EXECUTIVE SUMMARY
The actor behind the ForceMemo campaign, an individual or a group, has compromised hundreds of GitHub accounts and injected identical malware into hundreds of Python repositories. The targets are Python projects of every kind: Django apps, machine learning research code, Streamlit dashboards, and PyPI packages. The attacker's apparent goal is access to sensitive data, with the potential to disrupt the operations of affected organizations.
The infection chain starts with account takeover: the GlassWorm malware steals GitHub tokens from developers it has compromised, and the ForceMemo operator uses those tokens to force-push rewritten history into the victims' repositories, appending obfuscated code to key Python files. When one of the modified files is executed, the injected code first checks whether the host is Russian and, if so, skips execution, a guard intended to avoid domestic targets.
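As an added example (not code from the report or from any affected project), the following heuristic scanner looks for the artefact this step leaves behind: an obfuscated loader appended to the end of an existing Python file. The two sample files are constructed; the stager line decodes a harmless placeholder string rather than anything from the campaign, and the thresholds are assumptions to tune against your own code base.

```python
"""Heuristic scan for an obfuscated loader appended to Python files.

Added example, not code from the original report or from any affected project.
It targets the artefact described above: a stager line tacked onto the end of an
existing .py file. The thresholds and the two sample files are constructed.
"""
import base64
import math
import re
from dataclasses import dataclass, field
from pathlib import Path

# A one-line stager decodes something and then runs it; flag both on the same line.
DECODE_RE = re.compile(r"\b(b64decode|b32decode|a85decode|zlib|marshal|bytes\.fromhex|codecs\.decode)\b")
EXEC_RE = re.compile(r"\b(exec|eval|compile)\s*\(")
# Long runs of base64 or hex alphabet without spaces are blobs, not hand-written code.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{120,}|[0-9a-fA-F]{160,}")
TAIL_LINES = 15          # the campaign appends, so only the tail of each file needs a look
ENTROPY_THRESHOLD = 4.8  # bits per character; ordinary Python source sits well below this


@dataclass
class Finding:
    line_no: int
    reasons: list = field(default_factory=list)
    snippet: str = ""


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character of a string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(source: str) -> list:
    """Return findings for suspicious lines near the end of one file's source."""
    lines = source.splitlines()
    findings = []
    for idx in range(max(0, len(lines) - TAIL_LINES), len(lines)):
        stripped = lines[idx].strip()
        if not stripped or stripped.startswith("#"):
            continue
        reasons = []
        if EXEC_RE.search(stripped) and DECODE_RE.search(stripped):
            reasons.append("decode-then-execute on one line")
        if BLOB_RE.search(stripped):
            reasons.append("long encoded blob")
        entropy = shannon_entropy(stripped)
        if len(stripped) > 300 and entropy > ENTROPY_THRESHOLD:
            reasons.append(f"high entropy ({entropy:.2f} bits/char)")
        if reasons:
            findings.append(Finding(idx + 1, reasons, stripped[:60]))
    return findings


def scan_tree(root: Path) -> dict:
    """Scan every .py file under a checkout; returns {path: findings} for hits only."""
    hits = {}
    for path in root.rglob("*.py"):
        if any(part in {".venv", "venv", "site-packages", ".git"} for part in path.parts):
            continue
        findings = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            hits[str(path)] = findings
    return hits


# Constructed sample: a plausible Django settings file before and after the append.
CLEAN_SAMPLE = '''import os
from pathlib import Path

BASE_DIR = Path(__file__).resolve().parent.parent
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
DEBUG = False
ALLOWED_HOSTS = ["app.example.invalid"]
INSTALLED_APPS = ["django.contrib.admin", "django.contrib.auth", "shop"]
'''
# The blob is a harmless constructed string, not anything from the campaign.
_BLOB = base64.b64encode(
    b"print('constructed placeholder: a real stager would resolve the Solana memo and fetch the payload')"
).decode()
STAGER_LINE = f"exec(__import__('base64').b64decode('{_BLOB}'))"
INFECTED_SAMPLE = CLEAN_SAMPLE + STAGER_LINE + "\n"
```

Run `scan_tree(Path("."))` inside a fresh clone of each repository you own; a hit on the last line of a `settings.py`, `__init__.py` or `setup.py` that nobody remembers editing is the signal to inspect `git reflog` on the remote for the force-push and to rotate the token that authorised it.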
The malware then reads its instructions from the Solana blockchain: it queries a specific Solana address for transaction memos carrying JSON that includes a payload URL, and fetches the payload from that URL. Because memos are recorded on a public ledger, the instructions cannot be taken down the way a conventional C2 domain can, and the operator can issue new instructions simply by posting another memo; the same property means defenders can read the complete history of instructions from any RPC node.

The ForceMemo campaign matters to any organization whose Python projects are built or tested from GitHub repositories, because a compromised repository runs the injected code wherever the modified file is executed, including on GitHub Actions runners. It highlights the value of monitoring network activity, file system changes, and process activity on those runners. Beyond the usual baseline of patching, monitoring, backups, and endpoint protection, the controls that bear directly on this campaign are revoking and rotating GitHub tokens from developers affected by GlassWorm, enabling branch protection so that force-pushes to protected branches are rejected, and reviewing recent pushes for unexpected history rewrites. Organizations should also consider using tools like Harden-Runner to detect anomalous behavior and block egress that would let the malware reach the Solana C2, download Node.js, or exfiltrate data.
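As an added example (not code from the report), the following script shows the defender's side of the memo dead drop: it walks transaction records in the shape returned by a Solana JSON-RPC `getTransaction` call with `encoding: "jsonParsed"`, where an SPL Memo instruction is rendered as `{"program": "spl-memo", "parsed": "<memo text>"}`, and falls back to the `Program log: Memo (len N): "..."` line the SPL Memo program writes to `logMessages` (verify both shapes against your own RPC output). The JSON field name `url` inside the memo is an assumption; the report only says the memo JSON carries a payload URL. The transactions, signatures and hostnames below are constructed.

```python
"""Extract payload URLs from Solana memo transactions for IOC collection.

Added example, not code from the original report. Record shapes follow the
getTransaction(jsonParsed) response; memo JSON field names are assumed.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Well-known SPL Memo program id (public constant, used here only to label the samples).
MEMO_PROGRAM_ID = "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr"
MEMO_LOG_RE = re.compile(r'^Program log: Memo \(len \d+\): "(.*)"$')
URL_KEYS = ("url", "payload", "payload_url")  # assumed field names; adjust to what the real memos use


@dataclass(frozen=True)
class C2Instruction:
    signature: str
    block_time: int
    url: str
    host: str


def memos_from_transaction(tx: dict) -> List[str]:
    """Return the memo strings in one transaction, from parsed instructions or, failing that, logs."""
    memos = []
    message = tx.get("transaction", {}).get("message", {})
    for ix in message.get("instructions", []):
        if ix.get("program") == "spl-memo" and isinstance(ix.get("parsed"), str):
            memos.append(ix["parsed"])
    if memos:
        return memos
    for log in tx.get("meta", {}).get("logMessages") or []:
        m = MEMO_LOG_RE.match(log)
        if m:
            # The log line holds the memo in Rust {:?} form: quotes and backslashes are escaped.
            memos.append(m.group(1).replace('\\"', '"').replace("\\\\", "\\"))
    return memos


def payload_url_from_memo(memo: str) -> Optional[str]:
    """Return the payload URL if the memo is a JSON object carrying one, else None."""
    try:
        data = json.loads(memo)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    for key in URL_KEYS:
        value = data.get(key)
        if isinstance(value, str) and urlparse(value).scheme in ("http", "https"):
            return value
    return None


def extract_c2(transactions: List[dict]) -> List[C2Instruction]:
    """Oldest-first list of payload URLs published to the watched address."""
    found = []
    for tx in transactions:
        sig = tx["transaction"]["signatures"][0]
        for memo in memos_from_transaction(tx):
            url = payload_url_from_memo(memo)
            if url:
                found.append(C2Instruction(sig, tx.get("blockTime") or 0, url, urlparse(url).hostname or ""))
    found.sort(key=lambda c: c.block_time)
    return found


def hosts_to_block(instructions: List[C2Instruction]) -> List[str]:
    """Unique payload hosts, ready to feed an egress denylist or a Harden-Runner review."""
    return sorted({c.host for c in instructions if c.host})


# Constructed records in the getTransaction(jsonParsed) shape; nothing here is from the campaign.
SAMPLE_TRANSACTIONS = [
    {
        "blockTime": 1700000200,
        "transaction": {
            "signatures": ["sig-memo-json"],
            "message": {"instructions": [
                {"program": "spl-memo", "programId": MEMO_PROGRAM_ID,
                 "parsed": '{"url": "https://payload.example.invalid/stage2"}'},
            ]},
        },
        "meta": {"logMessages": []},
    },
    {
        "blockTime": 1700000100,
        "transaction": {
            "signatures": ["sig-plain-text"],
            "message": {"instructions": [
                {"program": "spl-memo", "programId": MEMO_PROGRAM_ID, "parsed": "gm"},
            ]},
        },
        "meta": {"logMessages": []},
    },
    {
        "blockTime": 1700000050,
        "transaction": {
            "signatures": ["sig-log-only"],
            "message": {"instructions": []},  # response without a parsed memo; only the log survives
        },
        "meta": {"logMessages": [
            f"Program {MEMO_PROGRAM_ID} invoke [1]",
            'Program log: Memo (len 48): "{\\"url\\": \\"http://payload.example.invalid/stage1\\"}"',
            f"Program {MEMO_PROGRAM_ID} success",
        ]},
    },
]
```

In practice the input comes from `getSignaturesForAddress` on the watched address followed by `getTransaction` for each signature; because the ledger keeps every memo, the resulting list is the full timeline of payload URLs the operator ever published, which is exactly the egress denylist and retro-hunt input that a conventional, takedown-able C2 would not have left behind.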
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1566.003 | Phishing | Spearphishing via Service |
| Execution | T1204 | User Execution | – |
| Defense Evasion | T1027 | Obfuscated Files or Information | – |
| Defense Evasion | T1070 | Indicator Removal | – |
| Defense Evasion | T1112 | Modify Registry | – |
| Defense Evasion | T1564 | Hide Artifacts | – |
| Command and Control | T1105 | Ingress Tool Transfer | – |
| Command and Control | T1102 | Web Service | – |
| Command and Control | T1132 | Data Encoding | – |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | – |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol | – |
| Exfiltration | T1567 | Exfiltration Over Web Service | – |