Malware installs a malicious Chrome extension that exploits an old version of AdBlock.
New research from Avast Threat Labs shows that cybercriminals are aggressively uploading cryptocurrency mining malware to leading software development platform GitHub.
The culprits fork other projects (producing a copy of someone else's project) to use as a starting point, then push a new commit containing the malware to the forked project.
Venezuela, Indonesia, Egypt, India and Pakistan are among the top 10 countries targeted.
The cybercriminals behind the malware are hiding malicious executables in the directory structure of the forked projects. People are tricked into downloading the malware through phishing ads shown on online gaming and adult websites, warning users that their Flash Player is outdated, for example, as well as through a fake adult content gaming site.
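The technique described above, executables tucked into the directory tree of a forked repository, is detectable by inspecting file contents rather than trusting file names. The following is an added example, not Avast's tooling or anything from the campaign, that walks a checked-out repository, identifies native executables by their headers (PE, ELF, Mach-O) and flags those whose file extension does not match. The sample repository it builds in a temporary directory, including a stub PE header, is constructed for the demonstration.

```python
import os
import tempfile

# Extensions under which a native executable is "expected"; anything else is a mismatch.
# Constructed policy for the example; adjust to the repository's conventions.
NATIVE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".so", ".dylib", ""}

MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe")


def identify_executable(data: bytes):
    """Return a format name if the leading bytes look like a native executable, else None."""
    if data[:2] == b"MZ":
        # A real PE file has a DOS header whose e_lfanew field (offset 0x3C)
        # points at the "PE\0\0" signature; check it rather than trusting "MZ" alone.
        if len(data) >= 0x40:
            e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "PE"
        return "MZ (DOS executable or truncated PE)"
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:4] in MACHO_MAGICS:
        return "Mach-O"
    return None


def scan_tree(root: str):
    """Walk a repository tree and return (relative_path, format, extension_mismatch) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip git internals: object storage is not part of the checked-out tree.
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # headers live at the start; no need to read whole files
            fmt = identify_executable(head)
            if fmt is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, fmt, ext not in NATIVE_EXTENSIONS))
    return sorted(findings)


def make_fake_pe() -> bytes:
    """Constructed stub: a DOS header with e_lfanew pointing at a PE signature. Not runnable."""
    e_lfanew = 0x40
    header = bytearray(b"MZ")
    header += b"\x00" * (0x3C - len(header))
    header += e_lfanew.to_bytes(4, "little")
    header += b"\x00" * (e_lfanew - len(header))
    header += b"PE\x00\x00"
    return bytes(header)


def build_sample_repo() -> str:
    """Create a constructed repository layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="fork-scan-")
    files = {
        "README.md": b"# sample project\n",
        "src/main.js": b"console.log('hello');\n",
        "assets/img/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,   # genuine image header
        "assets/img/update.png": make_fake_pe(),                       # executable disguised as image
        "build/tool.exe": make_fake_pe(),                              # executable with honest name
        "lib/helper.dat": b"\x7fELF" + b"\x00" * 12,                   # ELF under a data extension
        ".git/objects/ab/cdef": make_fake_pe(),                        # must be skipped
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for rel, fmt, mismatch in scan_tree(repo):
        flag = "EXTENSION MISMATCH" if mismatch else "native executable"
        print(f"{rel}: {fmt} ({flag})")
```

Running the scan over a freshly cloned fork, or over the files touched by a new commit, surfaces binaries hidden under innocuous names; the extension mismatch is the stronger signal, since a project that legitimately ships `.exe` or `.so` files rarely stores them as `.png` or `.dat`.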
As the researchers note, with a soupçon of sarcasm: “Hosting malware on GitHub is unusual, but we have to admit, we see some of its benefits. The malware is hosted for free, on a reliable platform with unlimited bandwidth. The version history is available for malware researchers, like us, to view and on top of that, we can see the malware in real-time. Thank you very much!”
The malware incorporates a Monero miner that is also hosted on GitHub. In addition to mining, the malware installs a malicious Chrome extension that exploits an old version of the AdBlock Chrome extension. The malicious script from the extension injects ads into victims' Google and Yahoo search results, to make money from clicks.
The researchers conclude: “The malware is still live and being hosted on GitHub. We are working together with GitHub, supplying them with new repositories containing the malware, which GitHub is removing. We have reached out to Google, notifying them of the extension. At the time of publishing this post, the extension has not been blocked by Google.”
They added: “We aren’t sure how much the cybercriminals behind this campaign have earned through the malicious extension and the mining malware. We tried looking up their Monero account balance, but sadly, Monero said ‘no!’”…