Be careful: a miner malware installer is on GitHub

Analysts at Avast Software reported a new method for covertly distributing cryptocurrency miners. They found a malicious installer hidden in IT projects on GitHub.

The detected malicious program is spread exclusively through phishing advertising, which is mostly hosted on adult websites or resources dedicated to computer games. In addition to the banners, which are tied to a server with a redirector on GitHub, the researchers found a portal offering the same malware disguised as an erotic game.

To become infected, the user does not need to download anything; it is enough to click a banner that offers to update an old version of Adobe Flash Player. If the user agrees to the update, the disguised malware is downloaded to the computer.

It is noteworthy that, in addition to the crypto miner, a malicious Chrome extension is downloaded to the device. To activate it, the malware forcibly terminates all browser processes so that the victim restarts the browser. For some unknown reason, the malware also shuts down Opera and Amigo Free Browsers. After Chrome restarts, the malicious extension works in the background, embedding advertising into Google and Yahoo search results and manipulating clicks on ad pages, which brings the scammers additional revenue.

However, the hackers' main goal is to start the Monero miner, which is also available on GitHub. Note that this currency, due to its high degree of anonymity, has already earned the reputation of “the darling of cybercriminals”.

The miner used in this campaign is digitally signed and is designed to ensure that the theft of processor power will be extremely hard to notice. Hackers will deliberately overload the processor.

GitHub, together with Avast, has already started work on removing the infected copies of projects. Experts admit that using GitHub to host malicious code is an unusual move, but it has its advantages: the malware is stored for free on a reliable resource with unlimited traffic.
