A threat actor known as MUT-1244 has been targeting security researchers, red teamers, and even other malicious actors in a year-long campaign. The attackers used trojanized proof-of-concept (PoC) code to deliver malware and steal sensitive data from compromised systems. Datadog Security Labs discovered that MUT-1244 employed various methods to gain access to victim systems.
These included phishing campaigns targeting academics researching high-performance computing (HPC) and creating fake GitHub repositories disguised as PoCs for known vulnerabilities. The malicious repositories contained hidden code that infected users who downloaded and executed them. Techniques used by the attackers included backdoored configuration files, malicious PDFs, Python dropper scripts, and hidden npm packages.
Targeting security researchers through PoCs
One significant revelation was the theft of over 390,000 WordPress credentials using a trojanized tool named “yawpp.” The tool was advertised as a legitimate WordPress credentials checker, making it effective for tricking users. Commenting on the issue, an expert from Bugcrowd stated, “Targeting red-teamers and security researchers through fake PoCs is a known technique but remains effective for watering-hole attacks.” The expert emphasized the need for those providing offensive security services to be aware of exploitable supply chains.
The ultimate goal of MUT-1244 was to deliver a payload that updates a cryptocurrency miner, backdoors systems, and exfiltrates sensitive information such as private SSH keys, AWS access keys, and environment variables. Checkmarx researchers noted that the combination of regular updates, seemingly legitimate functionality, and strategic dependency placement allowed the malicious npm package to remain undetected on the registry for over a year. Both Datadog and Checkmarx have shared indicators of compromise to help potential victims check if they have been affected by the campaign.
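A defender-side check that follows from the delivery techniques above (hidden npm packages, Python droppers) and from the note on strategic dependency placement: before running anything from a freshly cloned PoC repository, list the install-time hooks and off-registry dependencies that a plain `npm install` would execute or fetch. The script below is an added example written for this article, not code from Datadog, Checkmarx, or the campaign itself; the `package.json` it inspects is constructed, and the function names and the `example.invalid` URL are placeholders.

```python
"""Audit a cloned proof-of-concept repository for npm install-time hooks and
dependencies resolved outside the registry.  Added example; not code from the
article or from Datadog/Checkmarx.  The sample package.json is constructed."""
import json
import os

# npm lifecycle scripts that run automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
# Dependency specifiers that bypass the registry (git, tarball URL, local path).
NON_REGISTRY_PREFIXES = ("git+", "git://", "http://", "https://", "file:", "github:")


def audit_package_json(text):
    """Return a list of human-readable findings for one package.json document."""
    findings = []
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"unparseable package.json: {exc}"]
    # Any lifecycle hook is a command the maintainer gets to run on your box.
    for hook, cmd in (pkg.get("scripts") or {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(f"lifecycle hook {hook!r} runs on install: {cmd}")
    # Dependencies pulled from git or a URL are not subject to registry scanning.
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in (pkg.get(section) or {}).items():
            if isinstance(spec, str) and spec.startswith(NON_REGISTRY_PREFIXES):
                findings.append(f"{section}: {name} resolved outside the registry: {spec}")
    return findings


def audit_tree(root):
    """Walk a checkout and audit every package.json; returns {path: findings}."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package.json" in filenames:
            path = os.path.join(dirpath, "package.json")
            with open(path, encoding="utf-8") as fh:
                findings = audit_package_json(fh.read())
            if findings:
                report[path] = findings
    return report


# Constructed sample: looks like a small helper library, but runs a script on
# install and pulls one dependency from a git URL (placeholder host).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-helper",
    "version": "1.0.0",
    "scripts": {
        "test": "node test.js",
        "postinstall": "node setup.js",
    },
    "dependencies": {
        "lodash": "^4.17.21",
        "example-plugin": "git+https://example.invalid/repo.git",
    },
})

if __name__ == "__main__":
    for line in audit_package_json(SAMPLE_PACKAGE_JSON):
        print("FINDING:", line)
```

Run `audit_tree("/path/to/clone")` on a checkout to get every flagged `package.json`; a clean repository returns an empty report. A finding is not proof of compromise, since legitimate packages also use `postinstall` for native builds, but it is the list of things to read before you let the install step run.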
The discovery highlights the ongoing threats faced by cybersecurity professionals and emphasizes the need for continuous vigilance and stringent security measures when handling potentially dangerous code and repositories.