From Code to Crime: Exploring Threats in GitHub Codespaces

Cloud-based remote development environments allow developers to virtually code from anywhere and start right from any device with a browser and an internet connection. GitHub Codespaces, initially in preview for specific users, became widely available for free in November 2022 during the GitHub Universe online event. This cloud-based IDE allows developers and organizations to customize projects by using configuration-as-code features, easing some previous pain points in project development. Since any GitHub user could create Codespaces, it did not take long for attackers to find ways of abusing this service. Since June 2023, we have noticed in-the-wild campaigns spreading infostealer malware. We found that GitHub Codespaces was being abused to develop, host, and exfiltrate stolen information via webhooks.

This is the first time GitHub Codespaces has been abused by cybercriminals to develop infostealing malware.

In this presentation, we will introduce Github Codespaces and go through the different features of this service. We then have a look at the malicious campaigns and malware families observed in-the-wild. One interesting and discussed piece of malware is called DeltaStealer, a family of credential stealers implemented in Rustlang or frameworks like Electron. The stealer’s source code seems to be a rinse-and-repeat of similar projects shared on GitHub and hence, several variants of the malware exist. Some variants of the stealer possess quite unique features – in addition to implementing anti-debug features, credential stealing capabilities for Chromium-based web browsers, cryptocurrency wallets and applications like Discord, Steam, they achieve persistence using a well-known technique of patching ASAR files of Discord. The patch lowers the security of authentication process in Discord, and exfiltrates sensitive user information to a cloud-based webhook.

The infostealers have been developed using cloud-based IDEs and contain interesting artifacts like debug symbols which in turn reveal information about the developer(s) of the infostealer. The developer(s) behind this family of stealers are also quite active on various social media platforms, where they boast the capabilities of their infostealers. In the presentation, we will include some of the screenshots shared on social media proving the usage of cloud-based IDEs.

We will conclude the presentation with insights on how to hunt for similar threats and recommendations on the measures one can take against such evolving threats where malware authors leverage cloud services to rapidly develop infostealers.

Jaromir Horejsi – Trend Micro

Jaromir Horejsi is a Senior Threat Researcher for Trend Micro Research. He specializes in tracking and reverse-engineering threats such as APTs, DDoS botnets, banking Trojans, click fraud, and ransomware that target both Windows and Linux. His work has been presented at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf, and CARO.