A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors using a trojanized WordPress credentials checker.

Researchers at Datadog Security Labs, who spotted the attacks, say that SSH private keys and AWS access keys were also stolen from the compromised systems of hundreds of other victims, believed to include red teamers, penetration testers, security researchers, as well as malicious actors.

The victims were infected using the same second-stage payload pushed via dozens of trojanized GitHub repositories delivering malicious proof-of-concept (PoC) exploits that targeted known security flaws, along with a phishing campaign prompting targets to install a fake kernel upgrade camouflaged as a CPU microcode update.

While the phishing emails tricked victims into executing commands that installed the malware, the fake repositories duped security professionals and threat actors seeking exploit code for specific vulnerabilities.

Threat actors have used fake proof-of-concept exploits in the past to target researchers, hoping to steal valuable research or gain access to the networks of cybersecurity firms.

“Due to their naming, several of these repositories are automatically included in legitimate sources, such as Feedly Threat Intelligence or Vulnmon, as proof-of-concept repositories for these vulnerabilities,” the researchers said.” This increases their look of legitimacy and the likelihood that someone will run them.”

The payloads were dropped via GitHub repos using multiple methods, including backdoored configure compilation files, malicious PDF files, Python droppers, and malicious npm packages included in the projects’ dependencies.

As Datadog Security Labs found, this campaign overlaps with one highlighted in a November Checkmarkx report about a year-long supply-chain attack in which the “hpc20235/yawp” GitHub project was trojanized using malicious code in the “0xengine/xmlrpc” npm package to steal data and mine Monero cryptocurrency.

Malware deployed in these attacks includes a cryptocurrency miner and a backdoor that helped MUT-1244 collect and exfiltrate private SSH keys, AWS credentials, environment variables, and key directory contents such as “~/.aws.” 

The second-stage payload, hosted on a separate platform, allowed the attackers to exfiltrate data to file-sharing services like Dropbox and file.io, with the investigators finding hardcoded credentials for these platforms within the payload, giving the attackers easy access to the stolen info.

“MUT-1244 was able to gain access to over 390,000 credentials, believed to be WordPress ones. We assess with high confidence that before these credentials were exfiltrated to Dropbox, they were in the hands of offensive actors, who likely acquired them through illicit means,” Datadog Security Labs researchers said.

“These actors were then compromised through the yawpp tool they used to check the validity of these credentials. Since MUT-1244 advertised yawpp as a “credentials checker” for WordPress, it’s no surprise that an attacker with a set of stolen credentials (which are often purchased from underground markets as a way to speed up threat actor operations) would use yawpp to validate them.”

The attackers successfully exploited trust within the cybersecurity community to compromise dozens of machines belonging to both white hat and black hat hackers after the targets unknowingly executed the threat actor’s malware, leading to data theft that included SSH keys, AWS access tokens, and command histories.

Datadog Security Labs estimates that hundreds of systems remain compromised, and others are still getting infected as part of this ongoing campaign.