Malware Cocktail Anyone?

A "multi-faceted campaign" has been observed abusing legitimate services such as GitHub and FileZilla to deliver an array of stealer malware and banking trojans, including Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo, by impersonating credible software such as 1Password, Bartender 5, and Pixelmator Pro.  The use of multiple malware families suggests a broad cross-platform targeting strategy, while the overlapping C2 infrastructure points to a centralized command setup, which likely increases the efficiency of the attacks.

Investigators are tracking the activity under the name GitCaught.  They said the campaign highlights the misuse of authentic internet services to orchestrate cyberattacks, and the reliance on multiple malware variants targeting Android, macOS, and Windows to increase the success rate.  Attack chains entail creating fake profiles and repositories on GitHub and hosting counterfeit versions of well-known software there, with the goal of stealing sensitive data from compromised devices.  The links to these malicious files are then embedded within several domains that are typically promoted via malvertising and SEO poisoning campaigns.

See:  https://redskyalliance.org/xindustry/malvertising-now-available-on-your-computer

The adversary behind the operation, suspected to be Russian-speaking threat actors from the Commonwealth of Independent States (CIS), has also been observed using FileZilla servers for malware management and delivery.  Additional analysis of the disk image files on GitHub and the associated infrastructure has determined that the attacks are tied to a larger campaign designed to deliver RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, DanaBot, and DarkComet RAT since at least August 2023.

See:  https://redskyalliance.org/xindustry/lumma-stealer

The Rhadamanthys infection pathway is also notable for the fact that victims who land on the fake application websites are redirected to payloads hosted on Bitbucket and Dropbox, suggesting a broader abuse of legitimate services.

The development comes as the Microsoft Threat Intelligence team said that the macOS backdoor codenamed Activator remains a "very active threat."  It is distributed via disk image files impersonating cracked versions of legitimate software and is used to steal data from the Exodus and Bitcoin-Qt wallet applications.  "It prompts the user to let it run with elevated privileges, turns off the macOS Gatekeeper, and disables the Notification Center," reported a Microsoft researcher.  "It then downloads and launches multiple stages of malicious Python scripts from multiple command-and-control (C2) domains and adds these malicious scripts to the LaunchAgents folder for persistence."
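The Activator behaviors described above (Gatekeeper turned off, interpreter-driven payloads, LaunchAgents persistence) map directly onto a handful of host checks.  The following is an added triage example, not code from the Red Sky Alliance article or from the Microsoft report: it parses LaunchAgent plists and flags entries that launch a scripting interpreter from a user-writable path with RunAtLoad set, and it interprets the output of `spctl --status`.  The two plists and the spctl output are constructed samples, not artifacts from the campaign, and the list of interpreters and path prefixes is an assumed starting point that a responder would tune to their environment.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Constructed sample LaunchAgent plists for the demo (not real malware artifacts).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/python3</string>
        <string>/Users/alice/Library/Caches/update.py</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.FolderActionsDispatcher</string>
    <key>ProgramArguments</key>
    <array>
        <string>/System/Library/CoreServices/FolderActionsDispatcher.app/Contents/MacOS/FolderActionsDispatcher</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

# Assumed heuristics: interpreters an attacker would hide a script behind, and
# path prefixes an unprivileged user (or a dropped DMG payload) can write to.
INTERPRETERS = {"python", "python3", "osascript", "sh", "bash", "zsh", "curl"}
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/")


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Return a verdict for one LaunchAgent plist.

    Flags interpreter launches, arguments pointing into user-writable
    locations, and auto-start keys; 'suspicious' is True when a script is
    executed from a user-writable path or an interpreter is auto-started.
    """
    p = plistlib.loads(plist_bytes)
    args = list(p.get("ProgramArguments") or [])
    if not args and "Program" in p:
        args = [p["Program"]]
    findings = []
    interpreter = bool(args) and PurePosixPath(args[0]).name in INTERPRETERS
    if interpreter:
        findings.append(f"interpreter launch: {args[0]}")
    writable = [a for a in args if a.startswith(USER_WRITABLE_PREFIXES)]
    for a in writable:
        findings.append(f"user-writable path: {a}")
    autostart = bool(p.get("RunAtLoad")) or bool(p.get("KeepAlive"))
    if autostart:
        findings.append("auto-start (RunAtLoad/KeepAlive)")
    suspicious = bool(writable) or (interpreter and autostart)
    return {"label": p.get("Label", "?"), "findings": findings, "suspicious": suspicious}


def gatekeeper_disabled(spctl_status_output: str) -> bool:
    """Interpret `spctl --status`, which prints 'assessments enabled' or
    'assessments disabled'; Activator is reported to switch it off."""
    return "assessments disabled" in spctl_status_output.lower()


def scan_launch_agents(directory: str) -> list:
    """Triage every .plist under a LaunchAgents directory (live use)."""
    results = []
    for path in Path(directory).glob("*.plist"):
        try:
            results.append(triage_launch_agent(path.read_bytes()))
        except Exception as exc:  # malformed plist is itself worth noting
            results.append({"label": path.name, "findings": [f"parse error: {exc}"], "suspicious": True})
    return results


if __name__ == "__main__":
    for sample in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        print(triage_launch_agent(sample))
    print("gatekeeper disabled:", gatekeeper_disabled("assessments disabled"))  # constructed output
```

On a live host, `scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents"))` and `gatekeeper_disabled(subprocess.run(["spctl", "--status"], capture_output=True, text=True).stdout)` feed the same functions; the `/Users/` prefix is deliberately broad and will also flag legitimate per-user helpers, so treat a hit as a lead for a responder rather than a verdict.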


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Our services can help detect cyber threats and vulnerabilities.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
