Cryptojacking Campaign Employs Deleted GitHub Account and Unofficial GitHub CDN

Cybercriminals appear to have an obsession with abusing GitHub and GitHub-related services to hide in-browser cryptocurrency mining scripts that they later use on hacked sites.

There have been quite a few cryptojacking campaigns in the past months where crooks abused GitHub. The first of these incidents was reported back in December 2017 when hackers abused the code-sharing site by uploading cryptojacking scripts on GitHub accounts and then loading them on hacked sites via the GitHub.io domain.

A few months later, crooks did the same thing, but instead of using the GitHub.io domain, they switched to loading the scripts using GitHub's default CDN of raw.githubusercontent.com.

Third, when crooks saw that their tactics had been discovered and countered by security firms and software, they switched again to a new URL scheme and began loading cryptojacking scripts stored on GitHub from github.com/user/repository/raw/ links.

Cryptojackers abuse RawGit CDN

Now, researchers from cyber-security firm Sucuri say they've found another, more clever way, in which crooks abused not GitHub, but an unofficial GitHub-related service.

This service is RawGit, a CDN service that caches GitHub files indefinitely, even after the original file has been deleted from GitHub or the GitHub user has deleted his account.

Sucuri says that a recent cryptojacking operation has uploaded a version of the Crypto-Loot in-browser miner on a GitHub account named jdobt, cached the cryptojacking script inside RawGit, and then deleted the original GitHub account.

That attacker later embedded this cryptojacking script on hacked sites using the RawGit URL, a domain that's not usually considered suspicious and susceptible to additional scans by security software.

The technique is arguably very clever, as it abuses a service known only to web developers, who often used RawGit URLs in the past for their HTML previewing functionality (as Bleeping Computer does with its Patch Tuesday reports).

RawGit's fast abuse department foils attackers' scheme

But while the three previous cryptojacking campaigns that leveraged GitHub domains were somewhat successful, this one appears to be a colossal failure, and for two very different reasons.

First, the crooks appear to have hit a snag with embedding the Crypto-Loot script on hacked sites. Sucuri says the script failed to actually load, execute, and generate profit for the operators.

Second, Sucuri says that the RawGit team was incredibly fast and responsive when it came to abuse reports, taking down the cached URLs within a matter of hours after the initial report.

The person or group behind this campaign might have thought he found a clever way to keep scripts online even after files were deleted from Github, but he apparently didn't take into account RawGit's quick response and its staff's dedication to keeping their CDN free of any malware.