Cybercrime , Fraud Management & Cybercrime
GitHub Network Fuels Malware Distribution Operation
Threat Actors Profit From GitHub's Inauthentic Accounts NetworkHackers apparently stymied by improved network detection of malware are turning to fake GitHub repositories to host malicious links and archives embedded with viruses.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
Security researchers at Check Point said they've identified a network of more than 3,000 accounts used to distribute malware through multiple repositories that belong to a threat actor the firm christened "Stargazer Goblin." The hacking group earned about $100,000 over its lifespan, Check Point estimated.
Researchers said that Stargazer Goblin delivers a swath of malware, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer and RedLine. The network came into existence in August 2022. It began as a smaller-scale project and gradually expanded to its current size.
The threat actor is a step beyond hackers who merely use GitHub repositories to host malicious code. Stargazer Goblin uses its vast network to give accounts a veneer of peer approval, awarding repositories virtual stars and adding themselves as watchers are creating supposed forks. When relying on an URL for downloading malware onto victim machines, the threat actor points to another malicious repository or a legitimate-seeming external website such as Discord.
"Traditional methods of malware distribution via emails containing malicious attachments are heavily monitored, and the general public has become more aware of these tactics," Check Point said, explaining the mounting interest in GitHub as a malware distributor. Not all hackers have given up on email, of course (see: Email Gateway Security Gaps Enable New Malware Tactics).
Besides using its network to self-referentially build confidence in malicious repositories, Stargazer Goblin uses repositories to keep its malware delivery system resilient in the face of takedowns, Check Point said.
By using one repository to host a download link that points to another repository - and additional repositories to host other pieces of the operation such as phishing templates - the threat actor can "quickly 'fix' any broken links that may occur due to accounts or repositories being banned for malicious activities."
Check Point Research also highlighted the network's maintenance and recovery processes. When accounts or repositories are banned, Stargazer Goblin swiftly updates links and creates new accounts, ensuring continued operations.