The ubiquity of GitHub in information technology (IT) environments has made it a lucrative choice for threat actors to host and deliver malicious payloads and act as dead drop resolvers, command-and-control, and data exfiltration points.
“Using GitHub services for malicious infrastructure allows adversaries to blend in with legitimate network traffic, often bypassing traditional security defenses and making upstream infrastructure tracking and actor attribution more difficult,” Recorded Future said in a report shared with The Hacker News.
The cybersecurity firm described the approach as “living-off-trusted-sites” (LOTS), a spin on the living-off-the-land (LotL) techniques often adopted by threat actors to conceal rogue activity and fly under the radar.
Prominent among the methods by which GitHub is abused relates to payload delivery, with some actors leveraging its features for command-and-control (C2) obfuscation. Last month, ReversingLabs detailed a number of rogue Python packages that relied on a secret gist hosted on GitHub to receive malicious commands on the compromised hosts.
While full-fledged C2 implementations in GitHub are uncommon in comparison to other infrastructure schemes, its use by threat actors as a dead drop resolver – wherein the information from an actor-controlled GitHub repository is used to obtain the actual C2 URL – is a lot more prevalent, as evidenced in the case of malware like Drokbk and ShellBox.
Also rarely observed is the abuse of GitHub for data exfiltration, which, per Recorded Future, is likely due to file size and storage limitations and concerns around discoverability.
Outside of these four main schemes, the platform’s offerings are put to use in various other ways in order to meet infrastructure-related purposes. For instance, GitHub Pages have been used as phishing hosts or traffic redirectors, with some campaigns utilizing GitHub repositories as a backup C2 channel.
The development speaks to the broader trend of legitimate internet services such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello, and Discord being exploited by threat actors. This also extends to other source code and version control platforms like GitLab, BitBucket, and Codeberg.
“There is no universal solution for GitHub abuse detection,” the company said. “A mix of detection strategies is needed, influenced by specific environments and factors such as the availability of logs, organizational structure, service usage patterns, and risk tolerance, among others.”
________________________________________________
🚀 Dominate the Digital World with the Best Hosting in Argentina! 🚀
At Full Tech Solutions, we provide high-performance Cloud Hosting, perfect for entrepreneurs, businesses, and developers who need speed, security, and expert support.
✨ Lightning-Fast Speed: Your website will load in the blink of an eye.
🔒 Top-Notch Security: Advanced protection for your data and peace of mind for your business.
📞 24/7 Support: Our team of experts is always ready to help you.
Don’t just choose any hosting. Choose the best with Full Tech Solutions and stand out from the crowd.
🌐 Boost your online presence with Argentina’s most reliable hosting!
