The Octopus Scanner malware, which targets the Apache NetBeans Java integrated development environment (IDE), has been nesting in at least 26 GitHub source-code repositories, according to researchers – waiting to take over developer machines.
A team from GitHub Security Labs, acting on a tip from a white-hat going by “JJ,” has found that the malware hides within GitHub-hosted open-source code bases, waiting for developers to download a project from an infected repository. Once a developer does so, Octopus Scanner unfurls itself, first scanning the developer’s computer for the presence of NetBeans.
NetBeans is a somewhat obscure IDE, which offers modular development components that developers can put together to develop Java-based desktop, mobile and web applications, as well as HTML5 applications with HTML, JavaScript and CSS.
“It was interesting that this malware attacked the NetBeans build process specifically since it is not the most common Java IDE in use today,” GitHub researchers noted, in a posting this week. “If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed.”
If Octopus Scanner detects NetBeans, it proceeds to install an initial-stage dropper, which in turn fetches and executes a remote access trojan (RAT), thus providing the attackers with full control over the target machine. Then, for persistence, the malware blocks overwrites and new project builds, so that the infected code isn’t superseded with an update or any changes.
“Since the primary-infected users are developers, the access that is gained is of high interest to attackers since developers generally have access to additional projects, production environments, database passwords and other critical assets,” the GitHub team wrote. “There is a huge potential for escalation of access, which is a core attacker objective in most cases.”
In other words, by infecting the open-source supply chain in this manner, the malware can spread its tentacles far and wide. As Brian Fox, CTO at Sonatype, explained via email, Octopus Scanner spreads like a worm, propagating itself by infecting the NetBeans projects that the developer is working on.
“We’ve seen over 20 one-off attempts at malicious code injection within open-source software projects, but this is a new form of attack,” he explained. “This attack infects developer tools that subsequently infect all of the projects they are working on. It’s been open season on open source for a number of years, developers are on the front lines, and a new weapon has arrived on the battlefront.”
In all, 26 source-code repositories have been found that contain the malware, which the GitHub team said has a low detection rate on VirusTotal. They determined that Octopus Scanner has probably been floating around in the GitHub waters since 2018.
Octopus Scanner infects legitimate projects, including files that provide dependencies to the main pieces of a repository’s code. As such, it’s not possible to simply block or delete the repositories or infected files – so cleanup can be labor-intensive.
“A NetBeans project build consists of multiple steps, but the Octopus Scanner malware is only interested in the pre-jar and post-jar tasks,” explained the GitHub researchers. “The pre-jar tasks provide hooks into the build at the point where all Java classes are compiled but before they are zipped into a final JAR artifact. The post-jar tasks provide hooks into the build at the point the JAR has actually been created.”
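As an added example (not code from the GitHub report or from Threatpost), a small Python audit of the two build hooks quoted above: it parses a NetBeans-style Ant build.xml and lists whatever the -pre-jar and -post-jar targets run, flagging tasks that execute programs or fetch files. The hook target names follow the layout of NetBeans-generated build files; the task watch-list and the sample build file are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Build hooks that a NetBeans Ant-based build.xml exposes around JAR creation.
# The report says Octopus Scanner tampers with these two; a clean project
# normally leaves them undefined or empty.
JAR_HOOKS = {"-pre-jar", "-post-jar"}

# Ant tasks that run arbitrary code or fetch remote content. This watch-list is
# an assumption chosen for the example, not taken from the original report.
RISKY_TASKS = {"exec", "java", "script", "taskdef", "scriptdef", "get"}


def audit_build_xml(xml_text):
    """Return (target, task) pairs for every task found inside a jar hook.

    A task on the watch-list is prefixed with '!' so it stands out when the
    findings are reviewed. An empty hook produces no entries.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for target in root.iter("target"):
        name = target.get("name", "")
        if name not in JAR_HOOKS:
            continue
        for task in target:                     # direct children are the tasks
            flag = "!" if task.tag in RISKY_TASKS else ""
            findings.append((name, flag + task.tag))
    return findings


# Constructed sample build.xml: a NetBeans-style project whose -post-jar
# target has been altered to launch a second JAR (not a real sample).
SAMPLE_BUILD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<project name="Demo" default="default" basedir=".">
    <import file="nbproject/build-impl.xml"/>
    <target name="-pre-jar"/>
    <target name="-post-jar">
        <echo message="build done"/>
        <exec executable="java">
            <arg value="-jar"/>
            <arg value="${dist.dir}/helper.jar"/>
        </exec>
    </target>
</project>
"""

if __name__ == "__main__":
    for target, task in audit_build_xml(SAMPLE_BUILD_XML):
        print(f"{target}: {task}")
```

Run it against each build.xml in a checkout; any hook that is non-empty deserves a look, and a '!' entry deserves one before the next build.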
Sonatype’s Fox added that the choice of infecting these files makes hunting Octopus Scanner a detailed endeavor: “I’ve always described this in terms of a tainted food project. If you inspect a salad recipe, you’ll find all of the common ingredient names (a.k.a. the manifest), but quality is not an attribute of the ingredient list. ‘Tainted lettuce’ won’t be listed as an ingredient, but that doesn’t mean you won’t end up with E. coli when using it.”
Also, the fact that it goes after open-source repositories means that the true area of Octopus Scanner’s activity could be difficult to assess, since various infected pieces of code can be used in untold numbers of projects and applications.
“It gives the malware an effective means of transmission since the affected projects will presumably get cloned, forked and used on potentially many different systems,” according to GitHub researchers. “The actual artifacts of these builds may spread even further in a way that is disconnected from the original build process and harder to track down after the fact.”
Erez Yalon, head of security research at Checkmarx, said via email that the issue illustrates security concerns involving third-party code and code reuse in general.
“Third party code modules have become a business necessity, as organizations race towards digital transformation,” he said. “When organizations enlist a third-party code module, it means they are trusting the third party to not be malicious and to prioritize security. Unfortunately, regardless of the trust instilled, we still encounter malicious activities in open source. We continue to see various malicious activities that target developers who use packages, often involving backdoors that are hidden as dependencies in legitimate projects (such as getcookies), typosquatting, as well as targeting the maintainer of the package (such as eslint-scope).”