Open source developers who published their code on free source-code hosting website GitHub have been targeted by malware that can steal passwords, download sensitive files, take screenshots of important information and even has the ability to self-destruct.
The malware, dubbed Dimnie Trojan, has been around since 2014, according to Palo Alto Networks researchers. They say that during its lifespan, it appears to have undergone few changes, but has largely flown under the radar until recently because it had focused on Russian targets.
Palo Alto Networks first became aware of reports of open-source developers receiving malicious emails in mid-January, when several owners of GitHub repositories received phishing e-mails. The emails included requests for help with development projects and offers of payment for custom programming jobs, all aimed at enticing developers to download attachments.
The emails carried .gz (gzipped) attachments that contained Word documents with malicious macro code. The macro uses PowerShell commands to download and execute payloads.
Once executed, the PowerShell script reaches out to a remote server and downloads the malware program known as Dimnie.
The software gives attackers a range of capabilities that it can tailor depending on its target. This includes keylogging, screenshotting, interacting with smartcards and extracting data from a computer. There's also a self-destruct module that removes all files from the system drive to ensure that there is no trace of the malware if someone goes looking for it.
It goes unnoticed by Windows because of additional, unnecessary characters padding its code. Security software is tricked into thinking the threat is no longer an issue through a number of methods, including the ability to exfiltrate captured data using web requests that appear to be sent to Google-owned domains. Instead, the information is sent to an address controlled by the attackers.
Stolen data is encrypted and appended to image headers during transit. The malware's modules are never written to the hard drive of the infected computer; instead Dimnie loads the code directly into memory.
The researchers did not suggest who could be behind the campaign or the motivation of targeting open source developers. However, Tod Beardsley, research director at Rapid7, suggested that open source developers were an attractive target for malware because they work on libraries and utilities that end up on millions of devices worldwide.
"It's a great reminder that developers who are publishing code, as a class, do need to stay extra vigilant when handling binaries from unknown sources," he said.
But he warned that the vigilance might be at odds with the typical helpfulness that's common to many open source communities.
"While it might be uncomfortable to be less helpful to strangers, developers need to protect their users as well as themselves from these kinds of social engineering attacks," he said.
He added that the most obvious 'red flag' with the phishing emails was the gzipped Microsoft Word document, as Microsoft Word users will rarely, if ever, use gzip; it is much more of a Linux compression tool.