GitHub’s Security Incident Response Team (SIRT) has warned of a malware campaign that has been spreading on GitHub via compromised Java projects. The existence of the campaign has come to light in early March, when a security researcher has contacted the team about a set of GitHub repositories they discovered that have been actively serving malware.
Further investigation showed that the malware, dubbed Octopus Scanner, is designed to compromise NetBeans projects. The team found 26 open source projects that were backdoored by this malware and that were actively serving backdoored code, and the owners of affected projects were completely unaware of it.
The Octopus Scanner identifies the NetBeans project files and embeds malicious payload both in project files and build JAR files.
Below is a high -evel description of the Octopus Scanner operation:
Identify user's NetBeans directory
Enumerate all projects in the NetBeans directory
Copy malicious payload cache.dat to nbproject/cache.dat
Modify the nbproject/build-impl.xml file to make sure the malicious payload is executed every time NetBeans project is build
If the malicious payload is an instance of the Octopus Scanner itself the newly built JAR file is also infected.
It appears the Octopus Scanner malware campaign has been going on for years. The researchers said the oldest sample of the malware was uploaded on the VirusTotal in August 2018.
“Even though the malware C2 servers didn't seem to be active at the time of analysis, the affected repositories still posed a risk to GitHub users that could potentially clone and build these projects,” the security team said.