Just because it’s on GitHub doesn’t mean it’s legitimate.

A financially motivated espionage group is abusing a GitHub repository for C&C (command and control) communications, Trend Micro warned.
Researchers found malware used by Winnti, a group mainly known for targeting the online gaming industry, was connecting to a GitHub account to obtain the exact location of its C&C servers.

The malware looked up an HTML page stored in the GitHub project to obtain the encrypted string containing the IP address and port number for the C&C server, wrote Trend Micro threat researcher Cedric Pernet on the TrendLabs Security Intelligence blog.
It would then connect to that IP address and port to receive further instructions.

As long as the group kept the HTML page updated with the latest location information, the malware would be able to find and connect to the C&C server.