Fake GitHub Account

GitHub’s extensive community and features make it a continued target for threat actors. This week, security researchers identified a network of 3000 fake GitHub accounts pushing infostealing malware through the platform’s repositories as well as compromised WordPress sites. The malware Distribution-as-a-Service (DaaS), dubbed ‘Stargazers Ghost Network’, delivers variants of RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer, all packaged in password-protected archives.

Attributed to a threat actor known as ‘Stargazer Goblin’, the exposed DaaS operation marks the first instance of such a sophisticated and wide-reaching scheme found running on GitHub. Threat actors exploit the platform’s well-trusted reputation and bank on users to be less suspicious of links and downloads.

The DaaS works by creating hundreds of repositories with 300 ‘ghost’ accounts that star, fork, and subscribe to these repositories, boosting their visibility and perceived legitimacy on GitHub. Each fake account has a specific role: one serves phishing templates, the second provides phishing images, and the third distributes the malware. When a malware-serving account is banned, Stargazer Goblin updates phishing repositories with new links to maintain the resilience of the operation.
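As an added illustration of the star/fork inflation described above (this is not code from the original article or from Check Point Research), the heuristic below scores a repository's stargazers for "ghost" profiles and checks whether those profiles also star the same small cluster of other repositories. The account fields, thresholds and sample data are constructed assumptions, not values taken from the report.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    """Subset of public profile metadata (constructed; mirrors common fields)."""
    login: str
    created: date
    public_repos: int
    followers: int
    starred: frozenset  # full names of repos this account has starred


def looks_ghost(acct: Account, as_of: date, max_age_days: int = 180) -> bool:
    """Throwaway-looking profile: young, no own code, no audience."""
    age = (as_of - acct.created).days
    return acct.public_repos == 0 and acct.followers == 0 and age <= max_age_days


def assess_repo(repo: str, stargazers: list, as_of: date,
                ghost_frac: float = 0.6, overlap_frac: float = 0.5) -> dict:
    """Flag a repo whose stars come mostly from ghosts that star the same cluster."""
    ghosts = [a for a in stargazers if looks_ghost(a, as_of)]
    ghost_ratio = len(ghosts) / len(stargazers) if stargazers else 0.0
    # Ghost networks star a shared set of repos; count other repos the ghosts have in common.
    other = Counter(r for a in ghosts for r in a.starred if r != repo)
    needed = overlap_frac * max(len(ghosts), 1)
    shared = sorted(r for r, n in other.items() if n >= needed)
    return {
        "ghost_ratio": round(ghost_ratio, 2),
        "shared_repos": shared,
        "suspicious": ghost_ratio >= ghost_frac and bool(shared),
    }


# Constructed sample data: four young empty profiles plus one established user.
AS_OF = date(2024, 7, 26)
CLUSTER = frozenset({"acme-lures/tool", "acme-lures/images", "acme-lures/dl"})
SAMPLE_STARGAZERS = [
    Account("ghost1", date(2024, 5, 1), 0, 0, CLUSTER),
    Account("ghost2", date(2024, 5, 2), 0, 0, CLUSTER),
    Account("ghost3", date(2024, 6, 3), 0, 0, CLUSTER),
    Account("ghost4", date(2024, 6, 4), 0, 0, CLUSTER),
    Account("realdev", date(2015, 1, 1), 40, 12, frozenset({"acme-lures/tool", "torvalds/linux"})),
]
BENIGN_STARGAZERS = [
    Account("alice", date(2012, 3, 3), 25, 90, frozenset({"good/lib"})),
    Account("bob", date(2018, 9, 9), 7, 4, frozenset({"good/lib", "torvalds/linux"})),
]

if __name__ == "__main__":
    print(assess_repo("acme-lures/tool", SAMPLE_STARGAZERS, AS_OF))
    print(assess_repo("good/lib", BENIGN_STARGAZERS, AS_OF))
```

Real stargazer and profile data would come from GitHub's public API; the thresholds here are starting points for triage, not a verdict.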

Phishing template used across TikTok, YouTube, Twitch, and Instagram (Source: Check Point Research)

Researchers estimate that the operation has clawed in over $100,000 in funds since its launch and note that Stargazer Goblin has been ramping up promotion of their services across the dark web since June 2023. The actor has also been observed diversifying how they funnel traffic, using malvertising, Telegram, social media and even YouTube tutorials that direct viewers to repositories managed by Stargazers Ghost Network.

Despite GitHub’s efforts to remove over 1,500 malicious repositories since May, researchers note that more than 200 remain active. GitHub users are once again advised to be cautious as malware distribution methods, especially those powered by AI, continue to develop and launch complex and targeted campaigns.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424