Malicious code is spread via sneaky Github links


Security researchers at McAfee have discovered a new, sneaky way for hackers and cybercriminals to spread malware, Bleeping Computer reports. The files are hidden behind seemingly legitimate links to the developer site Github, and what is more, the links appear to belong to well-known organizations such as Microsoft.

The malware McAfee detected is written in the Lua programming language, and its job is to load further malicious code. The files were found at the following links, which Github has since deleted:

https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip

This is not a case of domain spoofing: the links really do sit under github.com/microsoft, where Microsoft collects its various open source projects. The trick lies in how the files got there. The attackers took advantage of the ability to attach files to comments in Github's system for tracking bugs, feature requests and the like. Even if the comment is never posted, a direct link to the uploaded file is created.

Such a link is nowhere to be seen on Github.com, but anyone who knows it can still use it to download the file in question. Hiding a malware installer under a legitimate and well-known developer’s Github account, such as Microsoft, increases the risk that an unsuspecting recipient will download and run the malicious code.
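To make that distinction usable in a URL filter or mail gateway, here is an added example (not from the article or from McAfee's research) that classifies Github links. It assumes the attachment path pattern `/<owner>/<repo>/files/<numeric id>/<filename>` seen in the two links above; the repository-content prefixes and the sample URLs marked as constructed are my own assumptions.

```python
import re
from urllib.parse import urlparse

# Shape of a comment-attachment link, as in the two links quoted in the article:
# https://github.com/<owner>/<repo>/files/<numeric id>/<filename>
# The owner organization never reviewed such a file; anyone who can comment can upload one.
ATTACHMENT_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<id>\d+)/(?P<name>[^/]+)$"
)

# Paths that point at content actually committed to, or released from, the repository
# (assumed list; extend as needed).
REPO_CONTENT_RE = re.compile(r"^/[^/]+/[^/]+/(blob|raw|tree|releases/download)/")

# Attachment names that deserve extra attention (archives and executables).
RISKY_EXT = (".zip", ".rar", ".7z", ".exe", ".msi", ".bat", ".lua")


def refang(url: str) -> str:
    """Undo the '[.]' defanging used in reports so the URL can be parsed."""
    return url.replace("[.]", ".")


def classify(url: str) -> dict:
    """Classify a URL as 'attachment', 'repo-content', 'other' or 'not-github'."""
    u = urlparse(refang(url))
    result = {"url": url, "kind": "other", "owner": None, "filename": None, "suspicious": False}
    if (u.hostname or "").lower() not in ("github.com", "www.github.com"):
        result["kind"] = "not-github"
        return result
    m = ATTACHMENT_RE.match(u.path)
    if m:
        # Looks like it belongs to <owner>, but is only a user-uploaded comment attachment.
        result.update(kind="attachment", owner=m["owner"], filename=m["name"])
        result["suspicious"] = m["name"].lower().endswith(RISKY_EXT)
    elif REPO_CONTENT_RE.match(u.path):
        result.update(kind="repo-content", owner=u.path.split("/")[1])
    return result


# Constructed sample: the two defanged links from the report plus two benign repo URLs.
SAMPLE_URLS = [
    "https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip",
    "https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip",
    "https://github.com/microsoft/vcpkg/blob/master/README.md",
    "https://github.com/microsoft/STL/releases/download/v1.0/stl-src.tar.gz",
]


def flag_urls(urls):
    """Return the classifications of URLs that should be blocked or reviewed."""
    return [c for c in map(classify, urls) if c["suspicious"]]
```

The `owner` field is what a naive filter would trust; the `kind` field is what it should actually act on.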

Bleeping Computer points out that the examples discovered so far are relatively tame compared with what the technique allows. Malware authors could, for example, upload a file under Nvidia's driver installer project, github.com/nvidia/nvidia-installer, and give it a name that looks like an Nvidia driver update.

The article is in Swedish
