Malware-as-a-service caught using GitHub to distribute its payloads

A recent investigation by Cisco's Talos security team has revealed a malware-as-a-service (MaaS) operator leveraging public GitHub accounts to distribute several forms of malware. The tactic trades on GitHub's reputation as a trusted platform, one that enterprise networks often allow because their development teams depend on it. Following the alert from Talos, GitHub promptly removed the three accounts associated with the malicious payloads.

According to researchers Chris Neal and Craig Jackson, GitHub's straightforward file hosting lets an operator distribute malware while evading web filtering systems that do not block the GitHub domain. They noted, "While some organizations can restrict GitHub access to mitigate the risks of open-source offensive tools and malware, many development teams require GitHub access, making it challenging to distinguish between legitimate traffic and malicious downloads."

The ongoing campaign, tracked by Talos since February, uses a previously documented malware loader known as Emmenhtal, also referred to as PeakLight. The loader had earlier been documented by Palo Alto Networks and by Ukraine's main state cyber agency, SSSCIP, which described its use in email-borne campaigns targeting Ukrainian entities. In this MaaS operation, Talos found the same Emmenhtal variant, but distribution through GitHub marked a significant shift. Whereas the earlier Ukraine-focused operation delivered a backdoor called SmokeLoader, the GitHub distribution directed victims to install Amadey, another known malware platform. Amadey, which first emerged in 2018 as a botnet-building tool, primarily gathers system information from compromised devices and downloads tailored secondary payloads chosen for each campaign's objectives.
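The researchers' point that GitHub traffic is hard to tell apart from legitimate developer downloads becomes, on the defender's side, a triage problem over proxy logs: which successful fetches from GitHub-serving hostnames are payload-like files from accounts the organisation has never vetted, and which are ordinary source pulls by developer machines? The Python below is an added example, not Talos's or GitHub's tooling. The proxy log layout, the sample lines, the IP ranges, the `exampleorg` and `throwaway-acct-123` account names, and the extension and content-type lists are all constructed for illustration; only the GitHub hostnames are real.

```python
"""Triage proxy log lines for file downloads from GitHub-hosted URLs.

Added illustration for the article above; not Talos's or GitHub's tooling.
Log layout, IP ranges, account names and extension lists are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

# Hostnames from which GitHub serves repository files and release assets.
GITHUB_FILE_HOSTS = {
    "github.com",
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
    "codeload.github.com",
}

# Illustrative markers of a binary, script or archive payload rather than source code.
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".msi", ".scr", ".ps1", ".bat", ".cmd",
                      ".vbs", ".js", ".hta", ".lnk", ".iso", ".zip", ".7z", ".rar")
PAYLOAD_CONTENT_TYPES = {"application/octet-stream", "application/x-msdownload",
                         "application/x-dosexec", "application/zip"}

# Constructed sample log: "<ts> <src_ip> <method> <url> <status> <content-type>".
SAMPLE_LOG = """\
2025-07-16T09:58:03Z 10.20.5.17 GET https://github.com/exampleorg/internal-tools/archive/refs/heads/main.zip 200 application/zip
2025-07-16T10:02:11Z 10.50.8.44 GET https://raw.githubusercontent.com/throwaway-acct-123/stage1/main/loader.js 200 text/plain
2025-07-16T10:02:14Z 10.50.8.44 GET https://github.com/throwaway-acct-123/stage1/raw/main/update.exe 200 application/octet-stream
2025-07-16T10:05:40Z 10.20.5.17 GET https://raw.githubusercontent.com/python/cpython/main/README.rst 200 text/plain
2025-07-16T10:07:02Z 10.50.8.44 GET https://raw.githubusercontent.com/throwaway-acct-123/stage1/main/README.md 200 text/plain
"""


@dataclass(frozen=True)
class Finding:
    src_ip: str
    url: str
    owner: Optional[str]
    reason: str


def github_owner(url: str) -> Optional[str]:
    """Return the GitHub account in the URL path, where the URL layout exposes it."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    segments = [s for s in parsed.path.split("/") if s]
    if host in ("github.com", "raw.githubusercontent.com", "codeload.github.com") and segments:
        return segments[0].lower()
    return None  # release-asset CDN URLs carry an opaque path, not the account


def looks_like_payload(url: str, content_type: str) -> bool:
    """True when the extension or served content type suggests an executable, script or archive."""
    path = urlparse(url).path.lower()
    return path.endswith(PAYLOAD_EXTENSIONS) or content_type.lower() in PAYLOAD_CONTENT_TYPES


def parse_proxy_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one line of the constructed layout; return None for anything malformed."""
    fields = line.split()
    if len(fields) != 6:
        return None
    keys = ("ts", "src_ip", "method", "url", "status", "ctype")
    return dict(zip(keys, fields))


def triage(lines: Iterable[str], approved_owners: Iterable[str],
           developer_nets: Iterable[str]) -> List[Finding]:
    """Flag successful GitHub file fetches that fall outside expected developer traffic."""
    approved = {o.lower() for o in approved_owners}
    nets = [ipaddress.ip_network(n) for n in developer_nets]
    findings: List[Finding] = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None or rec["status"] != "200":
            continue
        if urlparse(rec["url"]).netloc.lower() not in GITHUB_FILE_HOSTS:
            continue
        owner = github_owner(rec["url"])
        if owner in approved:
            continue  # fetches from the organisation's own or vetted accounts are expected
        from_developer = any(ipaddress.ip_address(rec["src_ip"]) in n for n in nets)
        if looks_like_payload(rec["url"], rec["ctype"]):
            reason = "payload-like file from unvetted GitHub account"
        elif not from_developer:
            reason = "GitHub file fetch from non-developer host"
        else:
            continue  # source-like file pulled by a developer machine: routine
        findings.append(Finding(rec["src_ip"], rec["url"], owner, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines(), ["exampleorg"], ["10.20.0.0/16"]):
        print(f"{f.src_ip} {f.reason}: {f.url} (account={f.owner})")
```

On the constructed sample this yields three findings: the `loader.js` and `update.exe` fetches from the unvetted account, and the same non-developer host pulling that account's `README.md`. The design choice worth noting is that the account name, not the domain, carries the signal: blocking `github.com` outright is what the researchers say most development teams cannot afford, so the rule allowlists the accounts an organisation actually depends on and scores the rest by file type and by whether the requesting host belongs to a developer subnet. Release assets served from `objects.githubusercontent.com` do not expose the account in the URL, so in a real deployment they would need correlation with the preceding `github.com` request.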

Source: Ars Technica

Published on: Jul 17, 2025, 22:20
