From code to crime: exploring threats in GitHub Codespaces - Jaromir Horejsi & Nitesh Surana
Presented at the VB2024 conference in Dublin, 2-4 October 2024.
↓ Slides: https://www.virusbulletin.com/uploads/pdf/conference/vb2024/slides/Slides-From-code-to-crime-exploring-threats-in-GitHub-Codespaces.pdf
↓ Paper: https://www.virusbulletin.com/uploads/pdf/conference/vb2024/papers/From-code-to-crime-exploring-threats-in-GitHub-Codespaces.pdf
→ Details: https://www.virusbulletin.com/conference/vb2024/abstracts/code-crime-exploring-threats-github-codespaces/
✪ PRESENTED BY ✪
• Jaromir Horejsi (Trend Micro)
• Nitesh Surana (Trend Micro)
✪ ABSTRACT ✪
Cloud-based remote development environments allow developers to write code from anywhere, starting on any device with a browser and an internet connection. GitHub Codespaces, initially in preview for selected users, became widely available for free in November 2022 during the GitHub Universe online event. This cloud-based IDE allows developers and organizations to customize projects using configuration-as-code features, easing some earlier pain points in project development. Since any GitHub user could create Codespaces, it did not take long for attackers to find ways of abusing the service.
Since June 2023, we have noticed in-the-wild campaigns spreading infostealer malware. We found that GitHub Codespaces was being abused to develop, host and exfiltrate stolen information via webhooks. This is the first time GitHub Codespaces has been abused by cybercriminals to develop infostealing malware.
In this presentation we introduce GitHub Codespaces and go through the different features of the service. We then look at the malicious campaigns and malware families observed in the wild. One piece of malware discussed in detail is DeltaStealer, a family of credential stealers implemented in Rust or in frameworks such as Node.js. The stealer's source code appears to be a rinse-and-repeat of similar projects shared on GitHub, so several variants of the malware exist. Some variants possess rather unusual features: in addition to implementing anti-debug checks and credential-stealing capabilities for Chromium-based web browsers, cryptocurrency wallets and applications such as Discord and Steam, they achieve persistence using the well-known technique of patching Discord's ASAR files. The patch weakens the security of Discord's authentication process and exfiltrates sensitive user information to a cloud-based webhook.
The infostealers were developed using cloud-based IDEs and contain interesting artifacts such as debug symbols, which in turn reveal information about the developer(s) of the infostealer. The developer(s) behind this family of stealers are also quite active on various social media platforms, where they boast about the capabilities of their infostealers. In the presentation, we include some of the screenshots shared on social media showing the use of cloud-based IDEs. We conclude with insights on how to hunt for similar threats, and with recommendations on the measures one can take against such evolving threats, where malware authors leverage cloud services to rapidly develop infostealers.