The notification that Various infection projects have been detected on GitHub malware that are directed to the popular IDE "NetBeans" and which is using in the compilation process to distribute the malware.
The investigation showed that with the help of the malware in question, which was called Octopus Scanner, backdoors were covertly hidden in 26 open projects with repositories on GitHub. The first traces of the Octopus Scanner manifestation are dated August 2018.
Securing the open source supply chain is a huge task. It goes way beyond a security assessment or just patching the latest CVEs. Supply chain security is about the integrity of the entire software development and delivery ecosystem. From code compromise, to how they flow through the CI / CD pipeline, to the actual delivery of releases, there is the potential for loss of integrity and security issues, throughout the entire lifecycle.
About Octopus Scanner
This malware discovered you can detect files with NetBeans projects and add your own code to project files and collected JAR files.
The working algorithm is to find the NetBeans directory with user projects, iterate over all projects in this directory to be able to place the malicious script in nbproject / cache.dat and make changes to the nbproject / build-impl.xml file to call this script every time the project is built.
During compilation, a copy of the malware is included in the resulting JAR files, which become an additional source of distribution. For example, malicious files were placed in the repositories of the aforementioned 26 open projects, as well as in various other projects when releasing builds of new versions.
On March 9, we received a message from a security researcher informing us about a set of repositories hosted on GitHub that were presumably serving malware unintentionally. After a deep analysis of the malware itself, we discovered something we hadn't seen before on our platform: malware designed to enumerate NetBeans projects and put in a backdoor that uses the build process and its resulting artifacts to spread.
When uploading and starting a project with a malicious JAR file by another user, the next search cycle of NetBeans and introduction of malicious code starts in your system, which corresponds to the working model of self-propagating computer viruses.
In addition to the functionality for self-distribution, the malicious code also includes backdoor functions to provide remote access to the system. At the time the incident was analyzed, the backdoor management (C&C) servers were not active.
In total, when studying the affected projects, 4 infection variants were revealed. In one of the options to activate the back door in Linux, the autorun file «$ HOME / .config / autostart / octo.desktop » and on windows the tasks were started via schtasks to start.
The backdoor could be used to add bookmarks to developer-developed code, organize code leakage from proprietary systems, steal sensitive data, and capture accounts.
Below is a high-level overview of the Octopus scanner's operation:
- Identify the user's NetBeans directory
- List all projects in the NetBeans directory
- Load the code in cache.datanbproject / cache.dat
- Modify nbproject / build-impl.xml to make sure the payload is executed every time the NetBeans project is built
- If the malicious payload is an instance of the Octopus scanner, the newly created JAR file is also infected.
GitHub researchers don't exclude malicious activity is not limited to NetBeans and there may be other variants of Octopus Scanner that can be integrated into the build process based on Make, MsBuild, Gradle and other systems.
The names of the affected projects are not mentioned, but can be easily found through a GitHub search for the mask "CACHE.DAT".
Among the projects that found traces of malicious activity: V2Mp3Player, JavaPacman, Kosim-Framework, 2D-Physics-the Simulations, PacmanGame, GuessTheAnimal, SnakeCenterBox4, CallCenter, ProyectoGerundio, pacman-java_ia, SuperMario-FR-.