Malicious software can detect NetBeans project files and add its own code both to the project files and to the JAR files they build. The infection routine boils down to locating the directory that holds the user's NetBeans projects, enumerating every project in it, and copying the malicious script to
When another user downloaded and ran an affected JAR file, a new cycle of searching for NetBeans and injecting the malicious code began on that system, which matches the model of a self-propagating computer virus. Beyond self-propagation, the malicious code also carries backdoor functionality that provides remote access to the system. At the time the incident was analysed, the command-and-control (C&C) servers for the backdoor were no longer active.
In total, four infection variants were identified while examining the affected projects. In one of them, the backdoor is activated on Linux through an autostart file "$HOME/.config/autostart/octo.desktop", and on Windows through scheduled tasks created with schtasks. Other files generated by the variants include:
- $HOME/.local/share/bbauto
- $HOME/.config/autostart/none.desktop
- $HOME/.config/autostart/.desktop
- $HOME/.local/share/Main.class
- $HOME/Library/LaunchAgents/AutoUpdater.dat
- $HOME/Library/LaunchAgents/AutoUpdater.plist
- $HOME/Library/LaunchAgents/SoftwareSync.plist
- $HOME/Library/LaunchAgents/Main.class
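A triage check for the dropped files listed above, written as an added example for this page (it is not code from GitHub's report or from the malware itself). The artifact paths are the ones in the list; the function names, the constructed sample home directory, and the assumed content of the autostart entry (a desktop file whose Exec= line launches the dropped Main.class with java) are my own additions for illustration.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Dropped-file and persistence paths reported for the Octopus Scanner variants,
# relative to the user's home directory (the list given in the article).
OCTOPUS_ARTIFACTS: List[str] = [
    ".config/autostart/octo.desktop",
    ".local/share/bbauto",
    ".config/autostart/none.desktop",
    ".config/autostart/.desktop",
    ".local/share/Main.class",
    "Library/LaunchAgents/AutoUpdater.dat",
    "Library/LaunchAgents/AutoUpdater.plist",
    "Library/LaunchAgents/SoftwareSync.plist",
    "Library/LaunchAgents/Main.class",
]


def find_octopus_artifacts(home: str) -> List[str]:
    """Return the known artifact paths (relative to `home`) that exist on disk."""
    base = Path(home)
    return [rel for rel in OCTOPUS_ARTIFACTS if (base / rel).exists()]


def autostart_exec_lines(home: str) -> Dict[str, str]:
    """Map every XDG autostart entry under ~/.config/autostart to its Exec= command.

    This is a generic triage helper rather than an Octopus-specific signature:
    an entry that launches java against a class dropped under ~/.local/share is
    what the Linux persistence described in the article would look like.
    """
    result: Dict[str, str] = {}
    autostart = Path(home) / ".config" / "autostart"
    if not autostart.is_dir():
        return result
    for entry in sorted(autostart.iterdir()):
        # Path(".desktop").suffix is "" because of the leading dot, so match on the name.
        if not entry.is_file() or not entry.name.endswith(".desktop"):
            continue
        for line in entry.read_text(errors="replace").splitlines():
            if line.startswith("Exec="):
                result[entry.name] = line[len("Exec="):].strip()
                break
    return result


def make_sample_home() -> str:
    """Build a constructed (fake) home directory containing two of the artifacts.

    Used only to demonstrate the checks offline; returns the temp directory path.
    The desktop-entry content is an assumption, not the real dropped file.
    """
    home = Path(tempfile.mkdtemp(prefix="octopus-demo-"))
    autostart = home / ".config" / "autostart"
    autostart.mkdir(parents=True)
    (autostart / "octo.desktop").write_text(
        "[Desktop Entry]\nType=Application\nExec=java -cp ~/.local/share Main\n"
    )
    share = home / ".local" / "share"
    share.mkdir(parents=True)
    (share / "Main.class").write_bytes(b"")
    return str(home)


if __name__ == "__main__":
    sample = make_sample_home()
    print("artifacts present:", find_octopus_artifacts(sample))
    print("autostart Exec lines:", autostart_exec_lines(sample))
```

Run it against a real account by passing the user's home directory instead of `make_sample_home()`; an empty result from `find_octopus_artifacts` only means none of the published paths are present, so the Exec= listing is there to surface renamed variants that still persist through autostart.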
The backdoor could be used to plant implants in the code a developer is working on, leak the source code of proprietary systems, steal confidential data and hijack accounts. GitHub's researchers do not rule out that the malicious activity is limited to NetBeans: other Octopus Scanner variants may exist that inject themselves into build processes based on Make, MSBuild, Gradle and other systems in order to spread.
The names of the affected projects are not mentioned, but they can be easily
Source: opennet.ru