Crooks used over 3,000 GitHub accounts

Ben Collver bencollver at riseup.net
Fri Jul 26 02:33:11 UTC 2024


Malware crew Stargazers Goblin used 3,000 GitHub accounts to make bank
======================================================================
Matthew Connatser
Fri 26 Jul 2024

Infosec researchers have discovered a network of over three thousand
malicious GitHub accounts used to spread malware, targeting groups
including gamers, malware researchers, and even other threat actors who
themselves seek to spread malware.

The research, penned by Antonis Terefos of Check Point Software, named
the collection of GitHub accounts "Stargazer Ghost Network" and asserted
it's operated by a threat actor the cyber security firm labelled
"Stargazer Goblin."

Whatever it's called, the motley crew behind this effort has adopted two
novel tactics.

One is phishing without email. Terefos opined that email is viewed with
suspicion, so Stargazer Goblin posts nasty links on services such as
Discord. Targets are folks who "wanted to increase their 'followers
audience' in Twitch, Instagram, YouTube, Twitter, Trovo, and TikTok or
use other tool-related features for Kick Chat, Telegram, Email, and
Discord."

If those targets click on a link, they encounter Stargazer Goblin's
second evil innovation: a network of deceptively harmless GitHub
accounts. In reality the accounts perform discrete functions that help
spread malware, but aren't so obviously evil that the coding
collaboration service shuts them down.

Some of them are even starred or verified by other GitHub accounts,
giving them an air of legitimacy.

But they contain danger. The researcher observed that some of the
repositories contained a README.md file containing "a phishing download
link that does not even redirect to the repository's own releases.
Instead, it uses three GitHub Ghost accounts with different
'responsibilities'."

* The first account serves the "phishing" repository template;
* The second account provides the "image" used for the phishing
  template;
* The third account serves malware as a password-protected archive in
  a Release.

And when victims access that archive ... you know what comes next.


The multi-account structure means Stargazer Goblin can "quickly 'fix'
any broken links that may occur due to accounts or repositories being
banned for malicious activities," Terefos wrote. It also means the
network can quickly replace compromised components, probably using
automation, so takedowns of individual accounts don't disrupt the
malware-distribution operation as a whole.
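The three-account split described above (README template in one account, image in a second, password-protected archive in a third's Release) leaves a detectable trace: a README whose download and image links point at accounts other than the repository's own. The following is an added example of a heuristic check for that pattern; it is not code from Check Point or The Register, the account names ghost-a/ghost-b/ghost-c and the sample README are constructed for illustration, and the scoring rules are the editor's own, not the researcher's methodology.

```python
import re
from urllib.parse import urlparse

# Markdown image/link syntax: ![alt](url) or [text](url "title")
MD_LINK = re.compile(r'(!?)\[[^\]]*\]\(([^)\s]+)[^)]*\)')
ARCHIVE_EXT = ('.zip', '.rar', '.7z')
GITHUB_HOSTS = {'github.com', 'www.github.com', 'raw.githubusercontent.com'}


def github_parts(url):
    """Split a github.com / raw.githubusercontent.com URL into (owner, repo, rest).

    Returns None for any other host, or for a path too short to carry owner/repo.
    Owner and repo are lower-cased because GitHub treats them case-insensitively."""
    p = urlparse(url)
    if p.netloc.lower() not in GITHUB_HOSTS:
        return None
    segs = [s for s in p.path.split('/') if s]
    if len(segs) < 2:
        return None
    return segs[0].lower(), segs[1].lower(), '/'.join(segs[2:])


def audit_readme(repo_owner, readme_text):
    """Flag README links that pull content from accounts other than repo_owner.

    Each finding records the foreign account and whether the link is a release
    asset that is also an archive (the 'third account' role in the article).
    A 'password' hint anywhere in the README is recorded separately, since the
    malware is shipped as a password-protected archive."""
    owner = repo_owner.lower()
    findings = []
    for m in MD_LINK.finditer(readme_text):
        bang, url = m.group(1), m.group(2)
        parts = github_parts(url)
        if parts is None or parts[0] == owner:
            continue  # non-GitHub or same-account link: not the pattern of interest
        link_owner, link_repo, rest = parts
        is_release = rest.startswith('releases/download/')
        is_archive = rest.lower().endswith(ARCHIVE_EXT)
        findings.append({
            'kind': 'image' if bang else 'link',
            'owner': link_owner,
            'repo': link_repo,
            'url': url,
            'cross_account_release_archive': is_release and is_archive,
        })
    password_hint = re.search(r'\bpassword\b', readme_text, re.I) is not None
    # Heuristic verdict (editor's own thresholds, not Check Point's):
    # a foreign-account archive in a Release plus a password hint is the
    # full three-role pattern; any other cross-account link merits a look.
    if any(f['cross_account_release_archive'] for f in findings) and password_hint:
        verdict = 'suspicious'
    elif findings:
        verdict = 'review'
    else:
        verdict = 'clean'
    return {'findings': findings, 'password_hint': password_hint, 'verdict': verdict}


# Constructed sample README for a repository owned by the (hypothetical)
# account "ghost-a": the screenshot comes from ghost-b and the download from
# ghost-c's Release, mirroring the roles described in the article.
SAMPLE_README = """# Social Booster Pro
![screenshot](https://raw.githubusercontent.com/ghost-b/assets/main/ui.png)
Download: [Latest release](https://github.com/ghost-c/loader/releases/download/v1.2/SocialBooster.zip)
Archive password: 2024
See also [docs](https://github.com/ghost-a/social-booster/wiki)
"""

if __name__ == '__main__':
    report = audit_readme('ghost-a', SAMPLE_README)
    for f in report['findings']:
        print(f"{f['kind']:5} -> {f['owner']}/{f['repo']}  release-archive={f['cross_account_release_archive']}")
    print('password hint:', report['password_hint'], '| verdict:', report['verdict'])
```

Run against a repository's README with its owner name; a 'suspicious' verdict means the README hands out a password-protected archive from another account's Release, which is exactly the link a takedown of the README account would not remove.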

Generative AI might have also been used to create legitimate-looking
repositories and accounts – and perhaps to even create custom responses
to real users.

It works, dammit
----------------
One such campaign was highly successful. Over a four-day period in
January 2024, Check Point observed the Stargazer Ghost Network
distribute Atlantida stealer – a novel malware family that steals user
credentials and cryptocurrency wallets along with other personally
identifiable information – and secure over 1,300 infections.

Around the same time, another campaign was launched to spread
Rhadamanthys across repositories that were ostensibly for cracked
software and crypto trading tools. Over a thousand users downloaded the
malware in two weeks, the researchers claim, based on a statistics page
they found on the host website for the malware.

Terefos thinks some of the group's campaigns may even have targeted
infosec researchers, or rival malware gangs, as the phishing link led to
a cracked version of the known infostealer RisePro that had been
modified to spread malware.

Whatever the target, the effort has proven lucrative: Terefos thinks
this malware business has made about $100,000 over the last year.

But that's just for GitHub – the researchers suspect the group might be
operating on other websites as well. This is potentially indicated by a
GitHub repository that linked to a YouTube tutorial on how to install a
program that's actually malware. The study also suggests that the
Atlantida campaign targeted users interested in social media in order to
acquire accounts on other platforms, which can be used to spread malware
just like GitHub.

From: <https://www.theregister.com/2024/07/26/github_stargazers_goblin_malware/>


More information about the Give-Up-GitHub mailing list