Cybercriminals spotted hiding cryptocurrency mining malware in forked projects on GitHub

Those behind the campaign are tailoring the Monero cryptojacking malware to use a limited amount of CPU power in order to evade infections being detected.
Written by Danny Palmer, Senior Writer


Cybercriminals have found another way to spread their malware: uploading cryptocurrency mining code to GitHub, according to security researchers at security company Avast.

Developers 'fork' projects on GitHub, which means making a copy of someone else's project in order to build on it. In this case, the cybercriminals fork random projects and then hide malicious executables in the directory structure of these new projects, the researchers said.

Users don't need to download the malicious executables directly from GitHub. Instead, the malware is spread via a phishing ad campaign. When a user visits a site that displays the phishing ads and clicks on one, the executable downloads, the researchers said.

If the user clicks on one of these adverts, they're told their Flash Player is out of date and provided with a fake update which, if downloaded, will infect them with the malware. This update is provided via a redirect to GitHub, where the code is hosted, hidden in forked projects.

While hosting malware on GitHub is described by researchers as "unusual", they point to it being beneficial to the attackers because it offers unlimited bandwidth.


In addition to this, the malware also installs a malicious Chrome extension which injects and clicks on adverts in the background, allowing attackers to extract even more profit from the cryptojacking campaign.

The malware itself is primarily designed for mining Monero, an increasingly popular cryptocurrency for criminals as it's both easy to mine and offers a range of privacy benefits.

The covert nature of cryptocurrency mining already means it often goes undetected, since most users won't link loudly running fans to an infection. Those behind this campaign have gone further: the malware is coded to use at most half of the CPU.

This leaves the victim able to use the computer as normal and keeps the fans from spinning up, so the mining stays undetected and continues to produce Monero over a longer period of time.

"When people's PCs lag and run sluggish, they tend to investigate why their computer is using all the CPU power, searching for the apps that are using up the most CPU and memory," Michal Salat, director of threat intelligence at Avast, told ZDNet.

"By using less CPU power, the cybercriminals keep a low profile and maximize their profit by going unnoticed and thus prolonging the time they are able to exploit the infected hardware for more money."
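To show why this throttling defeats a simple "high CPU" alert, here is an added defender-side check (not code from Avast or from the article) run over constructed process telemetry: it flags a process whose CPU use sits in a steady mid-range band for a long stretch, the profile of a miner capped at half the CPU, while a spiky browser and a short build job pass. The process names and sample values are invented for the illustration.

```python
"""Flag processes whose CPU use stays in a steady mid-range band for a long
stretch (the low-and-slow profile of a miner capped at half the CPU).
Constructed example: the telemetry below is invented, not real data."""
from collections import defaultdict
from statistics import pstdev

# Constructed per-process CPU samples: (seconds since start, process, cpu_pct),
# one sample per minute for an hour. The capped miner hovers at 45-49%, the
# browser spikes and idles, the build pins the CPU for five minutes then stops,
# and a short installer runs at 50% for ten minutes only.
SAMPLES = []
for t in range(0, 3600, 60):
    SAMPLES.append((t, "flashupdate.exe", 45 + (t // 60) % 5))   # hypothetical miner
    SAMPLES.append((t, "chrome.exe", 90 if (t // 60) % 10 == 0 else 3))
    SAMPLES.append((t, "cl.exe", 100 if t < 300 else 0))
    if t < 600:
        SAMPLES.append((t, "setup.exe", 50))


def naive_high_cpu_alert(samples, threshold=80):
    """The spike-based rule a throttled miner is built to evade: any process
    that ever exceeds the threshold."""
    return sorted({name for _, name, cpu in samples if cpu > threshold})


def find_throttled_miners(samples, low=35.0, high=60.0, min_duration=1800,
                          min_band_fraction=0.9, max_stdev=8.0):
    """Return process names whose samples span at least min_duration seconds,
    sit inside [low, high] for min_band_fraction of that span, and show low
    variance. Spiky workloads fail the band/variance tests; short bursts fail
    the duration test."""
    by_proc = defaultdict(list)
    for ts, name, cpu in samples:
        by_proc[name].append((ts, cpu))
    flagged = []
    for name, series in by_proc.items():
        series.sort()
        if series[-1][0] - series[0][0] < min_duration:
            continue                      # too short to be a long-running miner
        cpus = [c for _, c in series]
        in_band = sum(low <= c <= high for c in cpus) / len(cpus)
        if in_band >= min_band_fraction and pstdev(cpus) <= max_stdev:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print("spike rule fires on:", naive_high_cpu_alert(SAMPLES))
    print("steady-band rule fires on:", find_throttled_miners(SAMPLES))
```

The spike rule never sees the miner; the steady-band rule catches it without flagging the browser or the build.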

While GitHub has actively been working with Avast to remove the malicious forked projects containing the code, those behind this malware campaign are extremely persistent and are repeatedly uploading it to the repository.


"GitHub has been taking down the malware as they discover it and we are working with them to provide them with the latest malicious repositories to ensure takedown before anyone is able to download the malicious code," said Salat.

A GitHub spokesperson told ZDNet: "We don't actively moderate the content that people share on GitHub, but when we receive reports of content that may be in violation of our Terms of Service, a team investigates the content and surrounding facts thoroughly and responds as appropriate. In some cases that may mean disabling content."

In order to avoid falling victim to this type of attack, researchers recommend that GitHub users only use official repositories or trusted forks as they're less likely to be compromised.
