Malware that infects NetBeans to inject backdoors into build projects

GitHub revealed malware that infects projects in the NetBeans IDE and uses the build process to spread itself. The investigation revealed that the malware in question, which was given the name Octopus Scanner, was used to covertly integrate backdoors into 26 open source projects with repositories on GitHub. The first traces of Octopus Scanner are dated August 2018.

The malware detects NetBeans project files and adds its code both to the project files and to the JAR files produced by the build. Its operation comes down to locating the NetBeans directory that holds the user's projects, enumerating every project in that directory, copying the malicious script to nbproject/cache.dat and modifying nbproject/build-impl.xml so that this script is invoked every time the project is built. When the project is built, a copy of the malware is embedded in the resulting JAR files, which then serve as a vector for further distribution. This is how malicious files ended up in the repositories of the 26 public projects mentioned above, as well as in various other projects when builds of new releases were published.

When another user downloaded and ran an affected JAR file, a new cycle of searching for NetBeans and injecting the malicious code began on their system, which matches the model of a self-propagating computer virus. In addition to the self-propagation functionality, the malicious code also includes backdoor functions that provide remote access to the system. At the time of the incident analysis, the servers controlling the backdoor (C&C) were not active.


In total, 4 variants of infection were identified while studying the affected projects. In one of the variants, to activate the backdoor on Linux an autostart file “$HOME/.config/autostart/octo.desktop” was created, while on Windows tasks were launched via schtasks. Other generated files include:

  • $HOME/.local/share/bbauto
  • $HOME/.config/autostart/none.desktop
  • $HOME/.config/autostart/.desktop
  • $HOME/.local/share/Main.class
  • $HOME/Library/LaunchAgents/AutoUpdater.dat
  • $HOME/Library/LaunchAgents/AutoUpdater.plist
  • $HOME/Library/LaunchAgents/SoftwareSync.plist
  • $HOME/Library/LaunchAgents/Main.class
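The two infection markers described above (a dropped nbproject/cache.dat and a build-impl.xml that references it) and the persistence artifacts listed here can be checked for with a short scanner. The following is an added example, not code from the article or from GitHub's investigation; the sample project tree it builds, including the hook line placed in build-impl.xml, is constructed for the demo and does not reproduce the real injected code.

```python
import os
import re
import tempfile

# Persistence artifacts named in the article, relative to $HOME.
PERSISTENCE_PATHS = [
    ".config/autostart/octo.desktop", ".local/share/bbauto",
    ".config/autostart/none.desktop", ".config/autostart/.desktop",
    ".local/share/Main.class", "Library/LaunchAgents/AutoUpdater.dat",
    "Library/LaunchAgents/AutoUpdater.plist",
    "Library/LaunchAgents/SoftwareSync.plist", "Library/LaunchAgents/Main.class",
]

def scan_projects(projects_dir):
    """Flag NetBeans projects showing the two markers from the article: a dropped
    nbproject/cache.dat and a build-impl.xml that references it (the build-impl.xml
    NetBeans generates never mentions cache.dat). Returns (project, reason) pairs."""
    findings = []
    for name in sorted(os.listdir(projects_dir)):
        nbproject = os.path.join(projects_dir, name, "nbproject")
        if not os.path.isdir(nbproject):
            continue  # not a NetBeans project
        if os.path.exists(os.path.join(nbproject, "cache.dat")):
            findings.append((name, "nbproject/cache.dat present"))
        build_impl = os.path.join(nbproject, "build-impl.xml")
        if os.path.isfile(build_impl):
            with open(build_impl, encoding="utf-8", errors="replace") as f:
                if re.search(r"cache\.dat", f.read()):
                    findings.append((name, "build-impl.xml references cache.dat"))
    return findings

def scan_persistence(home):
    """Return which of the article's persistence artifacts exist under home."""
    return [p for p in PERSISTENCE_PATHS if os.path.exists(os.path.join(home, p))]

def run_demo():
    """Build a constructed sample tree (one clean project, one showing both markers
    plus the Linux autostart file) and scan it. Returns (findings, persistence hits)."""
    root = tempfile.mkdtemp()
    hook = '<!-- constructed hook, not the real one --><exec executable="java"><arg file="nbproject/cache.dat"/></exec>'
    for proj, body in (("CleanApp", ""), ("InfectedApp", hook)):
        nb = os.path.join(root, "NetBeansProjects", proj, "nbproject")
        os.makedirs(nb)
        with open(os.path.join(nb, "build-impl.xml"), "w") as f:
            f.write(f'<project><target name="-post-jar">{body}</target></project>')
    open(os.path.join(root, "NetBeansProjects", "InfectedApp", "nbproject", "cache.dat"), "wb").close()
    os.makedirs(os.path.join(root, ".config", "autostart"))
    open(os.path.join(root, ".config", "autostart", "octo.desktop"), "w").close()
    return scan_projects(os.path.join(root, "NetBeansProjects")), scan_persistence(root)

if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

On a real machine, point scan_projects at the NetBeansProjects directory and scan_persistence at the user's home; any hit is worth a manual look at the project's build-impl.xml diff against a freshly generated one.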

The backdoor could be used to plant implants in the code under development, leak the source code of proprietary systems, steal confidential data and take over accounts. GitHub's researchers do not rule out that the malicious activity is not limited to NetBeans and that there may be other variants of Octopus Scanner that inject themselves into build processes based on Make, MSBuild, Gradle and other build systems in order to spread.

The names of the affected projects are not given, but they can easily be found by searching GitHub for the "cache.dat" mask. Among the projects in which traces of malicious activity were found: V2Mp3Player, JavaPacman, Kosim-Framework, Punto de venta, 2D-Physics-Simulations, PacmanGame, GuessThe Animal, SnakeCenterBox4, Secuencia Numerica, call center, ProyectoGerundio, pacman-java_ia, SuperMario-FR-.

Source: opennet.ru