This week started with the discovery of a threat called Octopus Scanner, which has been found in infected GitHub repositories. What we know is that it has been lurking on the cloud platform for several weeks and that it was created by an unknown hacking group. The malware was discovered by the GitHub security team during an analysis of hosted projects. Octopus Scanner is considered a dangerous threat because it is programmed to deploy itself primarily via the Apache NetBeans development environment.
The Octopus Scanner Malware Uses GitHub as a Distribution Medium
GitHub, one of the leading repositories for publishing software and related projects, has been found to host a dangerous malware known as Octopus Scanner. This virus was created by an unknown hacking group and has been placed in various repositories. The criminal group relies on the fact that developers take advantage of published code and integrate it into their own projects. In the detected attack campaign the emphasis was on users of the Apache NetBeans IDE (integrated development environment), one of the most popular tools for creating Java applications. The GitHub security team was notified by a security researcher of suspicious code, which prompted an investigation leading to the discovery of the threat.
Many repositories were found to be infiltrated with this code; on further review, the owners were unaware that their code had been modified to include the malware. All of this shows that it is very difficult to trace where the initial infection happened.
When a repository containing the malware code is loaded into the NetBeans software, the virus is started automatically. The first actions relate to the mechanism of embedding backdoors into the projects that are opened within the development environment. This is done via a component called a dropper, which is designed to load hacker-made code into them. When the compiled output files are copied to and started on a given system, the contaminated data starts the relevant dropper as part of the start-up sequence. The backdoor code then launches several dangerous malware actions:
- File Infection — The malware code makes sure that all relevant files have the virus code copied into them. This is done in order to continue the replication of the threat.
- Persistent Installation — The malware code embedded in the Java projects ensures that the engine is started every time the system boots.
- Trojan Horse Infection — The included code provides RAT functionality, enabling the remote attackers to control the infected computers. This can include file theft and surveillance.
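As an added defender-side example (not from the original article and not GitHub's own analysis): the infection chain described above plants hacker-made code into a project's compiled output, so one practical integrity check is to compare the classes inside any JAR committed to a repository against the .java sources the repository actually contains. The script below builds a constructed toy repository (one legitimate source file, a vendored lib/ dependency that is skipped, and a committed dist/app.jar carrying an extra class with no matching source) and reports such unsourced classes. The directory layout, class names and placeholder bytes are assumptions for illustration, not indicators taken from the page.

```python
from __future__ import annotations

import tempfile
import zipfile
from pathlib import Path

# Directories whose JARs are vendored third-party dependencies rather than
# build output; their classes never have local sources, so they are skipped.
DEFAULT_EXCLUDE = ("lib",)


def source_classes(repo: Path) -> set[str]:
    """Class names in path form (e.g. com/example/App) declared by .java files.

    The package path is taken relative to the last 'src' directory in the
    file's path, matching the usual NetBeans/Ant layout (src/<pkg>/X.java).
    """
    names = set()
    for java in repo.rglob("*.java"):
        parts = list(java.relative_to(repo).parts)
        if "src" in parts:
            last_src = len(parts) - 1 - parts[::-1].index("src")
            parts = parts[last_src + 1:]
        names.add("/".join(parts)[: -len(".java")])
    return names


def jar_classes(jar_path: Path) -> set[str]:
    """Top-level class names inside a JAR (inner classes Foo$1 map back to Foo)."""
    names = set()
    with zipfile.ZipFile(jar_path) as zf:
        for entry in zf.namelist():
            if entry.endswith(".class"):
                names.add(entry[: -len(".class")].split("$", 1)[0])
    return names


def unsourced_classes(repo: Path, exclude=DEFAULT_EXCLUDE) -> dict[str, list[str]]:
    """Map each committed JAR to the classes it carries that have no .java source.

    A build artifact containing classes the source tree never declared is
    exactly the discrepancy a dropper injected into compiled output would cause.
    """
    known = source_classes(repo)
    findings = {}
    for jar in repo.rglob("*.jar"):
        rel = jar.relative_to(repo)
        if rel.parts and rel.parts[0] in exclude:
            continue
        try:
            extra = sorted(c for c in jar_classes(jar) if c not in known)
        except zipfile.BadZipFile:
            extra = ["<not a valid JAR/zip archive>"]
        if extra:
            findings[rel.as_posix()] = extra
    return findings


def build_sample_repo() -> Path:
    """Construct a toy repository for demonstration (all names are invented).

    Contains one legitimate source, a vendored lib/ JAR that must be ignored,
    and a committed dist/app.jar whose extra class has no source at all.
    """
    root = Path(tempfile.mkdtemp(prefix="nbrepo-"))
    src = root / "src" / "com" / "example"
    src.mkdir(parents=True)
    (src / "App.java").write_text("package com.example;\npublic class App {}\n")
    fake_bytecode = b"\xca\xfe\xba\xbe"  # placeholder bytes, not real compiled code
    (root / "lib").mkdir()
    with zipfile.ZipFile(root / "lib" / "dep.jar", "w") as zf:
        zf.writestr("org/thirdparty/Util.class", fake_bytecode)
    (root / "dist").mkdir()
    with zipfile.ZipFile(root / "dist" / "app.jar", "w") as zf:
        zf.writestr("com/example/App.class", fake_bytecode)
        zf.writestr("com/example/App$1.class", fake_bytecode)   # inner class, legitimate
        zf.writestr("org/unknown/Loader.class", fake_bytecode)  # no matching source
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for jar, classes in unsourced_classes(repo).items():
        print(f"{jar}: classes without source -> {', '.join(classes)}")
```

Run against a real checkout the check is only a first pass: a project that ships generated sources or shades dependencies into its output JAR will produce findings that need an allowlist, and a JAR whose classes all match source names can still carry modified bytecode, so pairing this with a rebuild-from-source hash comparison is the more complete control.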
The security analysis uncovered that there are different versions of Octopus Scanner so far; the variants are found within the GitHub repositories. All of the malicious code is obfuscated, making it harder to detect. It is not known whether the hackers will modify the core code in order to deploy Octopus Scanner onto other system components.