Wednesday 2 October 11:20 - 11:50, Green room
Jaromir Horejsi & Nitesh Surana (Trend Micro)
Cloud-based remote development environments allow developers to virtually develop code from anywhere and start right from any device with a browser and an internet connection. GitHub Codespaces, initially in preview for specific users, became widely available for free in November 2022 during the GitHub Universe online event. This cloud-based IDE allows developers and organizations to customize projects by using configuration-as-code features, easing some previous pain points in project development. Since any GitHub user could create Codespaces, it did not take long for attackers to find ways of abusing this service.
Since June 2023, we have noticed in-the-wild campaigns spreading infostealer malware. We found that GitHub Codespaces was being abused to develop, host and exfiltrate stolen information via webhooks. This is the first time GitHub Codespaces has been abused by cybercriminals to develop infostealing malware.
In this presentation we will introduce Github Codespaces and go through the different features of this service. We then have a look at the malicious campaigns and malware families observed in the wild. One interesting and discussed piece of malware is called DeltaStealer, a family of credential stealers implemented in Rustlang or frameworks like NodeJS. The stealer's source code seems to be a rinse-and-repeat of similar projects shared on GitHub, hence several variants of the malware exist. Some variants of the stealer possess quite unique features – in addition to implementing anti-debug features, credential stealing capabilities for Chromium-based web browsers, cryptocurrency wallets and applications like Discord and Steam, they achieve persistence using a well-known technique of patching Discord ASAR files. The patch lowers the security of the authentication process in Discord, and exfiltrates sensitive user information to a cloud-based webhook.
The infostealers have been developed using cloud-based IDEs and contain interesting artifacts like debug symbols, which in turn reveal information about the developer(s) of the infostealer. The developer(s) behind this family of stealers are also quite active on various social media platforms, where they boast about the capabilities of their infostealers. In the presentation, we will include some of the screenshots shared on social media proving the usage of cloud-based IDEs. We will conclude the presentation with insights on how to hunt for similar threats, and recommendations on the measures one can take against such evolving threats where malware authors leverage cloud services to rapidly develop infostealers.
 |
Jaromir Horejsi Jaromir Horejsi is a senior threat researcher for Trend Micro Research. He specializes in tracking and reverse engineering threats such as APTs, DDoS botnets, banking trojans, click fraud, and ransomware that target both Windows and Linux. His work has been presented at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf and CARO.
|
 |
Nitesh Surana Nitesh Surana is a senior threat researcher with Trend Micro where he specializes in cloud vulnerability and security research. He was listed in the top 100 MSRC Most Valuable Security Researchers in 2023 for his submissions to Microsoft via the Zero Day Initiative. He has presented at conferences such as Black Hat (USA, Asia), HackInTheBox, HackInParis, Nullcon, c0c0n, Security BSides, NDC Oslo and OWASP/Null Bangalore meetups. Apart from playing with packets and syscalls, he is often to be found attending concerts and writing/playing music. |
Back to VB2024 conference page