Cybercriminals use more than 3,000 fake GitHub accounts to spread numerous malware

marry 29.07.2024, 13:00

Researchers from the company Check Point warn that cybercriminals are abusing GitHub to distribute malware. The criminal group “Stargazers Goblin” uses a network, called “Stargazers Ghost”, which has thousands of seemingly legitimate accounts used to spread malware.

These “Ghost” accounts impersonate legitimate users by performing activities common to GitHub accounts to appear genuine and lure victims into downloading “advertised” content.

Malware is usually distributed via links embedded in these repositories. Users who click on such links unknowingly download and install malware on their devices.

The exact number of accounts is not known, but researchers say there are more than 3,000 Ghost accounts, and possibly many more.

According to Check Point’s report, Stargazers Ghost uses identical tags and images, but changes the target audience from one social media application or cracked software to another, using the same template, indicating that it automates activities to ensure efficiency and scalability.
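The behaviours described above (accounts that perform ordinary-looking activity such as starring repositories, READMEs that send visitors off-platform to an archive download, and one template reused with only the advertised product swapped) can be turned into repository triage heuristics. The script below is an added example written for this article; it is not Check Point's tooling and nothing in it comes from the report. The repositories, stargazer accounts, hosts and dates are constructed, and every threshold is an assumption a defender would tune against real data.

```python
"""Triage heuristics for GitHub repositories showing 'ghost account'
distribution patterns. Added example, not Check Point's tooling; all data
is constructed and every threshold is an assumption."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Off-platform link whose target is an archive: the lure READMEs in the
# campaign sent victims to downloads hosted outside GitHub.
EXTERNAL_ARCHIVE = re.compile(
    r"https?://(?!(?:www\.)?github\.com/)[^\s)\"']+\.(?:zip|rar|7z)\b", re.I)
URL = re.compile(r"https?://\S+")
WORD = re.compile(r"[a-z0-9]+")


@dataclass
class Stargazer:
    login: str
    created: date   # account creation date
    starred: date   # date the star was placed


@dataclass
class Repo:
    name: str
    readme: str
    stargazers: list


def external_archive_links(readme: str) -> list:
    return EXTERNAL_ARCHIVE.findall(readme)


def young_account_ratio(stargazers, max_age_days: int = 30) -> float:
    """Share of stars placed by accounts at most max_age_days old (assumed cutoff)."""
    if not stargazers:
        return 0.0
    young = sum(1 for s in stargazers if (s.starred - s.created).days <= max_age_days)
    return young / len(stargazers)


def star_burst_ratio(stargazers, window_days: int = 3) -> float:
    """Largest share of all stars inside any window_days span: organic stars
    trickle in, coordinated ones arrive in a burst."""
    if not stargazers:
        return 0.0
    dates = sorted(s.starred for s in stargazers)
    best = 0
    for i, start in enumerate(dates):
        end = start + timedelta(days=window_days)
        j = i
        while j < len(dates) and dates[j] <= end:
            j += 1
        best = max(best, j - i)
    return best / len(dates)


def readme_similarity(a: str, b: str) -> float:
    """Jaccard similarity of README vocabularies with URLs stripped, so the
    same template with a swapped product name still scores high."""
    ta = set(WORD.findall(URL.sub("", a).lower()))
    tb = set(WORD.findall(URL.sub("", b).lower()))
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


def score_repo(repo, corpus, young_thr=0.5, burst_thr=0.6, sim_thr=0.75) -> list:
    """Return the list of triggered indicators for one repository."""
    reasons = []
    links = external_archive_links(repo.readme)
    if links:
        reasons.append(f"README links to external archive(s): {links}")
    yr = young_account_ratio(repo.stargazers)
    if yr >= young_thr:
        reasons.append(f"{yr:.0%} of stargazers are accounts under 30 days old")
    br = star_burst_ratio(repo.stargazers)
    if br >= burst_thr:
        reasons.append(f"{br:.0%} of stars were placed within a 3-day window")
    twins = [o.name for o in corpus
             if o is not repo and readme_similarity(repo.readme, o.readme) >= sim_thr]
    if twins:
        reasons.append(f"README template shared with {twins}")
    return reasons


# Constructed sample data: two lure repositories built from one template with
# only the advertised product swapped, plus one ordinary project.
TEMPLATE = (
    "# {product} Free {action}\n\n"
    "Working as of 2024. Download the archive, extract it and run the installer.\n"
    "Works on Windows 10 and 11. If you have any issues, open a ticket on our support server.\n\n"
    "[Download]({url})\n"
)
GHOSTS = [Stargazer(f"ghost{i}", date(2024, 1, 2) + timedelta(days=i % 3),
                    date(2024, 1, 20) + timedelta(days=i % 2)) for i in range(10)]
DEVS = [Stargazer(f"dev{i}", date(2019, 1, 1) + timedelta(days=40 * i),
                  date(2023, 1, 1) + timedelta(days=30 * i)) for i in range(6)]
CORPUS = [
    Repo("discord-nitro-free",
         TEMPLATE.format(product="Discord Nitro", action="Generator",
                         url="https://example.invalid/dl/setup.zip"), GHOSTS),
    Repo("spotify-premium-free",
         TEMPLATE.format(product="Spotify Premium", action="Unlocker",
                         url="https://example.invalid/dl/setup.rar"), GHOSTS),
    Repo("tiny-json-parser",
         "# tiny-json-parser\n\nA small JSON parser written in C. Build it with make and run the tests.\n\n"
         "See https://github.com/example-org/tiny-json-parser/releases for binaries.\n", DEVS),
]

if __name__ == "__main__":
    for repo in CORPUS:
        hits = score_repo(repo, CORPUS)
        print(f"{repo.name}: {'SUSPICIOUS' if hits else 'ok'}")
        for reason in hits:
            print("  -", reason)
```

Run against the constructed corpus, both lure repositories trip all four indicators while the ordinary project trips none. The template check is the one worth noting: comparing vocabularies rather than raw text is what makes "identical tags and images, different target audience" visible across repositories, which a per-repository scan would miss.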

Check Point discovered over 2,200 repositories involved in “Ghost” activity during a January 2024 campaign that distributed Atlantis malware that steals user passwords and cryptocurrency wallets. In four days, more than 1,300 victims were infected.

Other malware spread this way includes Rhadamanthys, RisePro, Lumma Stealer and RedLine.

Researchers believe links to the GitHub repositories were likely distributed through Discord channels and targeted followers on YouTube, TikTok, Twitch and Instagram; the repositories themselves contain phishing templates for cracked software and cryptocurrency-related activities.

Users of social networks, games and cryptocurrencies are the network’s key targets for ransomware infections, password theft and wallet compromises. Stargazers Ghost currently targets Windows users, but similar methods can be used for Linux or Android users as well.

The Stargazers Ghost network made more than $100,000 last year alone, and researchers believe it has been active in some form since August 2022. Researchers noticed an advertisement for the network on the dark web at the beginning of July last year.

“It’s worrying to see a large platform like GitHub being exploited to distribute malware,” Check Point researchers said. “This precise targeting could affect a significant number of victims worldwide, leading to severe consequences. The fact that we also identified a similar campaign on YouTube indicates a shift in the approach of malware-as-a-service (DaaS) distribution, where attackers are using popular platforms to covertly spread infections.”

Be careful with unknown repositories and links. Research the developer and the project before downloading anything and avoid opening links unless you are absolutely sure.

Photo: Richy Great | Unsplash

Source: www.informacija.rs