Cryptojacking Campaign Employs Deleted GitHub Account and Unofficial GitHub CDN
In-browser cryptojacking works the same way whichever hosting trick is used: the mining script runs in the background of the visitor's browser while unsuspecting victims use the hacked site normally.
Cybercriminals keep returning to GitHub and GitHub-related services as hosting for in-browser cryptocurrency mining scripts, which they then load on hacked sites.
There have been quite a few cryptojacking campaigns in the past months where crooks abused GitHub. The first of these incidents was reported back in December 2017 when hackers abused the code-sharing site by uploading cryptojacking scripts on GitHub accounts and then loading them on hacked sites via the GitHub.io domain.
Cryptojackers abuse RawGit CDN
Now, researchers from cyber-security firm Sucuri say they've found another, more clever way in which crooks abused not GitHub itself, but an unofficial GitHub-related service.
That service is RawGit, a CDN that caches GitHub files indefinitely, even after the original file has been deleted from GitHub or the GitHub user has deleted their account.
Sucuri says that a recent cryptojacking operation has uploaded a version of the Crypto-Loot in-browser miner on a GitHub account named jdobt, cached the cryptojacking script inside RawGit, and then deleted the original GitHub account.
The attacker then embedded this cryptojacking script on hacked sites using the RawGit URL, a domain that is not usually flagged as suspicious and so tends to escape the additional scrutiny security software applies to unknown hosts.
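The practical defensive lesson from this campaign is that a script's host being a "reputable" code-hosting CDN says nothing about its content. The following is an added example (not Sucuri's tooling or anything from the article): a small Python scanner that parses a page's HTML, lists every external `<script src>`, flags sources served from GitHub-related hosts (github.io, raw.githubusercontent.com, rawgit.com and its cdn. subdomain), and suggests a Content-Security-Policy `script-src` allowlist built from the remaining hosts. The sample HTML and the `jdobt/example-repo/master/miner.js` path are constructed placeholders, not the real URLs from the campaign.

```python
"""Flag <script src> tags that pull code from GitHub-related hosts and
derive a CSP script-src allowlist from the hosts that remain.

Added example; the sample page below is constructed, not a real hacked site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the article as used to serve miners. Matching is by
# exact host or by subdomain, so cdn.rawgit.com matches "rawgit.com".
SUSPECT_HOST_SUFFIXES = (
    "github.io",
    "raw.githubusercontent.com",
    "rawgit.com",
)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def host_of(src):
    """Hostname of a script URL; '' for relative paths such as /js/app.js.
    urlparse handles protocol-relative '//cdn.rawgit.com/...' as a netloc."""
    return (urlparse(src).hostname or "").lower()


def is_suspect_host(host):
    return any(host == s or host.endswith("." + s) for s in SUSPECT_HOST_SUFFIXES)


def external_script_sources(html):
    parser = ScriptSrcCollector()
    parser.feed(html)
    return parser.sources


def find_suspect_scripts(html):
    """Return the script URLs served from a suspect host, in document order."""
    return [src for src in external_script_sources(html)
            if is_suspect_host(host_of(src))]


def suggest_csp_script_src(html):
    """Build a script-src directive allowing only 'self' plus the non-suspect
    external hosts found on the page. Inline scripts would be blocked by it;
    move them to files or add nonces before deploying."""
    allowed = []
    for src in external_script_sources(html):
        host = host_of(src)
        if host and not is_suspect_host(host) and host not in allowed:
            allowed.append(host)
    if not allowed:
        return "script-src 'self'"
    return "script-src 'self' " + " ".join(allowed)


# Constructed sample page: one legitimate CDN script, one same-origin script,
# one inline script, and two miner-style loads from GitHub-related hosts.
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script src="/assets/site.js"></script>
<script src="https://cdn.rawgit.com/jdobt/example-repo/master/miner.js"></script>
<script>console.log("inline");</script>
</head><body>
<SCRIPT SRC="//jdobt.github.io/miner.js"></SCRIPT>
</body></html>"""


if __name__ == "__main__":
    for src in find_suspect_scripts(SAMPLE_HTML):
        print("SUSPECT:", src)
    print("Suggested CSP:", suggest_csp_script_src(SAMPLE_HTML))
```

Run against a saved copy of a page (or the output of `curl`), the scanner reports the two GitHub-hosted loads and proposes `script-src 'self' code.jquery.com`. The host list is deliberately short and only covers the hosts this article names; in practice the allowlist approach (CSP) is the durable fix, since it does not depend on knowing which CDN the next campaign will abuse.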
RawGit’s fast abuse department foils attackers’ scheme
But while the three previous cryptojacking campaigns that leveraged GitHub domains were somewhat successful, this one appears to be a colossal failure, and for two very different reasons.
First, the crooks appear to have hit a snag with embedding the Crypto-Loot script on hacked sites. Sucuri says the script failed to actually load, execute, and generate profit for the operators.
Second, Sucuri says that the RawGit team was incredibly fast and responsive when it came to abuse reports, taking down the cached URLs within a matter of hours after the initial report.
The person or group behind this campaign may have thought they had found a clever way to keep scripts online even after the files were deleted from GitHub, but they apparently did not take into account RawGit's quick response and its staff's dedication to keeping their CDN free of malware.