- MUT-1244 uses two initial access vectors to compromise its victims, both delivering the same second-stage payload: a phishing campaign targeting thousands of academic researchers, and a large number of trojanized GitHub repositories, such as proof-of-concept code for exploiting known CVEs.
- Over 390,000 credentials, believed to be for WordPress accounts, have been exfiltrated to the threat actor through the malicious code in the trojanized "yawpp" GitHub project, masquerading as a WordPress credentials checker.
- Hundreds of MUT-1244 victims have been compromised, and new compromises are still occurring. Victims are believed to be offensive actors—including pentesters and security researchers, as well as malicious threat actors—and had sensitive data such as SSH private keys and AWS access keys exfiltrated.
- We assess that MUT-1244 overlaps with a campaign tracked in previous research reported on the malicious npm package 0xengine/xmlrpc and the malicious GitHub repository hpc20235/yawpp.
We would like to thank the team at SpyCloud for their support in this research.
Summary
Security professionals are a valuable target for threat actors, as they tend to have wide privileges and handle sensitive information. In 2022, a team at Leiden University in the Netherlands released a research paper showing that attackers commonly publish fake, trojanized exploit code, in the hope that someone will run it. More recently, research by Uptycs and SonicWall shows the opportunistic nature of these attacks, with threat actors publishing fake proof-of-concept exploit code as popular vulnerabilities get disclosed.
In late November, a report was published discussing a malicious npm package, 0xengine/xmlrpc, and an associated GitHub repository, hpc20235/yawpp. The report also describes a second-stage payload, hosted at https://codeberg[.]org/k0rn66/xmrdropper, which—contrary to its name—does more than update a cryptocurrency miner: it also backdoors the system and exfiltrates system information, private SSH keys, environment variables, and the content of select folders (such as ~/.aws) to the file sharing service file[.]io.
In this post, we share the conclusions of our investigation into this threat actor, dubbed MUT-1244. We use the "MUT" (mysterious unattributed threat) designation to track clusters unattributed to a known threat actor. By leveraging open source intelligence (OSINT) techniques, we were able to uncover the full extent of MUT-1244's activities. Notably, the attacker uses several initial access techniques, spread across a phishing campaign and dozens of trojanized GitHub repositories, to deliver the same second-stage payload. Our investigation also uncovered that MUT-1244 was able to exfiltrate over 390,000 credentials, believed to be accounts for WordPress websites, by compromising unrelated threat actors who had access to these credentials.