GitHub Gone Rogue: Trojanized Tools Target Developers and Cybercriminals Alike
Security researchers uncovered malicious campaigns by Water Curse and Banana Squad targeting red teams and developers. Using trojanized open source hacking tools on GitHub, they aim to steal credentials and provide persistent access to compromised systems. It’s a cyber plot twist that even Hollywood would envy: hacking the hackers!

Hot Take:
Who knew open source code could come with a side of malware fries? In a plot twist worthy of a Hollywood thriller, hackers are now targeting the very people who thought they were safe: red teams, developers, and even gamers. With names like Water Curse and Banana Squad, these cyber bandits are adding a fruity twist to the world of cyber espionage. Keep your eyes peeled and your GitHub accounts locked!
Key Points:
- Water Curse and Banana Squad are targeting red teams, developers, and gamers with trojanized open source tools.
- 76 GitHub accounts were found to have injected malicious payloads into build scripts and project files.
- Payloads aim to steal credentials, browser data, and session tokens.
- Tools used include C#, JavaScript, PowerShell, and VBS scripts, among others.
- Similar campaigns have been identified by Sophos and Checkmarx, indicating a larger trend of Distribution-as-a-Service (DaaS) operations.
GitHub: The New Pirate Bay?
In a world where open source is king, it’s no surprise that hackers are setting up their own little kingdoms. Trend Micro and ReversingLabs have uncovered two campaigns that are taking advantage of developers’ trust in open source tools. With names like Water Curse and Banana Squad, you might think these threat actors were after your lunch money. Instead, they’re targeting your credentials, browser data, and session tokens. The campaigns, which began in early 2023, have used GitHub as their playground, creating repositories that look legit but pack a malicious punch.
Red Teams, Developers, and Gamers, Oh My!
In a plot twist that’s got cybersecurity experts scratching their heads, the campaigns aren’t targeting your average Joe. No, these bad actors have their sights set on red teams, penetration testers, developers, and gamers. It’s like they’ve read the cybersecurity textbook and decided to go after the students. According to Trend Micro, Water Curse uses a hybrid strategy that blends supply chain compromise with opportunistic exploitation. So if you’re a developer who’s also a gamer, you might want to double-check those GitHub repositories before you download your next project.
The Tools of the Trade
In their quest to steal your data, these cyber pirates are wielding a digital arsenal that would make any script kiddie drool. Malicious payloads are hidden in Visual Studio project configuration files, and the tools of choice include C#, JavaScript, PowerShell, and VBS scripts. It’s like a buffet of coding languages, all designed to give the threat actor persistent remote access to compromised systems. And let’s not forget the compiled PE binaries—because what’s a hacking campaign without a little binary action?
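A defender's check for the build-file trick described above, added here as an example and not taken from the article or from the Trend Micro/ReversingLabs reports: it parses an MSBuild project file (.csproj/.vbproj) and flags PreBuildEvent/PostBuildEvent properties and Exec tasks whose command text launches a script interpreter or decodes something at build time. The keyword heuristic and the sample project are my own assumptions.

```python
"""Flag build-time command execution in MSBuild project files.

Added example, not code from the article or either vendor report. A cloned
repository runs these commands as soon as someone builds it, so reviewing
them before `msbuild`/`dotnet build` is a cheap supply-chain check.
"""
import re
import xml.etree.ElementTree as ET

# Heuristic (assumption): tokens typical of script launchers and decoders in build commands.
SUSPICIOUS = re.compile(
    r"(powershell|pwsh|cscript|wscript|cmd(\.exe)?\s*/c|mshta|certutil|"
    r"-enc\w*|FromBase64String|DownloadString|Invoke-Expression|\biex\b|\.vbs\b|\.js\b)",
    re.IGNORECASE,
)


def find_build_commands(project_xml: str):
    """Return (location, command) pairs for every build-time command in the project."""
    root = ET.fromstring(project_xml)
    found = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the xmlns that old-style projects carry
        if tag in ("PreBuildEvent", "PostBuildEvent") and el.text and el.text.strip():
            found.append((tag, el.text.strip()))
        elif tag == "Exec" and el.get("Command"):
            found.append(("Exec", el.get("Command")))
    return found


def suspicious_build_commands(project_xml: str):
    """Keep only the commands that match the script-launching heuristic."""
    return [(loc, cmd) for loc, cmd in find_build_commands(project_xml) if SUSPICIOUS.search(cmd)]


# Constructed sample: a harmless post-build copy plus a hidden PowerShell launcher
# wired to run before the Build target (placeholder instead of a real payload).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)bin\\"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="Setup" BeforeTargets="Build">
    <Exec Command="powershell -w hidden -EncodedCommand PLACEHOLDER_BASE64" />
  </Target>
</Project>"""

if __name__ == "__main__":
    for loc, cmd in suspicious_build_commands(SAMPLE_CSPROJ):
        print(f"[{loc}] {cmd}")
```

Run it over every project file in a freshly cloned repository before building; anything it flags deserves a manual read of the target.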
Banana Squad: One Repository to Rule Them All
While Water Curse is busy casting its spell, another threat actor is making waves: Banana Squad. ReversingLabs discovered more than 67 GitHub repositories that promised Python-based hacking tools but delivered trojanized look-alikes instead. Each account had only one repository, making it clear that malware distribution was the name of the game. It’s like a one-hit wonder, but instead of catchy tunes, you’re getting a nasty surprise. The campaign began in June and has ties to similar activity flagged by Checkmarx, indicating a trend that’s more popular than avocado toast.
History Repeats Itself
If you think this sounds familiar, you’re not wrong. Both campaigns are reminiscent of a larger Distribution-as-a-Service operation uncovered by Sophos. Since 2022, thousands of GitHub accounts have been used to distribute malware embedded in open source tools. It’s like the cyber equivalent of a BOGO sale, but instead of getting a freebie, you get a virus. So the next time you’re tempted to download that shiny new tool from GitHub, remember: if it looks too good to be true, it probably is.