April 3, 2017 By Larry Loeb 2 min read

Early this year, Palo Alto Networks observed that developers who posted their work on GitHub were receiving phishing emails from .ru domains. The attackers used social engineering ploys to influence recipients to open malicious attachments. Some emails included compliments on posted code, while others featured job offers or other misleading links in the body text.

Despite different body texts, the emails all included the same attachment: a .gz file that resolves to a .doc file. In actuality, the attachment was an embedded PowerShell command that would download and run a file called Dimnie. Dimnie has existed since 2014, the researchers said, but only previously targeted Russian users.

Phishing for Developers

Gervase Markham, a policy engineer at Mozilla, told CSO Online that he had received several such messages, but they were sent to an email address that he specifically used on GitHub. Because of this, he felt that the campaign had been using automated targeting.

Dimnie is stealthy and sophisticated. It cloaks the internal GET requests so that they appear to go to Google-owned domain names, but they actually go to an attacker-controlled IP address. The malware downloads various modules for functions such as keylogging, screen grabbing and more. Once downloaded, it leaves no direct trace of these modules on the target computer’s hard drive.

Basically, Dimnie is designed to steal information. It stores itself and the information it gets into memory to cover its footprints. There is even a self-destruct module to remove any residual traces left on the target machine.

Once Dimnie has grabbed its targeted information, the swag is encrypted using AES-256 in Electronic Codebook (ECB) mode and then appended to image headers. This tricky method is an attempt to bypass traditional intrusion prevention systems.

The purpose of the malware is to gather all the information it can about a targeted developer. If the credentials are exfiltrated, a later impersonation on GitHub is possible. The developer’s source code could then be altered by the impersonator, perhaps by adding a malicious payload.

Sophisticated Attacks

Palo Alto did not name the attacker directly, but the techniques that Dimnie uses are typical of state-sponsored attacks. These techniques include the loading of malicious code directly into memory, sophisticated data exfiltration methods and the use of relatively quiet command-and-control (C&C) channels, which mask the malware’s communications. Such protocols suggest that this malware is somewhat advanced.

GitHub has evolved into the de facto repository for open source code; even Microsoft recently threw in the towel in this sector, shutting down its competing service. With this malware online, GitHub users will have to carefully watch communications and messages to avoid falling victim to the next Dimnie-inspired attack that comes along.

More from

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today