Open Source Hit By Octopus Scanner Malware
Written by Kay Ewbank
Tuesday, 09 June 2020
An investigation by GitHub Security Lab has found malware within 26 open source code repositories containing Apache NetBeans projects. The GitHub team was acting on a tip-off from a security researcher that GitHub-hosted repositories were unintentionally serving malware.
The GitHub team discovered that the Octopus Scanner malware had been designed to enumerate and backdoor NetBeans projects, and to use the build process and its resulting artifacts to spread itself.
Apache NetBeans has said that the initial point of infection is undetermined and that all known activity associated with the malware has been shut down. The malware relied on project templates generated by Apache NetBeans using an older, customized Apache Ant-based build system that has been in limited use since 2006. It does not affect users of other build systems such as Apache Maven or Gradle, or even most Apache Ant users.
The malware works as follows. When a developer downloads a project from an infected repository, Octopus Scanner activates and scans the developer's computer for a NetBeans installation. If NetBeans is present, an initial-stage dropper is installed and, from then on, whenever a project is built its JAR files are infected with the dropper. When an infected JAR is executed, the dropper spawns a Remote Administration Tool (RAT), which connects to a set of C2 servers. One bright spot is that the malware's C2 servers did not appear to be active at the time of analysis.
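Because the infection rides along in build output rather than in committed source, one practical check is to compare what a built JAR actually contains with what the source tree could have produced: a class file with no matching `.java` file is something to investigate. The script below is an added example written for this article, not code from GitHub Security Lab or the NetBeans project. It assumes a NetBeans/Ant-style layout (sources under `src/`, output under `dist/`) and constructs a toy project whose JAR carries one extra class, `com/example/Loader`, a made-up name standing in for an injected payload.

```python
"""Flag classes in a built JAR that have no corresponding source file.

Added example for the Octopus Scanner article; not the project's own
tooling. Assumes sources live under src/ and the build writes dist/*.jar.
"""
import tempfile
import zipfile
from pathlib import Path


def expected_classes(src_root):
    """Return the class paths ('com/example/App') implied by .java files under src_root.

    Caveat: a single .java file may declare extra package-private top-level
    classes, and generated sources may live elsewhere; both show up as
    false positives and should be reviewed rather than silently ignored.
    """
    src_root = Path(src_root)
    return {
        java.relative_to(src_root).with_suffix("").as_posix()
        for java in src_root.rglob("*.java")
    }


def jar_classes(jar_path):
    """Return the class paths of every .class entry in the JAR."""
    with zipfile.ZipFile(jar_path) as zf:
        return {n[: -len(".class")] for n in zf.namelist() if n.endswith(".class")}


def outer_name(class_path):
    """Map inner/anonymous classes to their enclosing class: 'a/B$1' -> 'a/B'."""
    return class_path.split("$", 1)[0]


def unexpected_classes(src_root, jar_path):
    """Classes present in the JAR whose enclosing class has no source file."""
    expected = expected_classes(src_root)
    return sorted(c for c in jar_classes(jar_path) if outer_name(c) not in expected)


def build_sample_project(root):
    """Construct a toy NetBeans-style project with one injected class.

    Sample data constructed for this example; the byte strings are just the
    class-file magic number, not real bytecode, and 'Loader' is a made-up name.
    """
    root = Path(root)
    src = root / "src" / "com" / "example"
    src.mkdir(parents=True)
    (src / "App.java").write_text("package com.example;\npublic class App {}\n")
    dist = root / "dist"
    dist.mkdir()
    jar = dist / "App.jar"
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("com/example/App$1.class", b"\xca\xfe\xba\xbe")  # inner class: legitimate
        zf.writestr("com/example/Loader.class", b"\xca\xfe\xba\xbe")  # no source: injected
    return root / "src", jar


def demo():
    """Run the check against the constructed project and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        src, jar = build_sample_project(tmp)
        return unexpected_classes(src, jar)


if __name__ == "__main__":
    for cls in demo():
        print("unexpected class in build output:", cls)
```

Run against a real project by calling `unexpected_classes("src", "dist/YourApp.jar")` after a build; an empty list means every class in the artifact traces back to a source file. The check is deliberately narrow: it catches classes added to the artifact, not a legitimate class whose bytecode has been modified, which needs a reproducible build or a comparison against a trusted reference JAR.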
The GitHub security team says that while the NetBeans malware has been identified, similar malware could also have been implemented for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed. They estimate that the malware could have been present since 2018.
The GitHub team concluded that the malware was particularly dangerous as the primary-infected users are developers, so the access that is gained is of high interest to attackers since developers generally have access to additional projects, production environments, database passwords, and other critical assets.