Keypoints
- Adversaries use GitHub to host and deliver payloads, exploit repository features for command-and-control, and occasionally exfiltrate data.
- Primary abuse patterns identified: payload delivery, dead drop resolving (DDR), full C2, and exfiltration; repository poisoning and phishing hosting are also observed.
- GitHub’s legitimate traffic makes malicious use harder to detect and attribute, enabling blending-in tactics termed “living-off-trusted-sites (LOTS).”
- Short-term defender measures include flagging or blocking specific GitHub services known to be abused; long-term measures require targeted detection development.
- Recorded Future expects increased abuse and recommends defenders invest in advanced detection, broader visibility, and multiple detection angles.
- Legitimate Internet Services (LIS) may need to adopt product and policy changes, using their visibility to help mitigate abuse.
MITRE Techniques
- [T1105] Ingress Tool Transfer – GitHub used to host and deliver malware and tools (‘payload delivery’)
- [T1102] Web Service – Public GitHub services leveraged to retrieve instructions and hidden data (‘dead drop resolving (DDR)’)
- [T1071.001] Application Layer Protocol: Web Protocols – Full command-and-control implemented over web protocols using GitHub-hosted endpoints (‘full command-and-control (C2)’)
- [T1567] Exfiltration Over Web Service – Data exfiltration conducted through GitHub-hosted resources (‘exfiltration’)
- [T1195.002] Compromise Software Dependencies and Development Tools – Repository poisoning and use of compromised repositories to deliver or propagate malicious code (‘repository poisoning techniques’)
- [T1583] Acquire Infrastructure – Adoption of a “living-off-trusted-sites (LOTS)” approach by using legitimate services like GitHub as attacker infrastructure (‘living-off-trusted-sites (LOTS) approach’)
Indicators of Compromise
- [URL] Report download – https://go.recordedfuture.com/hubfs/reports/cta-2024-0111.pdf (PDF of the Recorded Future analysis)
- [URL] Source article – https://www.recordedfuture.com/flying-under-the-radar-abusing-github-malicious-infrastructure (original post linking full report)
Adversaries increasingly leverage GitHub as a multipurpose platform for malicious infrastructure: hosting and delivering payloads, using public assets as dead drop resolvers (DDR) to hide and retrieve instructions, running full command-and-control over GitHub-hosted endpoints, and occasionally exfiltrating data via its services. Attackers also employ repository poisoning to inject malicious code into development workflows and host phishing pages or infection vectors on GitHub properties, exploiting the platform’s normal use patterns to evade detection.
From a defensive perspective, Recorded Future recommends a two-tiered approach: short-term mitigations such as flagging or blocking specific GitHub services and endpoints known to be abused, and long-term investments in tailored detection capabilities that account for legitimate GitHub traffic. Effective defenses require greater visibility across network and endpoint telemetry, multiple detection angles (e.g., behavioral and content-based), and collaboration with legitimate internet services (LIS) so that their visibility can be leveraged and product or policy changes that limit abuse can be implemented.
Organizations should treat LIS-based abuse as an emerging third-party risk: enhance monitoring for atypical GitHub usage patterns, incorporate repository and artifact integrity checks into CI/CD pipelines, and prioritize detection rules for payload retrieval, DDR behavior, C2 over web protocols, and suspicious exfiltration to cloud/code services. These focused controls, combined with broader visibility and vendor cooperation, form the practical steps defenders can take to reduce GitHub-facilitated malicious activity.
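As an added example (not code from the Recorded Future report), the Python sketch below applies the detection angles above to constructed proxy-log lines: it maps each request to the GitHub service it touches and flags scripted fetches of raw content (payload delivery), repeated polling of one raw/gist URL (DDR or C2 beaconing), and scripted writes to the GitHub API (possible exfiltration). The hostnames are GitHub's real service domains; the log format, the user-agent heuristic and the polling threshold are assumptions.

```python
import re
from collections import Counter

# Constructed proxy-log lines: timestamp client method url user_agent
SAMPLE_LOG = """\
2024-01-11T09:00:01Z 10.0.0.5 GET https://raw.githubusercontent.com/acme/tools/main/update.ps1 Mozilla/5.0 (Windows NT 10.0) Chrome/120
2024-01-11T09:00:05Z 10.0.0.7 GET https://raw.githubusercontent.com/x1/x1/main/loader.bin PowerShell/5.1
2024-01-11T09:01:00Z 10.0.0.7 GET https://gist.githubusercontent.com/x1/abc123/raw PowerShell/5.1
2024-01-11T09:02:00Z 10.0.0.7 GET https://gist.githubusercontent.com/x1/abc123/raw PowerShell/5.1
2024-01-11T09:03:00Z 10.0.0.7 GET https://gist.githubusercontent.com/x1/abc123/raw PowerShell/5.1
2024-01-11T09:05:00Z 10.0.0.7 POST https://api.github.com/gists python-requests/2.31
2024-01-11T09:06:00Z 10.0.0.9 GET https://github.com/acme/tools/releases/download/v1.0/tool.zip Mozilla/5.0 (Macintosh) Safari/17
"""

# Real GitHub service hostnames; which ones to allow is an assumed policy choice.
GITHUB_HOSTS = {
    "raw.githubusercontent.com": "raw",
    "gist.githubusercontent.com": "gist",
    "gist.github.com": "gist",
    "objects.githubusercontent.com": "release",
    "api.github.com": "api",
}
POLL_THRESHOLD = 3            # assumed: re-reading one URL this often looks like beaconing
BROWSER_UA = re.compile(r"^Mozilla/")  # assumed heuristic: browsers vs. scripts/tools

def classify_service(url):
    """Map a URL to the GitHub service it touches, or None if it is not GitHub."""
    host, _, path = url.split("://", 1)[1].partition("/")
    if host == "github.com" and "/releases/download/" in "/" + path:
        return "release"
    return GITHUB_HOSTS.get(host)

def detect(log_text):
    """Return one finding per event that matches an abuse pattern from the report."""
    findings, polls = [], Counter()
    for line in log_text.splitlines():
        _, client, method, url, ua = line.split(" ", 4)
        service = classify_service(url)
        if service is None:
            continue
        scripted = not BROWSER_UA.match(ua)
        # T1105: a script or tool pulling content from a raw/gist/release host
        if method == "GET" and service in ("raw", "gist", "release") and scripted:
            findings.append({"client": client, "rule": "payload_delivery", "url": url})
        # T1102 / T1071.001: the same client repeatedly re-reading one raw/gist URL
        if method == "GET" and service in ("raw", "gist"):
            polls[(client, url)] += 1
            if polls[(client, url)] == POLL_THRESHOLD:
                findings.append({"client": client, "rule": "c2_polling", "url": url})
        # T1567: scripted write to the API (gist, issue or content creation)
        if service == "api" and method in ("POST", "PUT", "PATCH") and scripted:
            findings.append({"client": client, "rule": "exfiltration", "url": url})
    return findings
```

Run over the sample, only client 10.0.0.7 is flagged; the two browser-driven downloads (10.0.0.5 and 10.0.0.9) are the legitimate traffic the heuristics are meant to leave alone.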
Read more: https://www.recordedfuture.com/flying-under-the-radar-abusing-github-malicious-infrastructure