OPEN SOURCE DEVELOPERS who have published their code on GitHub are being targeted by malware that can steal passwords, download sensitive files, and even has the ability to self-destruct.
The malware, dubbed Dimnie Trojan, has been around since 2014, according to Palo Alto Networks researchers. They say that during its lifespan it has undergone few changes, but it had largely flown under the radar until recently because it focused on Russian targets.
Palo Alto Networks first became aware of reports of open source developers receiving malicious emails in mid-January. These dodgy emails included requests for help with development projects and offers of payment for custom programming jobs, aimed at enticing developers to download attachments.
The emails carried .gz (gzipped) attachments containing Word documents with malicious macro code. The document's macro uses PowerShell commands to download and execute payloads.
Once executed, the PowerShell script reaches out to a remote server and downloads the malware program known as Dimnie.
The software gives attackers a range of capabilities that it can tailor depending on its target. This includes keylogging, screenshotting, interacting with smart cards and extracting data from a computer. There's also a self-destruct module that removes all files from the system drive to ensure that there is no trace of the malware if someone goes looking for it.
Its code is padded with additional unnecessary characters, which helps it go unnoticed on Windows. Security software is tricked into believing there is no threat through a number of methods, including sending captured data in web requests that appear to be destined for Google-owned domains; the information is instead sent to an address controlled by the attackers.
Stolen data is encrypted and appended to image headers in transit. None of it is written to the infected computer's hard drive; instead, Dimnie loads the code directly into memory.
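The exfiltration trick described above (requests that name a Google-owned host but travel to an attacker-controlled address) is one a defender can look for in proxy or firewall logs. The following is an added example, not code from the article or from Palo Alto Networks, that scans a few constructed HTTP log lines and flags requests whose Host header looks like a Google domain while the destination IP is outside the address space the organisation expects Google traffic to use. The log format, the `EXPECTED_GOOGLE_NETS` netblock and the sample lines are all constructed placeholders.

```python
"""Flag HTTP requests whose Host header claims a Google domain but whose
destination IP is not where Google traffic is expected to go.
Added example; log format, netblocks and sample lines are constructed."""
import ipaddress
import re

# Placeholder standing in for the address space your resolvers/CDN data show
# Google traffic using. Constructed for this example, NOT real Google ranges.
EXPECTED_GOOGLE_NETS = [ipaddress.ip_network("198.51.100.0/24")]
GOOGLE_SUFFIXES = ("google.com", "googleapis.com", "googleusercontent.com")

# Constructed key=value proxy log format used only by this example.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host="(?P<host>[^"]*)" '
    r'method=(?P<method>\S+) uri="(?P<uri>[^"]*)" bytes_out=(?P<bytes_out>\d+)$'
)

# Constructed sample log lines: two ordinary requests, one mismatch, one unrelated.
SAMPLE_LOG = """\
2017-03-28T10:01:02Z src=10.0.0.5 dst=198.51.100.20 host="www.google.com" method=GET uri="/" bytes_out=412
2017-03-28T10:01:09Z src=10.0.0.5 dst=198.51.100.21 host="www.googleapis.com" method=GET uri="/discovery" bytes_out=380
2017-03-28T10:02:41Z src=10.0.0.5 dst=203.0.113.7 host="google.com" method=POST uri="/upload/img.jpg" bytes_out=193044
2017-03-28T10:03:00Z src=10.0.0.5 dst=203.0.113.9 host="www.example.org" method=GET uri="/" bytes_out=300
"""


def host_looks_google(host: str) -> bool:
    """True if the Host header (minus any port) is a Google-owned domain or subdomain."""
    h = host.lower().split(":")[0]
    return any(h == s or h.endswith("." + s) for s in GOOGLE_SUFFIXES)


def is_expected_destination(ip: str) -> bool:
    """True if the destination IP falls inside the expected Google netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_GOOGLE_NETS)


def find_host_ip_mismatches(log_text: str) -> list:
    """Return one finding per request whose Host is Google but whose
    destination IP is not in the expected ranges. Malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if host_looks_google(rec["host"]) and not is_expected_destination(rec["dst"]):
            findings.append({
                "ts": rec["ts"],
                "src": rec["src"],
                "dst": rec["dst"],
                "host": rec["host"],
                "method": rec["method"],
                "bytes_out": int(rec["bytes_out"]),
                "reason": "Host header names a Google domain but destination IP is outside expected ranges",
            })
    return findings


if __name__ == "__main__":
    for f in find_host_ip_mismatches(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']} ({f['host']}) {f['method']} {f['bytes_out']}B: {f['reason']}")
```

A large outbound body on the flagged request, as in the third sample line, is the combination worth prioritising: the article notes the stolen data is appended to image headers, so a POST of an "image" to a mismatched destination fits the described behaviour. Keep the expected netblocks maintained from authoritative DNS or CDN data; a stale list produces false positives rather than missed detections.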
The researchers did not suggest who could be behind the campaign or the motivation of targeting open source developers. However, Tod Beardsley, research director at Rapid7, suggested that open source developers were an attractive target for malware because they work on libraries and utilities that end up on millions of devices worldwide.
"It's a great reminder that developers who are publishing code, as a class, do need to stay extra vigilant when handling binaries from unknown sources," he said.
But he warned that the vigilance might be at odds with the typical helpfulness that's common to many open source communities.
"While it might be uncomfortable to be less helpful to strangers, developers need to protect their users as well as themselves from these kinds of social engineering attacks," he said.
He added that the most obvious 'red flag' in the phishing emails was the gzipped Microsoft Word document, as Microsoft Word users will rarely, if ever, use gzip, which is much more of a Linux compression tool.
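The infection chain described earlier (a .gz attachment unpacking to a Word document with a macro) and the 'red flag' Beardsley points to here can be turned into a simple attachment triage check. The following is an added example, not code from the article, from Palo Alto Networks or from Rapid7: it decompresses a gzip attachment in memory, identifies whether the payload is a Word container (OOXML zip or legacy OLE compound file), and looks for the VBA macro indicators those formats carry. The sample attachments are built in memory and are constructed for this example; the OLE macro check is a coarse byte scan, not a full compound-file parser.

```python
"""Triage a gzip-wrapped attachment: is it a Word document, and does it carry macros?
Added example; the sample attachments below are constructed in memory."""
import gzip
import io
import zipfile

GZIP_MAGIC = b"\x1f\x8b"
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML container (.docx/.docm)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy compound file (.doc)


def inspect_office_payload(payload: bytes) -> dict:
    """Classify decompressed bytes and look for VBA macro indicators."""
    info = {"format": "unknown", "has_macros": False}
    if payload.startswith(ZIP_MAGIC):
        info["format"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            names = [n.lower() for n in zf.namelist()]
        # OOXML keeps VBA in a vbaProject.bin part; its presence means macros.
        info["has_macros"] = any(n.endswith("vbaproject.bin") for n in names)
    elif payload.startswith(OLE_MAGIC):
        info["format"] = "ole"
        # Coarse check: OLE directory entry names are UTF-16LE, so a VBA storage
        # shows up as "V\0B\0A\0". A full parser would walk the FAT/directory.
        info["has_macros"] = b"V\x00B\x00A\x00" in payload
    return info


def triage_gz_attachment(data: bytes) -> dict:
    """Decompress a gzip attachment and rate it. A Word document inside gzip is
    itself the red flag; macros raise the severity further."""
    if not data.startswith(GZIP_MAGIC):
        return {"gzip": False, "format": "unknown", "has_macros": False, "severity": "none"}
    try:
        payload = gzip.decompress(data)
    except (OSError, EOFError):
        return {"gzip": True, "format": "corrupt", "has_macros": False, "severity": "low"}
    info = inspect_office_payload(payload)
    info["gzip"] = True
    if info["has_macros"]:
        info["severity"] = "high"
    elif info["format"] != "unknown":
        info["severity"] = "medium"
    else:
        info["severity"] = "low"
    return info


def _build_ooxml(with_macros: bool) -> bytes:
    """Build a minimal constructed OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: macro-bearing Word doc, clean Word doc, legacy OLE doc
# with a VBA storage name, plain text, and a non-gzip attachment.
SAMPLE_MACRO_DOC_GZ = gzip.compress(_build_ooxml(with_macros=True))
SAMPLE_CLEAN_DOC_GZ = gzip.compress(_build_ooxml(with_macros=False))
SAMPLE_OLE_MACRO_GZ = gzip.compress(OLE_MAGIC + b"\x00" * 64 + b"V\x00B\x00A\x00" + b"\x00" * 64)
SAMPLE_TEXT_GZ = gzip.compress(b"just a text file")
SAMPLE_NOT_GZ = b"%PDF-1.4 not gzip at all"


if __name__ == "__main__":
    for name, blob in [("macro_doc.gz", SAMPLE_MACRO_DOC_GZ), ("clean_doc.gz", SAMPLE_CLEAN_DOC_GZ),
                       ("ole_macro.gz", SAMPLE_OLE_MACRO_GZ), ("notes.txt.gz", SAMPLE_TEXT_GZ),
                       ("report.pdf", SAMPLE_NOT_GZ)]:
        print(name, triage_gz_attachment(blob))
```

In a mail gateway the "medium" verdict alone (a Word document delivered inside gzip) is worth quarantining or at least flagging for review, for exactly the reason given above: that packaging is unusual for Word users, so the format mismatch is a signal even before any macro is found.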