GitHub Actions Abuse by Cryptominers

Adversaries are abusing GitHub Actions to run known Cryptominers. GitHub Actions is a CI/CD solution to run scheduled tasks and provide CI/CD automation services for GitHub Repos. This attack doesn’t require any action from the repository owners and only requires the repository to behave GitHub Actions enabled.

This isn’t the first time GitHub Actions have been abused by Adversaries and it will not the last. Thankfully, it does nothing to compromise the CIA Triad for GitHubs users: Confidentiality, Integrity, and Accessibility. Instead, it leverages GitHub resources to perform Crypto mining on behalf of the Threat Adversary.

This attack comes at an interesting time in Cyber Security where growing concerns of Supply Chain attacks are causing some to consider if Open Sourced content provides any advantages over large and increasingly targeted Software Vendor companies.

The Attack Procedure

In this attack, the adversary forks a legitimate repository adds the code for the Cryptominer and creates a Pull Request for the legitimate repository owners to merge the code.

The attack leverages GitHub’s own infrastructure to run hours of their crypto miners. At the time when the Pull Request is made, GitHub Action would execute the adversary's code in a “windows-latest” environment to run the Cryptominer. A single observed investigated attack ran the job 98 times under different Job names which lasted 11hrs 11m and 18s before it was canceled when it exceeded the maximum execution time.

I have multiple repositories that leverage GitHub Actions. Mostly for Code Scanning and Analysis. However, my special public readme repository also uses workflow actions for GitHub-Readme-Stats and Wakatime data displays. The attack, on my repo, started at 5 am, Saturday morning and it took almost no time to determine it was a miner.

An image of GitHub Slack Integration notifying me of the Pull Request with 98 Actions running on my Repo.

The job downloaded the Batch and PortableExecutable (PE). The Batch file was then run which executed the executable with specific instructions to start mining operations for the Threat Actor leveraging GitHub resources.

The GitHub Action: Create yum.yml

Two files are used in the attack. One PE and one Microsoft Batch file named npm.exe and nani.bat respectively.

These files are hosted on GitLab under an npm project but the user chriskm0909. This is, of course, not at all related to the package manager for JavaScript.

Cryptominer SRBMiner_MULTI from GitLab named NPM.exe

The instructions from the batch file instruct the miner to use the argon2id_chulwa2 algorithm and join it to a pool at turlecoin[dot]herominers[dot]com.

The Batch file also contains the wallet ID: TRTLv3ZvhUDDzXp9RGSVKXcMvrPyV5yCpHxkDN2JRErv43xyNe5bHBaFHUogYVc58H1Td7vodta2fa43Au59Bp9qMNVrfaNwjWP.

Indicators of Attack

GitHub content owners whos Repositories are abused in these attacks with be able to identify the attack by observing a Pull Request creating a New Workflow in Actions for the targeted repository. The new Workflow, in my case, was named with Chinese characters.

SS服务密码SS translated is “ssService Passwordss”.

The merge was named “lkiopolo:patch-1”.

File Name” NPM.exe

File Description: SRBMiner_MULTI

File Version: 0.7.1

Copyright 2021 D0kt0r

SHA256: 798ca6782892c2252a487dd055b32b73af1f9cb78febd9a4eb77aff7bf661be7

MD5: ac62631ab40bd84a2b7df138db1ab32a

Nani.bat renamed as mas.bat at Execution

SHA256 : c7d1a1286802d9ffea20389511c612adeb074ae3cb52078352cf34e572eb5621

MD5: f9f83fa546cdd1544284d5f8fa28d497



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Christian Taillon

A cyber nerd who believes that you don’t have to work at the same company to be on the same team.