Threat Advisory

Threat Actor Leverages GitHub Repository for Malicious Infrastructure

Threat: Malicious Campaign
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

Researchers have uncovered a multi-layered campaign attributed to Russian-speaking threat actors, likely based in the Commonwealth of Independent States. These actors are exploiting a legitimate GitHub profile to impersonate well-known software such as 1Password, Bartender 5, and Pixelmator Pro, among others. The campaign distributes several malware families, including Atomic macOS Stealer (AMOS), Vidar, Lumma, and Octo, with the primary goal of stealing personal information from unsuspecting users. The coordinated use of shared command-and-control (C2) systems across different malware variants underscores the complexity and centralization of this cyberattack strategy.

The threat actors are abusing GitHub, a widely trusted platform for software development, to propagate malware disguised as legitimate macOS applications. Twelve domains impersonating genuine software redirect users to a GitHub profile named "papinyurii33," where the malicious files are hosted. Analysis of these files revealed several malware families, including AMOS, which targets both Intel and ARM-based Macs. The GitHub repository also contained droppers for the Windows-based Lumma and Vidar stealers and for the Octo Android banking trojan. The campaign uses multiple C2 endpoints for data exfiltration and relies on free web-based infrastructure such as FileZilla servers for malware delivery. Notably, the presence of Russian-language artifacts in the code suggests a potential geographical and linguistic link to the threat actors.
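The delivery chain described above (a brand-lookalike domain redirecting to a GitHub profile, followed by an installer download from GitHub) can be spotted in web proxy logs. The following detection logic is an added example, not part of the advisory or the cited report; the key=value log format, the `LEGIT_HOSTS` allowlist and the `EXAMPLE-USER` profile name are assumptions, and the sample log lines are constructed.

```python
from urllib.parse import urlparse

# Brands the advisory names as impersonated by lookalike domains.
IMPERSONATED_BRANDS = ("1password", "bartender", "pixelmator")
# Assumed allowlist of the vendors' real domains; extend per deployment.
LEGIT_HOSTS = {"1password.com", "macbartender.com", "pixelmator.com"}
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
PAYLOAD_EXTS = (".dmg", ".pkg", ".zip", ".exe", ".apk")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def lookalike_brand(host):
    """Return the brand a host imitates, or None if it is legitimate or unrelated."""
    if not host or host in LEGIT_HOSTS or host.endswith(tuple("." + h for h in LEGIT_HOSTS)):
        return None
    for brand in IMPERSONATED_BRANDS:
        if brand in host:
            return brand
    return None

def parse_line(line):
    """Parse one constructed key=value proxy log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)

def flag_events(lines):
    """Flag (a) a lookalike site redirecting to GitHub and (b) an installer
    fetched from GitHub with a lookalike site as referrer."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        url = ev.get("url", "")
        url_host = host_of(url)
        if ev.get("status", "").startswith("3") and lookalike_brand(url_host):
            if host_of(ev.get("location", "")) in GITHUB_HOSTS:
                findings.append(("redirect_to_github", url_host, ev["location"]))
        if url_host in GITHUB_HOSTS and url.lower().endswith(PAYLOAD_EXTS):
            ref_host = host_of(ev.get("referer", ""))
            if lookalike_brand(ref_host):
                findings.append(("github_payload_via_lookalike", ref_host, url))
    return findings

# Constructed sample log; ".example" hosts and EXAMPLE-USER are placeholders.
SAMPLE_LOG = [
    "ts=2024-01-10T09:00:01Z src=10.0.0.5 url=https://1password-download.example/get status=302 location=https://github.com/EXAMPLE-USER",
    "ts=2024-01-10T09:00:03Z src=10.0.0.5 url=https://github.com/EXAMPLE-USER/app/releases/download/v1/1Password.dmg status=200 referer=https://1password-download.example/get",
    "ts=2024-01-10T09:05:00Z src=10.0.0.7 url=https://1password.com/downloads/mac status=200 referer=https://www.google.com/",
    "ts=2024-01-10T09:06:00Z src=10.0.0.8 url=https://github.com/some-org/tool/releases/download/v2/tool.zip status=200 referer=https://github.com/some-org/tool",
]

if __name__ == "__main__":
    for finding in flag_events(SAMPLE_LOG):
        print(finding)
```

Only the first two sample lines are flagged; the vendor's own domain and an ordinary GitHub release download are left alone.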

In conclusion, this discovery underscores the complexity and persistence of modern cyber threats, highlighting the need for robust and adaptive cybersecurity measures. Organizations must enforce stringent code review processes for all code obtained from external repositories, implement comprehensive application control strategies, and engage in active threat intelligence sharing. By doing so, they can better defend against multi-faceted campaigns and mitigate the risks posed by evolving malware variants.


THREAT PROFILE:

Tactic                 Technique ID   Technique
Resource Development   T1587          Develop Capabilities
Execution              T1059          Command and Scripting Interpreter
                       T1053          Scheduled Task/Job
Defense Evasion        T1112          Modify Registry
                       T1222          File and Directory Permissions Modification
                       T1564          Hide Artifacts
                       T1202          Indirect Command Execution
Credential Access      T1552          Unsecured Credentials
Discovery              T1082          System Information Discovery
                       T1120          Peripheral Device Discovery
                       T1012          Query Registry
                       T1057          Process Discovery
Collection             T1005          Data from Local System
Command and Control    T1132          Data Encoding
Exfiltration           T1041          Exfiltration Over C2 Channel


REFERENCES:

The following reports contain further technical details:
https://www.securityweek.com/threat-actors-abuse-github-to-distribute-multiple-information-stealers/
