I ran Fiddler to profile Mark Text, and the program phones home... and more...
It exports a few basic things [such as your public IP address](https://i.imgur.com/UxyHkbA.png), and then a bunch of encrypted data (cannot decipher). Then it downloads a packaged Chrome extension app (CR24 format). When unzipping that file, you can see [a base64-encoded payload](https://i.imgur.com/5rKwjW0.png), which expands [to this](https://i.imgur.com/jMbd8st.png), and then an [unencrypted list of websites](https://i.imgur.com/H0twSDk.png), which is very clearly malicious.
To be clear, I downloaded this [directly from GitHub](https://github.com/marktext/marktext).
Unfortunately, my skills are limited and I cannot find references to the initial malicious URL in the code, though I did discover that you can [search GitHub code like this...](https://github.com/search?q=in%3Afile+gvt1+repo%3Amarktext%2Fmarktext)
Credit to /u/Phily83 for first [seeing the network activity](https://ibb.co/zbHxbBv).
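
For anyone repeating this kind of inspection, an added example (not part of the original post, and not Mark Text code): Python that locates the ZIP archive inside a CRX container (a file starting with the `Cr24` magic) and decodes any base64 runs in its members in memory, without installing or executing anything. The CRX2/CRX3 header layouts are the ones Chromium uses; the sample file, its filler header and all function names are constructed for illustration.

```python
import base64, io, re, struct, zipfile

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")  # long runs only, to cut noise

def crx_zip_offset(data: bytes) -> int:
    """Return the offset of the ZIP archive inside a CRX container."""
    if len(data) < 16 or data[:4] != b"Cr24":
        raise ValueError("not a CRX file (missing Cr24 magic)")
    version, = struct.unpack_from("<I", data, 4)
    if version == 2:    # magic, version, pubkey_len, sig_len, pubkey, sig, zip
        pub_len, sig_len = struct.unpack_from("<II", data, 8)
        offset = 16 + pub_len + sig_len
    elif version == 3:  # magic, version, header_len, protobuf header, zip
        header_len, = struct.unpack_from("<I", data, 8)
        offset = 12 + header_len
    else:
        raise ValueError(f"unsupported CRX version {version}")
    if offset >= len(data):
        raise ValueError("truncated CRX: header runs past end of file")
    return offset

def inspect_crx(data: bytes) -> dict:
    """Map each archive member to the base64 runs in it, decoded in memory."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data[crx_zip_offset(data):])) as archive:
        for info in archive.infolist():
            decoded = []
            for run in B64_RUN.findall(archive.read(info)):
                try:
                    decoded.append(base64.b64decode(run, validate=True))
                except ValueError:  # binascii.Error subclasses ValueError
                    pass            # looked like base64 but is not
            findings[info.filename] = decoded
    return findings

def build_sample_crx3() -> bytes:
    """Constructed sample: CRX3 framing around a tiny ZIP (header is filler)."""
    blob = base64.b64encode(b"constructed sample payload, not real data")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", '{"name": "constructed-sample"}')
        z.writestr("background.js", b'var p = "' + blob + b'";')
    filler = b"\x00" * 8  # stands in for the signed protobuf header
    return b"Cr24" + struct.pack("<II", 3, len(filler)) + filler + buf.getvalue()

if __name__ == "__main__":
    for name, blobs in inspect_crx(build_sample_crx3()).items():
        print(name, blobs)
```

To inspect a file captured from a proxy session, pass its bytes to `inspect_crx` instead of the constructed sample.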