Hackers know we’re more likely to fall for their schemes if we’re emotionally compromised. As such, one infamous tactic involves giving people false hope and dashing it at the last minute, leaving the victim with nothing but malware. And now, this practice is sweeping through GitHub.
So, if you see a suspicious GitHub link, don’t click it; it’s another trick malware developers are pushing to get you to download malware.
What Is the “Helpful GitHub Link” Threat?
As reported by Bleeping Computer, this threat appears in the comments section of GitHub. Attackers home in on threads where someone is asking for a fix for a problem, posting a supposedly “helpful” file that harbors malware.
In an example posted to /r/malware on Reddit, user u/shdwchn10 found a thread where someone had an issue with a YouTube downloader. In a response to the thread, the malicious agent stated that they had a fix, posting a link to a ZIP archive containing malware. After running the file, the person who downloaded it got a warning that someone was trying to log into their account from another location.
What Happens If You Click on a Malicious GitHub Link?
If you do click the link, it will lead to a download page for a malicious ZIP file. Fortunately, the attack doesn’t take effect until you download the ZIP, use the password to unlock the archive, and then run the file within. Until that point, you can still back out, and you won’t be infected.
If you run the file within the folder, it will install the LummaC2 Trojan Stealer malware. As described by SOCRadar, this malware hides on the victim’s computer and begins scraping it for information. This includes any saved usernames and passwords in browsers, which is likely how the person who suffered an attack in the above example had people trying to breach their GitHub account.
LummaC2 Trojan Stealer can also add the target computer to a botnet, enlisting it in a larger network that the malicious agents can use to perform further attacks. And because LummaC2 Trojan Stealer is malware-as-a-service, it’s very easy for someone to bundle it into a ZIP file and spread it around.
How to Handle a Malicious GitHub Link
Fortunately, you can take plenty of countermeasures to avoid this nasty attack.
Be Careful Around Password-Protected ZIP Files
If you’re concerned about downloading something malicious from GitHub, the first warning sign is if it arrives in a password-protected ZIP file. When you password-protect a ZIP file, your computer encrypts the contents to prevent people from peeking into files they’re not allowed to see.
However, this encryption is a double-edged sword, as it also hides any malicious apps from antivirus scans, allowing them to be downloaded and run without anything stopping them. There is little reason for anyone who’s sharing a fix to password-protect the ZIP file, so treat such archives with extreme caution.
If you download a file from a GitHub link and discover that it’s password-protected, you still have time to delete it if you don’t trust it. The malware needs to be unpacked and executed for it to work, so you can safely erase it without any risk of infection.
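Because a scanner cannot look inside encrypted entries, you can at least check the archive’s headers yourself before unpacking anything. The script below is an added example (not from the article or the Reddit post): it lists each entry’s encryption flag and flags executable-looking names without extracting or running a single file. The sample archive it builds is constructed here, with harmless text contents and only the header flag bit changed.

```python
import io
import struct
import zipfile

# File types that a "fix" shared in a GitHub comment should rarely need to ship as a runnable binary.
RISKY_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".lnk", ".msi", ".dll")


def triage_zip(data: bytes) -> dict:
    """Read only the ZIP directory (never the contents) and report warning signs."""
    report = {"encrypted": [], "risky_names": [], "nested_archives": [], "total": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["total"] += 1
            name = info.filename.lower()
            # Bit 0 of the general-purpose flag marks an encrypted entry: antivirus cannot inspect it.
            if info.flag_bits & 0x1:
                report["encrypted"].append(info.filename)
            if name.endswith(RISKY_SUFFIXES):
                report["risky_names"].append(info.filename)
            if name.endswith((".zip", ".rar", ".7z")):
                report["nested_archives"].append(info.filename)
    report["suspicious"] = bool(report["encrypted"] or report["risky_names"])
    return report


def constructed_sample(encrypted: bool) -> bytes:
    """Constructed test archive: two text entries; optionally mark them encrypted by setting flag bit 0
    in the local and central headers (the contents stay plain text, which is all triage_zip cares about)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fix/README.txt", "apply the fix")
        zf.writestr("fix/Fix-Installer.exe", "not a real binary")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flag field sits at offset 6 in a local header (PK\x03\x04) and offset 8 in a central one (PK\x01\x02).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + off)[0] | 0x1
                struct.pack_into("<H", data, pos + off, flags)
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    print(triage_zip(constructed_sample(encrypted=True)))
```

Run it against a real download by passing the file’s bytes to triage_zip; an archive that is both encrypted and carries an executable is exactly the pattern the article describes.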
Look closely at the comment’s contents. If it looks generic and devoid of real content, it’s likely a copy-paste post designed to apply to any thread the malicious agent encounters. A genuine solution will include reasoning and ideas about the issue.
If you see a suspicious link, do not quote it to warn others that it’s malware. GitHub’s commenting system will detect the malware link in your comment and ban you. Make a separate comment without quoting it, and be sure to report the comment.
What to Do If You’re Infected
If you did run the file, be aware that reports state it’s very hard for antivirus software to detect LummaC2 Trojan Stealer once it’s past the initial scan. Your best bet is to install a clean operating system and change your passwords.
While GitHub is full of helpful people, not everyone is who they say they are. Be vigilant when clicking GitHub links, and avoid getting hit by this nasty piece of work.