment of AsyncRAT, Quasar RAT, Remcos-style RATs, Vidar infostealer, and Monero cryptominers.

Industry Insight

  • Enhanced Dependency Auditing: Organizations must implement stricter dependency scanning tools that can detect obfuscated code patterns and unusual behavior in third-party libraries, rather than relying solely on reputation or signature-based checks.
  • Supply Chain Vigilance: Developers should verify the integrity of all imported packages, especially those with high version turnover or suspicious commit histories, and avoid blindly trusting popular but potentially compromised repositories.
  • Platform Security Collaboration: Cloud providers and code hosting platforms need to improve detection mechanisms for automated abuse workflows and dead-drop integration, as these tactics are becoming standard for resilient malware distribution.

TL;DR

  • 安全公司Socket披露了名为“Operation Muck and Load”的大规模供应链攻击活动,涉及222个诱饵仓库和190个GitHub账户。
  • 攻击者利用伪装成DNS扫描工具的Go模块,通过隐藏PowerShell代码从公共死投点获取并执行Windows恶意软件。
  • 攻击者使用GitHub Actions工作流频繁发布伪版本以规避检测,并利用Pastebin、YouTube等多个公共平台作为C2死投点。
  • 最终载荷包括AsyncRAT、Quasar RAT、Vidar信息窃取器及XMRig加密货币挖矿程序等多种恶意软件。

为什么值得看

该案例揭示了开源软件供应链攻击的新趋势,即攻击者利用开发者对开源工具的信任,通过高频发布伪版本和隐蔽代码注入来长期维持感染链。对于依赖第三方库的企业而言,这强调了实施严格的依赖项审计、监控异常构建行为以及采用零信任架构的必要性。

技术解析

  • 攻击载体与伪装:攻击者在222个GitHub仓库中发布了伪装成dnsub(DNS子域扫描工具)的Go模块。自2026年1月24日起,发布了超过1,200个版本,其中700个为恶意版本,利用GitHub Actions生成时间戳提交以创建Go伪版本,混淆正常发布流程。
  • 隐蔽执行机制:Go模块中包含一条被水平空白字符隐藏的PowerShell命令,在扫描逻辑之前运行。该命令旨在绕过脚本执行策略限制,并从公共死投点(Dead Drops)拉取解析器脚本。
  • 多阶段载荷投递:拉取的脚本充当解析器、下载器和启动器,负责定位加密元数据、解密URL、检索密码保护的存档并执行其内容。攻击者不依赖单一硬编码URL,而是利用Pastebin、Rlim、YouTube、Instagram、Telegram、Google Docs和GitCode等多个公共平台托管镜像材料,以提高操作弹性。
  • 最终恶意载荷:确认的恶意文件包括Trojan加载器、Vidar信息窃取器、间谍软件以及XMRig/BitMiner相关的门罗币(Monero)加密货币挖矿程序。

行业启示

  • 供应链防御升级:企业应加强对开源依赖项的版本历史和构建日志的监控,识别异常的频繁发布或伪版本生成行为,特别是来自非官方维护者的更新。
  • 代码审查自动化:静态代码分析工具需增强对隐藏字符、异常PowerShell调用及外部网络请求的检测能力,以发现此类经过精心伪装的恶意代码注入。
  • 多平台威胁情报整合:鉴于攻击者广泛利用各类公共平台(如社交媒体、文档服务)作为C2基础设施,安全团队应将威胁情报源扩展到这些平台,建立更全面的死投点黑名单和监控机制。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Open Source 开源