A dangerous new threat has emerged on GitHub, with malicious actors creating a fake version of the legitimate macOS application, Triton, to distribute Windows-based malware. This sophisticated attack exploits the open-source platform to lure unsuspecting users into downloading harmful executables, highlighting a growing trend of threat actors leveraging code repositories for illicit purposes.
The fraudulent repository, under the account “JaoAureliano,” was a direct copy of the original Triton app developed by Otávio C. Instead of offering the intended software, this malicious fork directed users to download a ZIP file containing malware specifically designed to compromise Windows systems. Security researchers discovered the exploit after noticing unusual activity on an IRC server, with the fake repository remaining active despite reports to GitHub at the time of discovery.
Malicious Triton Fork Distributes Windows Malware via GitHub
The attack vector utilized in this incident was notably direct. Malicious download links were embedded repeatedly within the repository’s README file, making it easily accessible to anyone browsing the project. The threat actor strategically placed the malware package, named “Software_3.1.zip,” within an Xcode colorset directory, a seemingly innocuous location that could mislead users into believing it was a legitimate part of the application’s assets. Despite Triton being a macOS-exclusive application, the downloaded archive contained executables targeting Windows operating systems.
Security researcher Brennan was instrumental in identifying the malicious repository. Analysis of the malware sample through VirusTotal revealed a detection rate of 12 out of 66 vendors, with the associated file hash being 39b29c38c03868854fb972e7b18f22c2c76520cfb6edf46ba5a5618f74943eac. Further investigation into the GitHub account associated with the malicious fork uncovered several red flags. The commit history appeared sparse, with only two repositories listed. However, the contribution graph was artificially manipulated using automated scripts to create the appearance of consistent activity through backdated dummy commits.
Adding to the suspicious nature of the account, the repository topics included unusual tags such as “malware,” “deobfuscation,” and “symbolic-execution.” These tags may have been intentionally used to masquerade the malicious content as educational security research, further attempting to deceive potential victims. This incident is indicative of a broader pattern where GitHub is exploited as a platform for distributing malware. Similar campaigns have been observed, underscoring the need for enhanced vigilance within the open-source community.
Infection Mechanism and Evasion Tactics
The malware employs a multi-stage execution chain to ensure its survival and effectiveness on compromised systems. The process begins with the extraction of the malicious archive using 7za.exe, with the password “infected” used to unpack the files. The payload then leverages LuaJIT for its scripting capabilities, incorporating a range of sophisticated evasion techniques. These include detecting whether it is running in a debug environment, employing extended sleep timers to bypass sandbox analysis, and actively detecting virtualization software.
To mask its network communications, the malware crafts command-and-control channels that mimic legitimate Microsoft Office traffic. It utilizes domains such as nexusrules.officeapps.live.com and svc.ha-teams.office.com for this purpose. The malware also performs IP discovery through ip-api.com and engages in blockchain communications with polygon-rpc.com, further obfuscating its true activities.
The malware conducts extensive system reconnaissance to understand the environment it has infiltrated. This involves checking for the presence of common development environments like Java, Python, and .NET installations, as well as examining security software logs. To establish persistence and gather crucial configuration data, it accesses specific registry keys. Furthermore, the malware engages in file operations within system directories, likely to facilitate privilege escalation and gain deeper access to the compromised machine.
Organizations are strongly advised to verify the authenticity of any repository before downloading files, especially from forks on platforms like GitHub. Security teams should implement proactive monitoring for the identified file hash and network indicators associated with this malware. The deployment of robust endpoint detection and response (EDR) solutions is also crucial in identifying and mitigating such threats effectively. The ongoing exploitation of open-source platforms necessitates a continuous refinement of security practices and vigilance against evolving malware distribution tactics.