Ask HN: I found malware on GitHub. How do I analyze the malware further?

19 points by koheripbal ↗ HN
I have discovered some malicious behavior (corrected from title) in [Mark Text](https://github.com/marktext/marktext)....

I ran Fiddler to profile Mark Text, and the program phones home... and more....

It exports a few basic things [such as your public IP address](https://i.imgur.com/UxyHkbA.png), and then a bunch of encrypted data (cannot decipher). ...then it downloads a packaged Chrome extension app (CR24 format). ...when unzipping that file, you can see [a base64 encoded payload](https://i.imgur.com/5rKwjW0.png) - which expands [to this](https://i.imgur.com/jMbd8st.png), and then an [unencrypted list of websites](https://i.imgur.com/H0twSDk.png), which is very clearly malicious.

To be clear, I downloaded this [directly from Github](https://github.com/marktext/marktext).

Unfortunately, my skills are limited and I cannot find references to the initial malicious URL in the code - though I did discover that you can [search Github code like this...](https://github.com/search?q=in%3Afile+gvt1+repo%3Amarktext%2Fmarktext)

Credit to /u/Phily83 for first [seeing the network activity](https://ibb.co/zbHxbBv).

7 comments

[ 3.3 ms ] story [ 27.2 ms ] thread
While I can't speak to the list of sites that you see, but since the project includes electron-builder (one of the solutions to auto update apps) I would not be surprised to see redirector.gvt1.com activity as it is a google redirector service used to do things like updates.

This link/bug report might also be pertinent:

https://bugs.chromium.org/p/chromium/issues/detail?id=755068...

What makes it seem suspicious is that it sends my public IP address in the URL as a parameter, has encrypted traffic in both directions, and downloads a bunch of suspicious looking domain names...

    10proga.ru
    123moviesgoto.com
    1progs.ru
    1sa.com.ua
    24smi.co
    24smi.org
    2drive.ru
    2hpc.ru
    2recepta.com
    3.kino.filmive-hd.net
    34travel.me
...etc...

I've opened an issue on Github: https://github.com/marktext/marktext/issues/2418

Look like it was a false alarm - devs checked the output out.
The list of malicious sites is probably the safebrowsing block list in Google chrome. gvt1.com is a Google site used to download various Chrome related assets. Marktext uses Electron so it is automatically downloading these.

EDIT: After decompressing http://r4---sn-8xgp1vo-xfgs.gvt1.com/edgedl/release2/chrome_... (linked in the Github issue) and looking at the manifest.json, this is an extension called "Crowd Deny." Reading https://forum.vivaldi.net/topic/43831/crowd-deny-what-is-it/..., it seems to be used as a blacklist to stop push notification spam.

So any Chromium/Electron app will download the list each day?
Maybe not every day but the list is periodically updated and if you reset your Chrome profile or delete the apps data directory it probably will.
(comment deleted)