GitHub Comments from Legitimate Repositories Exploited to Deliver Remcos RAT

One of the most interesting findings of our Netskope Threat Labs Report: Insurance 2024 was the discovery that GitHub is the most popular application in terms of malware downloads for this specific vertical, surpassing Microsoft OneDrive, which is usually the undisputed leader of this unwelcome chart.

An interesting confirmation of this peculiar trend of the financial sector comes from security researchers at Cofense, who recently unearthed an interesting campaign, targeting organizations in insurance and finance, unsurprisingly abusing GitHub to deliver malicious content in the form of the Remcos RAT.

This campaign stands out for at least two reasons: not only for the malicious purposes threat actors abused legitimate GitHub repositories of reputable organizations, such as the open-source tax filing software, UsTaxes, HMRC, and InlandRevenue, but also because they used GitHub comments to deliver the malicious payload. The purpose of the comments function is to enhance collaboration among developers working on the same project, however they can be easily turned into a powerful tool in the hands ofby threat actors:s since they can easily embed malicious content without having to upload it to the source code files of the same repository. And if the repository belongs to a trusted organization, the chances of success are even higher since a user would never imagine they’d be compromised by content hosted in a trusted application instance belonging to a reputable organization.

There are two trends that characterize the exploitation of legitimate services by threat actors. On one hand, they are increasing the spectrum of the exploited cloud applications beyond the usual suspects, but they are also always looking for newer and more clever ways to exploit the consolidated ones, which is undoubtedly an illuminating example.

How Netskope mitigates the risk of legitimate cloud services exploited to deliver 

GitHub is one of the thousands of cloud services where the Netskope Next Gen SWG can provide adaptive access control, threat protection, and data loss prevention with a granularity that is impossible for any other web security technology. GitHub is also among the hundreds of cloud applications for which instance detection is available. So, in cases where these services or similar cloud storage apps are abused to deliver a malicious payload, it is possible to configure a policy for preventing potentially dangerous activities (such as “Download”) from the specific service or the entire category where it belongs (or obviously to block completely the unneeded service). The granular access control can be extended at the level of the single instance for applications like GitHub, Microsoft 365, Google Drive, Dropbox and many more, blocking or limiting risky activities for accounts that are not managed by the organization.

Netskope customers are also protected against malware distributed from the cloud (and the web in general) by Netskope Threat Protection. Netskope Threat Protection scans web and cloud traffic to detect known and unknown threats with a comprehensive set of engines, including signature-based AV, machine learning detectors for executables and Office documents, and sandboxing with patient zero protection. The threat protection capabilities can be further improved through Netskope Cloud Exchange, which provides powerful integrations to leverage investments across users’ security posture through integration with third-party tools, such as threat intelligence feeds, endpoint protection, and email protection technologies.

Finally, Netskope Advanced Analytics provides specific dashboards to assess the risk of rogue cloud instances being exploited to deliver malware or the risk of becoming the target of anomalous communications, with rich details and insights, supporting security teams in the analysis and mitigation/remediation process.

Stay safe!