Expert comment: WordPress Supply Chain Attack

December 2024 by Matt Bromiley, Lead Solution Engineer at LimaCharlie

The comments by Matt Bromiley, Lead Solution Engineer at LimaCharlie, about the recent Datadog research on the supply chain attack that compromised 390,000 WordPress accounts:

"This attack utilized two initial access mechanisms. These techniques are the methods by which adversaries attempt to infect victim users. The two mechanisms were:

Spearphishing - This mechanism targeted academics. The phishing emails were crafted to look like kernel upgrade notifications, providing a link to run malicious code.

Trojanized GitHub Repositories - This mechanism mimicked GitHub repositories of legitimate proof-of-concept (PoC) exploits for known CVEs. However, the PoC code was changed to utilize malicious libraries, subsequently infecting the systems of victims who ran the copied repositories.

The term "same second-stage payload" indicates that regardless of phishing or malicious PoC code, the secondary payload dropped onto the victim systems was the same. Essentially, this means that the attackers had two delivery mechanisms - and targeted victims - to deliver the same payload, which was a backdoor that exfiltrated system details and credentials, amongst other information.

The report indicated 49 malicious repositories masquerading as legitimate PoC code. They were strategically named to appear legitimate, so as not to tip off adversaries. It is not irregular to see these types of numbers, as replicating a code repository with malicious code is trivial.

This is classified as a supply chain attack due to the exploit of libraries or tools utilized in code. In this case, the victims did not execute inherently malicious code. Instead, they executed code that incorporated a malicious package. Thus, analysis of the initial code would not warrant suspicion. It would require that users analyze the imported libraries in order to identify the malicious backdoor."

