Criminals have created thousands of accounts on GitHub to form a malware distribution-as-a-service operation and push infostealers to developer devices, experts have warned.
The project was recently discovered by cybersecurity researchers at Check Point, who said the accounts are assigned distinct roles, making the entire operation quite resilient to takedowns.
The researchers call the project Stargazers Ghost Network, apparently built by a threat actor with the alias Stargazer Goblin.
Successful project
This threat actor registered 3,000 GitHub accounts and used them to push "hundreds" of malicious repositories. The accounts are split into three groups: one that serves the phishing template, a second that provides the phishing image, and a third that serves the malware itself. That way, the entire network is more resilient to GitHub takedowns. Furthermore, all the accounts are used to star, fork, and subscribe to the malicious repositories, boosting their legitimacy in the eyes of the average user.
"The third account, which serves the malware, is more likely to be detected. When this happens, GitHub bans the entire account, repository, and associated releases," Check Point said in its report. "In response to such actions, Stargazer Goblin updates the first account's phishing repository with a new link to a new active malicious release. This allows the network to continue operating with minimum losses when a malware-serving account is banned."
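The star and fork inflation described above leaves a measurable trace: many of the stargazers are accounts created in the same burst with almost no public history. The following is an added example (not code from the report or from Check Point) of a simple defender-side check over constructed stargazer records; the record fields and threshold values are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample stargazer records for two hypothetical repositories.
# Each record joins a stargazer login with its account creation date and
# public repository count, the kind of metadata a defender can look up
# per account. None of these logins or dates come from the report.
SUSPECT_REPO = (
    [{"login": f"ghost{i:03d}", "created": "2024-06-10", "repos": 0} for i in range(30)]
    + [{"login": f"ghost{i:03d}", "created": "2024-06-11", "repos": 1} for i in range(30, 45)]
    + [{"login": "olddev", "created": "2016-03-02", "repos": 42}]
)
NORMAL_REPO = [
    {"login": f"dev{i:02d}", "created": f"20{10 + i % 12}-0{1 + i % 9}-15", "repos": 3 + i}
    for i in range(46)
]


def creation_burst_share(stargazers):
    """Largest share of stargazers whose accounts were created on the same day."""
    if not stargazers:
        return 0.0
    days = Counter(date.fromisoformat(s["created"]) for s in stargazers)
    return max(days.values()) / len(stargazers)


def empty_account_share(stargazers, max_repos=1):
    """Share of stargazers with at most max_repos public repositories."""
    if not stargazers:
        return 0.0
    return sum(1 for s in stargazers if s["repos"] <= max_repos) / len(stargazers)


def assess(stargazers, burst_limit=0.25, empty_limit=0.5):
    """Flag a repository whose stars look coordinated: a large block of
    stargazers created on one day, most of them with no public history.
    The limits are assumed heuristics, not values from the report."""
    burst = creation_burst_share(stargazers)
    empty = empty_account_share(stargazers)
    return {
        "burst_share": round(burst, 2),
        "empty_share": round(empty, 2),
        "suspicious": burst >= burst_limit and empty >= empty_limit,
    }


if __name__ == "__main__":
    print("suspect:", assess(SUSPECT_REPO))
    print("normal: ", assess(NORMAL_REPO))
```

Against real data the same two ratios can be computed from the stargazers listing of a repository joined with each account's profile; a genuinely popular project spreads its stargazers' creation dates over years, while an inflated one clusters them.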
Since GitHub is a major, trusted platform, many people don’t expect to be served malware that way. As a result, the campaign has been very successful so far, the researchers concluded.
"The campaigns performed by the Stargazers Ghost Network and malware distributed via this service are extremely successful," the report reads. "In a short period of time, thousands of victims installed software from what appears to be a legitimate repository without suspecting any malicious intent. The heavily victim-oriented phishing templates allow threat actors to infect victims with specific profiles and online accounts, making the infections even more valuable."
The Stargazers Ghost Network is mostly used to deliver infostealers such as RedLine, Lumma, Rhadamanthys, RisePro, and Atlantida.
Via BleepingComputer