Researchers at Recorded Future's Insikt Group have discovered an extensive and multi-faceted campaign that exploits trusted internet services, such as GitHub and FileZilla, to carry out cyberattacks that steal personal information.
This campaign, attributed to Russian-speaking threat actors likely located in the Commonwealth of Independent States (CIS), abuses a legitimate GitHub profile to impersonate legitimate software, such as 1Password, Bartender 5, and Pixelmator Pro, to distribute various malware types, such as Atomic macOS Stealer (AMOS), Vidar, Lumma (aka LummaC2), and Octo.
"Some malware families observed in this campaign, like Atomic macOS Stealer (AMOS), Vidar, Lumma, and Octo, use shared command-and-control (C2) systems, showing a complex, coordinated cyberattack strategy," wrote Recorded Future's Insikt Group in its report.
"The presence of multiple malware variants suggests a broad cross-platform targeting strategy, while the overlapping C2 infrastructure points to a centralized command setup – possibly increasing the efficiency of the attacks."
The activity, which is being tracked under the nickname "GitCaught", not only highlights the abuse of legitimate internet services (LIS), but also the dependence on multiple variants in cross-platform attacks to boost the campaign's success rate.
The threat actors skilfully crafted fake profiles and repositories on GitHub, a widely used platform for collaborative software development, presenting counterfeit versions of well-known software that are designed to infiltrate users' systems and steal sensitive information, such as passwords, financial data, and personal identification details.
Besides GitHub, the Russian-speaking threat actors also have been observed using free and web-based infrastructure, like FileZilla servers, as a mechanism for malware delivery, abusing legitimate channels to disseminate various malicious payloads to victims’ devices.
During an investigation of the AMOS stealer, Insikt Group identified twelve domains that impersonated legitimate macOS apps, like CleanShot X, 1Password, and Bartender.
All twelve identified domains redirected users to a GitHub profile belonging to a user named "papinyurii33" to download macOS installation media leading to the AMOS infostealer infection. The current AMOS version is capable of infecting both Intel-based and ARM-based Macs.
The malicious profile associated with "papinyurii33" on GitHub was created on January 16, 2024, and its last observed contribution was on March 7, 2024. It contained only two repositories, or "repos", named "2132" and "22".
Upon initial discovery of the GitHub account, the researchers observed that besides AMOS, the profile was hosting other files under the "2132" repository, including a dropper for the Windows-based Lumma and Vidar stealers, as well as an Octo Android banking trojan.
However, no malware had been submitted to the "22" repo since early February 2024.
Additionally, researchers observed how the threat actor executed various DocCloud files to deploy a range of infostealers on victim devices. DocCloud.exe accessed a FileZilla file transfer protocol (FTP) server at IP address 193.149.189[.]199 using hardcoded credentials (username:ins; password:installer).
After a connection was established, a child process of DocCloud.exe accessed and RC4 decrypted a .ENC file, a standard file format for storing encrypted data, and combined the decrypted data with shellcode stored within a Python script. The resulting payload was then run as an argument to pythonw.exe.
Using Recorded Future's Network Intelligence, Insikt also identified four additional IP addresses, all likely related to the threat actor's network infrastructure. These new IP addresses revealed C2 infrastructure for DARKCOMET RAT and an additional FileZilla FTP server responsible for deploying DARKCOMET RAT.
This process was also used in carrying out multiple executions, resulting in Lumma and Vidar infostealers being dropped.
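The DocCloud chain described above (dropper connects to an FTP server with hardcoded credentials, a child process reads and decrypts an .ENC file, and the result is handed to pythonw.exe) is a good fit for a small process-tree detection. The following is an added example, not code from Recorded Future or from the report: it runs a few heuristics over constructed endpoint telemetry. The event field names, the sample file paths and the stage2.exe name are assumptions; the only indicator taken from the article is the FTP server address.

```python
import re

# Constructed sample telemetry (not from the report), modelled on the chain described above:
# DocCloud.exe -> FTP session to 193.149.189[.]199 -> child reads an .ENC file -> pythonw.exe
# runs an inline payload. Field names are an assumption; map them to your EDR or Sysmon schema.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 600,
     "image": r"C:\Users\u\Downloads\DocCloud.exe", "cmdline": "DocCloud.exe"},
    {"type": "network", "pid": 4100, "dest_ip": "193.149.189.199", "dest_port": 21},
    {"type": "process", "pid": 4120, "ppid": 4100,
     "image": r"C:\Users\u\AppData\Local\Temp\stage2.exe", "cmdline": "stage2.exe"},
    {"type": "file", "pid": 4120, "op": "read",
     "path": r"C:\Users\u\AppData\Local\Temp\payload.enc"},
    {"type": "process", "pid": 4130, "ppid": 4120,
     "image": r"C:\Python\pythonw.exe", "cmdline": 'pythonw.exe -c "import ctypes; ..."'},
    # Benign interpreter launch from an unrelated parent, included as a negative case.
    {"type": "process", "pid": 5000, "ppid": 600,
     "image": r"C:\Python\pythonw.exe", "cmdline": "pythonw.exe app.py"},
]

# Indicator taken from the report (defanged there as 193.149.189[.]199).
KNOWN_C2_IPS = {"193.149.189.199"}
FTP_PORT = 21
INLINE_CODE = re.compile(r"\s-c\s")


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(pid, procs, max_depth=5):
    """Walk parent links upward from pid, returning the process records found."""
    chain = []
    cur = procs.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = procs.get(cur["ppid"])
    return chain


def detect(events):
    """Return (pid, reason) alerts for the DocCloud -> FTP -> .ENC -> pythonw.exe pattern."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    enc_readers = set()  # pids that have read an .ENC file
    alerts = []
    for e in events:
        if e["type"] == "network" and (e["dest_ip"] in KNOWN_C2_IPS or e["dest_port"] == FTP_PORT):
            proc = procs.get(e["pid"])
            name = basename(proc["image"]) if proc else "unknown"
            alerts.append((e["pid"], f"{name} connected to {e['dest_ip']}:{e['dest_port']} "
                                     "(known C2 address or plaintext FTP)"))
        elif e["type"] == "file" and e["op"] == "read" and e["path"].lower().endswith(".enc"):
            enc_readers.add(e["pid"])
        elif e["type"] == "process" and basename(e["image"]) == "pythonw.exe":
            reasons = []
            if INLINE_CODE.search(e["cmdline"]):
                reasons.append("inline code passed to pythonw.exe")
            chain = [basename(p["image"]) for p in ancestors(e["ppid"], procs)]
            if "doccloud.exe" in chain:
                reasons.append("descends from DocCloud.exe via " + " <- ".join(chain))
            if e["ppid"] in enc_readers:
                reasons.append("parent read an .ENC file before spawning the interpreter")
            if reasons:
                alerts.append((e["pid"], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```

The three interpreter signals are kept separate on purpose: an inline `-c` payload alone is noisy in developer environments, but combined with a DocCloud.exe ancestor or a parent that just read an .ENC file it is a strong match for this chain, and the reason string tells the analyst which signals fired. The FTP rule fires on any outbound port 21 from an unexpected process, which also catches the same technique when the server address changes.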
In order to reduce the risk of infostealer malware spreading through fraudulent GitHub repositories, Insikt Group recommends several mitigation strategies to organizations to better protect their systems and data, some of which are:
- Implementation of strict access controls and permissions to limit who can download code from external repositories.
- Continuous monitoring of GitHub repositories for signs of fraudulent or malicious activity.
- Enforce an organization-wide code review process for all code obtained from external repositories before integrating it into production environments.
- Verify the authenticity of the download sources and maintain updated antivirus and anti-malware solutions.
- Educate employees, developers, and users about the risks associated with downloading code from untrusted sources, including GitHub repositories.
- Employ automated code scanning tools, such as GitGuardian, Checkmarx, or GitHub Advanced Security, to detect potential malware or suspicious patterns in the code.
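Verifying the authenticity of a download source, as the fourth recommendation asks, can be partly automated: before an installer fetched from a GitHub profile is allowed through, score the profile's metadata against the traits the report describes (a weeks-old account, only two repositories with bare numeric names such as "2132" and "22", release files that are installers rather than source, and a redirect from a lookalike domain rather than the vendor's own). The following is an added example, not code from Recorded Future or the report; the profile records are constructed, the release file names and the vendor record are assumptions, and the weights are illustrative.

```python
from datetime import date

# Constructed profile records (not scraped from GitHub). The first mirrors the attributes the
# report gives for the "papinyurii33" profile (created 2024-01-16, two repos named "2132" and
# "22"); release file names, the referring domain and the vendor record are assumptions.
SUSPECT = {
    "login": "papinyurii33",
    "created": date(2024, 1, 16),
    "repos": [
        {"name": "2132", "has_source": False,
         "releases": ["Installer.dmg", "Setup.exe", "app.apk"]},
        {"name": "22", "has_source": False, "releases": ["Installer.dmg"]},
    ],
    "referrer_domain": "lookalike-app-download.test",  # site that redirected the user here
}
VENDOR = {
    "login": "examplevendor",
    "created": date(2015, 3, 2),
    "repos": [{"name": "examplevendor-app", "has_source": True,
               "releases": ["examplevendor-app-1.4.dmg"]}],
    "referrer_domain": "examplevendor.test",
}

INSTALLER_EXTS = (".dmg", ".pkg", ".exe", ".msi", ".apk")


def triage_profile(profile, vendor_domain, as_of):
    """Score a GitHub profile that a download was redirected to.

    Returns (score, verdict, reasons). vendor_domain is the domain the real
    software vendor publishes from; as_of is the date of the download attempt.
    """
    score, reasons = 0, []
    repos = profile["repos"]

    age_days = (as_of - profile["created"]).days
    if age_days < 90:
        score += 3
        reasons.append(f"account is only {age_days} days old")

    if len(repos) <= 2:
        score += 1
        reasons.append(f"profile has only {len(repos)} repositories")

    if repos and all(r["name"].isdigit() for r in repos):
        score += 2
        reasons.append("all repository names are bare numbers")

    ships_installers = any(
        rel.lower().endswith(INSTALLER_EXTS) for r in repos for rel in r["releases"])
    if ships_installers and not any(r["has_source"] for r in repos):
        score += 3
        reasons.append("releases are installers but no repository contains source")

    if profile["referrer_domain"] != vendor_domain:
        score += 2
        reasons.append(f"reached via {profile['referrer_domain']}, not {vendor_domain}")

    verdict = "block" if score >= 6 else "review" if score >= 3 else "allow"
    return score, verdict, reasons


if __name__ == "__main__":
    # 2024-03-07 is the profile's last observed contribution date in the report.
    for prof in (SUSPECT, VENDOR):
        s, v, r = triage_profile(prof, "examplevendor.test", date(2024, 3, 7))
        print(f"{prof['login']}: score={s} verdict={v}")
        for line in r:
            print("  -", line)
```

The "review" band exists because a young account or a two-repo profile is common for legitimate hobby projects; only the combination of signals should block a download outright, and the reasons list gives the reviewer something concrete to check against the vendor's official download page.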
You can check out the full report by Recorded Future's Insikt Group for a detailed understanding of this campaign and further technical insights.