EXECUTIVE SUMMARY:
Researchers have uncovered a multi-layered campaign attributed to Russian-speaking threat actors, likely based in the Commonwealth of Independent States. These actors are exploiting a legitimate GitHub profile to impersonate well-known software such as 1Password, Bartender 5, and Pixelmator Pro, among others. The campaign distributes several malware families, including Atomic macOS Stealer (AMOS), Vidar, Lumma, and Octo, with the primary goal of stealing personal information from unsuspecting users. The coordinated use of shared command-and-control (C2) infrastructure across different malware variants underscores the complexity and centralization of this attack strategy.
The threat actors are abusing GitHub, a widely trusted platform for software development, to propagate malware disguised as legitimate macOS applications. Twelve domains impersonating genuine software redirect users to a GitHub profile named "papinyurii33," where the malicious files are hosted. Analysis of these files revealed several malware families, including AMOS, which targets both Intel and ARM-based Macs. The GitHub repository also contained droppers for the Windows-based Lumma and Vidar stealers and for the Octo Android banking trojan. The campaign uses multiple C2 endpoints for data exfiltration and relies on free web-based infrastructure, such as FileZilla servers, for malware delivery. Notably, Russian-language artifacts in the code suggest a possible geographical and linguistic link to the threat actors.
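The delivery chain described above (lookalike domain, redirect to the named GitHub profile, download of the hosted file) can be surfaced from web-proxy logs. The following is an added example, not code from the original report: it parses constructed sample log lines (timestamp, client, method, URL, status, Location header) and flags both redirects to and downloads from the "papinyurii33" profile. The log format and the lookalike domain names are assumptions for illustration.

```python
from urllib.parse import urlparse

# Constructed sample proxy log lines (not taken from the report). Fields:
# timestamp client method url status location ("-" when no Location header)
SAMPLE_LOG = """\
2024-05-01T10:01:02Z 10.0.0.5 GET https://1password-example.test/download 302 https://github.com/papinyurii33/1password/releases
2024-05-01T10:01:03Z 10.0.0.5 GET https://github.com/papinyurii33/1password/releases/download/v1/1Password.dmg 200 -
2024-05-01T10:05:00Z 10.0.0.7 GET https://github.com/example-org/tool/releases/download/v2/tool.zip 200 -
2024-05-01T10:06:00Z 10.0.0.9 GET https://raw.githubusercontent.com/papinyurii33/pixelmator/main/Pixelmator.dmg 200 -
"""

# GitHub hosts whose URL path begins with the owning account name.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "codeload.github.com"}


def owner_of(url):
    """Return the GitHub account that owns the URL's path, or None if the
    URL is not on a GitHub host with an owner-prefixed path."""
    parsed = urlparse(url)
    if parsed.hostname not in GITHUB_HOSTS:
        return None
    segments = [s for s in parsed.path.split("/") if s]
    return segments[0] if segments else None


def find_campaign_hits(log_text, profile="papinyurii33"):
    """Scan proxy log lines and return (client, hit_type, url) tuples for
    downloads served from the profile and for 3xx redirects pointing at it."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed line; skip rather than guess
        _ts, client, _method, url, status, location = fields
        if owner_of(url) == profile:
            hits.append((client, "download_from_profile", url))
        # A redirect whose target lands on the profile reveals the lookalike domain.
        if status.startswith("3") and owner_of(location) == profile:
            hits.append((client, "redirect_to_profile", url))
    return hits


if __name__ == "__main__":
    for client, kind, url in find_campaign_hits(SAMPLE_LOG):
        print(f"{client}\t{kind}\t{url}")
```

Redirect hits identify the impersonating domains worth blocking; download hits identify hosts that may already have fetched a sample.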
In conclusion, this discovery underscores the complexity and persistence of modern cyber threats, highlighting the need for robust and adaptive cybersecurity measures. Organizations must enforce stringent code review processes for all code obtained from external repositories, implement comprehensive application control strategies, and engage in active threat intelligence sharing. By doing so, they can better defend against multi-faceted campaigns and mitigate the risks posed by evolving malware variants.
THREAT PROFILE:
| Tactic | Technique Id | Technique |
| --- | --- | --- |
| Resource Development | T1587 | Develop Capabilities |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1053 | Scheduled Task/Job |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1222 | File and Directory Permissions Modification |
| Defense Evasion | T1564 | Hide Artifacts |
| Defense Evasion | T1202 | Indirect Command Execution |
| Credential Access | T1552 | Unsecured Credentials |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1120 | Peripheral Device Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1057 | Process Discovery |
| Collection | T1005 | Data from Local System |
| Command and Control | T1132 | Data Encoding |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
REFERENCES:
The following reports contain further technical details:
https://www.securityweek.com/threat-actors-abuse-github-to-distribute-multiple-information-stealers/