Open Source Hit By Octopus Scanner Malware
Written by Kay Ewbank   
Tuesday, 09 June 2020

An investigation by GitHub Security Labs has found malware within 26 open source code repositories based on Apache NetBeans. The GitHub team was acting on a tip-off from a security researcher that GitHub-hosted repositories were unintentionally and actively serving malware.

The GitHub team discovered that the Octopus Scanner malware had been designed to enumerate and backdoor NetBeans projects, and to use the build process and its resulting artifacts to spread itself.


Apache has said that the initial point of infection is undetermined and all activity with the malware has been shut down. The malware relied on project templates generated by Apache NetBeans using an older customized Apache Ant-based build system that has been in limited use since 2006. This does not impact users of other build systems like Apache Maven or Gradle or even most Apache Ant users.

The malware works as follows: when a developer downloads a project from an infected repository, Octopus Scanner is activated and scans the developer's computer for the presence of NetBeans. If NetBeans is present, an initial-stage dropper is installed. From that point onwards, whenever a project is built, the resulting JAR files are infected with the dropper. When executed, the dropper spawns a Remote Administration Tool (RAT), which connects to a set of C2 servers. One bright spot is that the malware's C2 servers didn't seem to be active at the time of analysis.
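Because the infection happens at build time, one defensive check is to compare what ends up in a built JAR against the source tree it was built from. The sketch below is an added example, not code from GitHub, Apache or the malware analysis; the function names, file names and sample JAR contents are constructed for illustration, and it assumes each class is compiled from a `.java` file of the same name.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def unexpected_jar_entries(jar, source_root):
    """Return JAR entries that cannot be traced back to a file under source_root.

    Heuristic: pkg/Foo.class and pkg/Foo$Inner.class are expected to come from
    pkg/Foo.java; any other entry must exist verbatim as a resource file.
    META-INF/ is skipped because the build tool generates it.
    """
    root = Path(source_root)
    flagged = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith("/") or name.startswith("META-INF/"):
                continue
            if name.endswith(".class"):
                outer = name[: -len(".class")].split("$", 1)[0]
                expected = root / (outer + ".java")
            else:
                expected = root / name
            if not expected.is_file():
                flagged.append(name)
    return sorted(flagged)


def demo():
    """Build a constructed source tree and JAR, then run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "com" / "example").mkdir(parents=True)
        (src / "com" / "example" / "App.java").write_text("class App {}")
        (src / "app.properties").write_text("name=demo")

        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
            zf.writestr("com/example/App$1.class", b"\xca\xfe\xba\xbe")
            zf.writestr("app.properties", "name=demo")
            # Constructed stand-ins for content added during the build:
            zf.writestr("x/Loader.class", b"\xca\xfe\xba\xbe")
            zf.writestr("payload.bin", b"\x00")
        buf.seek(0)
        return unexpected_jar_entries(buf, src)


if __name__ == "__main__":
    print(demo())
```

A source file that declares several top-level classes will produce false positives, so flagged entries are leads to review rather than proof of tampering.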

The GitHub security team says that while the NetBeans malware has been identified, similar malware could also have been implemented for build systems such as Make, MSBuild, Gradle and others, and it may be spreading unnoticed. They estimate that the malware could have been present since 2018.

The GitHub team concluded that the malware was particularly dangerous as the primary-infected users are developers, so the access that is gained is of high interest to attackers since developers generally have access to additional projects, production environments, database passwords, and other critical assets.


More Information

GitHub Security Report

Apache NetBeans
