
Avast tackles aggressive GitHub cryptomining malware uploads

Malware installs a malicious Chrome extension that exploits an old version of AdBlock.

By James Nunns

New research from Avast Threat Labs shows that cybercriminals are aggressively uploading cryptocurrency mining malware to leading software development platform GitHub.

The culprits fork other projects (producing a copy of someone else's repository) to use as a starting point, then push a new commit that adds the malware to the fork.

Venezuela, Indonesia, Egypt, India and Pakistan are among the top 10 countries targeted.

The cybercriminals behind the malware hide malicious executables within the directory structure of the forked projects. Victims are lured into downloading the malware through phishing ads shown on online gaming and adult websites (for example, warnings that their Flash Player is out of date), as well as through a fake adult-content gaming site.
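A practical check that follows from this tactic is to stop trusting file names and look at what a fork actually contains. The script below is an added example written for this article; it is not Avast's tooling or anything from the campaign. It walks a checked-out repository, identifies files by their leading magic bytes rather than their extension, and reports any native executable (PE, ELF or Mach-O), which a source-code fork normally has no business carrying. The demo repository it builds, including the disguised `assets/fonts/font.dat` payload, is a constructed fixture and the file layout is hypothetical.

```python
"""Flag native executables hidden anywhere in a repository checkout.

Added example, not part of the original article or of Avast's research.
Identifies files by magic bytes so a payload renamed to look like a data
file is still caught.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass

# Leading bytes of native executable formats. A source project rarely has a
# legitimate reason to commit one of these, whatever the file is called.
MAGIC = {
    b"MZ": "PE",                  # Windows executable / DLL
    b"\x7fELF": "ELF",            # Linux executable / shared object
    b"\xcf\xfa\xed\xfe": "Mach-O",  # 64-bit macOS executable
}

SKIP_DIRS = {".git"}


@dataclass(frozen=True)
class Finding:
    path: str      # path relative to the repository root, '/' separated
    kind: str      # which executable format matched
    size: int
    sha256: str    # hash for pivoting to threat-intel or takedown reports


def sniff(header: bytes) -> str | None:
    """Return the executable format name if the header matches, else None."""
    for magic, kind in MAGIC.items():
        if header.startswith(magic):
            return kind
    return None


def scan_tree(root: str) -> list[Finding]:
    """Walk a checkout and return every file whose content is a native binary."""
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into git metadata; packed objects are not payloads.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort
            kind = sniff(data[:4])
            if kind is None:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append(Finding(rel, kind, len(data),
                                    hashlib.sha256(data).hexdigest()))
    return sorted(findings, key=lambda f: f.path)


def build_demo_repo(root: str) -> None:
    """Constructed fixture: a 'fork' with two hidden binaries among real sources."""
    os.makedirs(os.path.join(root, "src"), exist_ok=True)
    os.makedirs(os.path.join(root, "assets", "fonts"), exist_ok=True)
    with open(os.path.join(root, "README.md"), "w") as fh:
        fh.write("# demo project\n")
    with open(os.path.join(root, "src", "main.py"), "w") as fh:
        fh.write("print('hello')\n")
    # Payload 1: PE image renamed to look like font data (hypothetical path).
    with open(os.path.join(root, "assets", "fonts", "font.dat"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200)
    # Payload 2: ELF binary with no extension at all.
    with open(os.path.join(root, "src", "helper"), "wb") as fh:
        fh.write(b"\x7fELF\x02\x01\x01" + b"\x00" * 100)


def demo() -> list[Finding]:
    """Build the fixture in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_repo(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:7} {f.size:6d} {f.sha256[:16]}  {f.path}")
```

Running it prints two hits (the PE image disguised as `font.dat` and the extensionless ELF) and nothing for the genuine sources. Run against a fork before building it, or as a pre-receive hook, it turns "hidden in the directory structure" into a one-line finding; pair it with a diff against the upstream repository to see which commit introduced the file.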

As the researchers note, with a soupçon of sarcasm: “Hosting malware on GitHub is unusual, but we have to admit, we see some of its benefits. The malware is hosted for free, on a reliable platform with unlimited bandwidth. The version history is available for malware researchers, like us, to view and on top of that, we can see the malware in real-time. Thank you very much!”


The malware incorporates a Monero miner that is also hosted on GitHub. In addition to mining, it installs a malicious Chrome extension that exploits an old version of the AdBlock Chrome extension. The malicious script in the extension injects ads into victims' Google and Yahoo search results to make money from clicks.

The researchers conclude: “The malware is still live and being hosted on GitHub. We are working together with GitHub, supplying them with new repositories containing the malware, which GitHub is removing. We have reached out to Google, notifying them of the extension. At the time of publishing this post, the extension has not been blocked by Google.”


They added: “We aren’t sure how much the cybercriminals behind this campaign have earned through the malicious extension and the mining malware. We tried looking up their Monero account balance, but sadly, Monero said ‘no!’”…
