Researchers uncover ring of GitHub accounts promoting 300+ backdoored apps

silversurfer

A security researcher has uncovered a ring of malicious GitHub accounts promoting over 300 backdoored Windows, Mac, and Linux applications and software libraries.

The malicious apps contained code to gain boot persistence on infected systems and later download other malicious code.

In the samples analyzed by the security team at DFIR.it, the malicious apps downloaded a Java-based malware named Supreme NYC Blaze Bot (supremebot.exe).

According to researchers, this appeared to be a "sneaker bot," a piece of malware that would add infected systems to a botnet that would later participate in online auctions for limited edition sneakers.

All the GitHub accounts that were hosting these files (backdoored versions of legitimate apps) have now been taken down.

One account, in particular, registered in the name of Andrew Dunkins, hosted 305 backdoored ELF binaries. Another 73 apps were hosted across 88 other accounts.

The accounts that did not host backdoored apps were used to "star" or "watch" the malicious repositories and help boost their popularity in GitHub's search results.
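One way a defender can spot the star-boosting pattern described above is to look at who is starring a repository rather than how many stars it has. The following is an added example, not code from the article or from DFIR.it; the stargazer records are constructed inline and the 90-day / 7-day thresholds are assumptions, not values reported by the researchers.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Stargazer:
    """Minimal view of a GitHub account that starred a repository (constructed)."""
    login: str
    created: date        # account creation date
    public_repos: int
    followers: int


def is_sock_puppet(s: Stargazer, observed: date, max_age_days: int = 90) -> bool:
    """Heuristic: a fresh account with no repos and no followers that exists only to star."""
    fresh = (observed - s.created) <= timedelta(days=max_age_days)
    return fresh and s.public_repos == 0 and s.followers == 0


def suspicious_star_ratio(stars: list, observed: date, max_age_days: int = 90) -> float:
    """Fraction of stargazers that look like sock puppets."""
    if not stars:
        return 0.0
    return sum(is_sock_puppet(s, observed, max_age_days) for s in stars) / len(stars)


def creation_burst(stars: list, window_days: int = 7) -> float:
    """Largest fraction of stargazer accounts created within any window_days span.
    A ring of accounts registered together shows up as a tight cluster of creation dates."""
    dates = sorted(s.created for s in stars)
    best, left = 0, 0
    for right in range(len(dates)):          # sliding window over sorted creation dates
        while dates[right] - dates[left] > timedelta(days=window_days):
            left += 1
        best = max(best, right - left + 1)
    return best / len(dates) if dates else 0.0


# Constructed sample: six throwaway accounts created within a few days of each other
# plus two established accounts; observation date is also constructed.
OBSERVED = date(2019, 6, 20)
SAMPLE = [Stargazer(f"puppet{i}", d, 0, 0) for i, d in enumerate(
    [date(2019, 5, 1), date(2019, 5, 2), date(2019, 5, 2),
     date(2019, 5, 3), date(2019, 5, 5), date(2019, 5, 6)])]
SAMPLE += [Stargazer("longtime_dev", date(2015, 3, 10), 12, 40),
           Stargazer("hobbyist", date(2017, 11, 2), 3, 5)]

if __name__ == "__main__":
    print("sock-puppet ratio:", suspicious_star_ratio(SAMPLE, OBSERVED))  # 0.75
    print("creation burst:", creation_burst(SAMPLE))                       # 0.75
```

Against a real repository the same two numbers can be computed from the stargazer list and each account's profile; a high ratio together with a tight creation burst is a signal to treat the star count as manipulated.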