Network of 3,000 GitHub Accounts Used for Malware Distribution


A threat actor has created a network of over 3,000 GitHub accounts to distribute malware and malicious links, and to perform other nefarious activities, Check Point reports.

Tracked as Stargazer Goblin, the threat actor has been building the network since August 2022, using it in a distribution-as-a-service (DaaS) operation in which victims are lured to phishing repositories.

The accounts, which Check Point collectively calls the Stargazers Ghost Network, have been observed distributing information-stealing malware such as Atlantida Stealer, Lumma Stealer, Rhadamanthys, RisePro, and RedLine.

Stargazer Goblin began advertising the DaaS on underground forums in July 2023 and is estimated to have earned over $100,000 since the Ghost Network’s inception. From mid-May to mid-June 2024, the threat actor made approximately $8,000 from the malicious activity.

Multiple GitHub accounts are used to star and verify the malicious links distributed through the Stargazers Ghost Network, to make them appear legitimate, and automation is used to create phishing templates targeting different social platforms.

The repositories typically contain download links to external websites, but many repositories were seen hosting password-protected archives that hide the malicious activity from GitHub’s scanners.

Check Point identified repositories containing phishing download links that redirect to three GitHub Ghost accounts: one serving the phishing template, another providing the image for the template, and a third that serves the malware as a password-protected archive.

Stargazer Goblin was seen immediately addressing broken links created when accounts or repositories – typically the third account, which serves the malware – are suspended, by updating the first account’s phishing repository with a new link.


“By distributing responsibilities across multiple accounts, the network ensures flexibility in replacing its compromised components. This minimizes disruption to their operations, allowing them to swiftly adapt and continue their malicious activities on GitHub,” Check Point notes.

Ghost accounts have different roles

The cybersecurity firm also discovered that the accounts within the network interact with multiple other Ghost repositories, including by starring them, by liking the GitHub releases that malicious links redirect to, or by making commits to malicious phishing README.md files.

By assigning different roles to the accounts – namely repository-phishing, commit-link, Stargazer, and other accounts – the threat actor ensures that not all are banned or suspended and that the network continues to operate. Some of the accounts were likely compromised and not created by Stargazer Goblin.

The threat actor’s campaigns typically involve a repository account that owns the phishing repository hosting the download link, a commit account that makes commits to the repository, a release account that creates and updates the malicious archive in the repository’s release section, and multiple Stargazer accounts that fork, star, and like the repository and releases.

“Most of the time, we observe that Repository and Stargazer accounts remain unaffected by bans and repository takedowns, whereas Commit and Release accounts are typically banned once their malicious repositories are detected,” Check Point explains.

“The Commit account maintains a one-to-one relationship with all repositories under the Repository account. This means the same Commit account can make multiple commits to repositories that belong to the same Repository account,” the company adds.
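The role split described above (a Repository account that owns the phishing repo, a separate Commit account, a Release account under which the password-protected archive is published, and a cluster of freshly created Stargazer accounts) gives a defender several independent signals to look for. The following is an added example, not Check Point's tooling or any GitHub API schema: it models repository and account metadata as plain dicts and dataclasses, applies the signals as heuristics, and flags a repository when enough of them coincide. The field names, regular expressions, thresholds and the two sample repositories are all constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date


# Constructed model of the metadata a defender can collect for a repository.
# Field names are assumptions for this example, not the GitHub API schema.
@dataclass
class Account:
    login: str
    created: date


@dataclass
class Repo:
    owner: str
    name: str
    readme: str
    commit_authors: set[str]
    stargazers: list[str]


# A README link to a release asset hosted under another GitHub account
# (the "third account" in the three-account chain described in the article).
RELEASE_LINK_RE = re.compile(
    r"https://github\.com/([\w.-]+)/([\w.-]+)/releases/download/[^\s)]+")
# A README that advertises the password for a protected archive.
PASSWORD_HINT_RE = re.compile(r"\bpassword\b\s*[:=]\s*\S+", re.IGNORECASE)


def external_release_links(repo: Repo) -> list[tuple[str, str]]:
    """Return (owner, repo) pairs for release links that point at another account."""
    return [(owner, name) for owner, name in RELEASE_LINK_RE.findall(repo.readme)
            if owner.lower() != repo.owner.lower()]


def young_stargazer_fraction(repo: Repo, accounts: dict[str, Account],
                             observed_on: date, young_days: int) -> float:
    """Fraction of stargazers whose accounts are younger than young_days."""
    if not repo.stargazers:
        return 0.0
    young = sum(1 for login in repo.stargazers
                if login in accounts
                and (observed_on - accounts[login].created).days < young_days)
    return young / len(repo.stargazers)


def score_repo(repo: Repo, accounts: dict[str, Account], observed_on: date,
               young_days: int = 90, young_threshold: float = 0.6) -> list[str]:
    """Collect the heuristic signals that fire for one repository."""
    reasons = []
    if external_release_links(repo):
        reasons.append("readme links to a release asset under a different account")
    if PASSWORD_HINT_RE.search(repo.readme):
        reasons.append("readme advertises an archive password")
    if repo.commit_authors and repo.owner not in repo.commit_authors:
        reasons.append("all commits come from accounts other than the owner")
    frac = young_stargazer_fraction(repo, accounts, observed_on, young_days)
    if len(repo.stargazers) >= 5 and frac >= young_threshold:
        reasons.append(f"{frac:.0%} of stargazers are younger than {young_days} days")
    return reasons


def is_suspicious(repo: Repo, accounts: dict[str, Account], observed_on: date,
                  min_signals: int = 3) -> bool:
    """Flag only when several independent signals coincide, to limit false positives."""
    return len(score_repo(repo, accounts, observed_on)) >= min_signals


# Constructed sample data (account names and dates are invented).
OBSERVED = date(2024, 6, 15)
ACCOUNTS = {
    **{f"star{i}": Account(f"star{i}", date(2024, 5, 20)) for i in range(5)},
    **{f"dev{i}": Account(f"dev{i}", date(2019 + i, 3, 1)) for i in range(5)},
}
GHOST_REPO = Repo(
    owner="ghost-repo-acct", name="free-tool",
    readme=("Download: https://github.com/ghost-release-acct/loader/"
            "releases/download/v1.0/setup.zip\nArchive password: 1234"),
    commit_authors={"ghost-commit-acct"},
    stargazers=[f"star{i}" for i in range(5)],
)
BENIGN_REPO = Repo(
    owner="acme", name="tool",
    readme="Build from source, or fetch "
           "https://github.com/acme/tool/releases/download/v2.1/tool.tar.gz",
    commit_authors={"acme", "dev1"},
    stargazers=[f"dev{i}" for i in range(5)],
)

if __name__ == "__main__":
    for repo in (GHOST_REPO, BENIGN_REPO):
        print(f"{repo.owner}/{repo.name}: suspicious={is_suspicious(repo, ACCOUNTS, OBSERVED)}")
        for reason in score_repo(repo, ACCOUNTS, OBSERVED):
            print("  -", reason)
```

The point of requiring several signals at once is that each one alone is common in legitimate projects (forks with external release mirrors, new contributors, a burst of stars after a launch); it is the combination of cross-account hosting, an advertised archive password, a commit author distinct from the owner and a star cluster of day-old accounts that matches the pattern the article describes.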

In two different campaigns, the network was leveraged to infect over 1,300 victims with Atlantida Stealer in less than four days, and over 1,000 individuals with Rhadamanthys in two weeks.

“Since the beginning of June 2024, we observed 211 unique still active repositories pushing malicious links, compared to 135 active from May. Since May 2024, GitHub has taken down approximately 1559 repositories and their related GitHub accounts,” Check Point notes.

The cybersecurity firm believes that the GitHub Ghost accounts are part of a larger network that also includes Ghost accounts on other platforms – including Twitter, YouTube, Discord, Instagram, Facebook, and many others – that are used as part of the DaaS operation.

“We are entering a new era of malware distribution, where ghost accounts organically promote and distribute malicious links across various platforms. Future ghost accounts powered by artificial intelligence could launch even more targeted campaigns, making it increasingly difficult to distinguish between legitimate content and malicious material,” Check Point notes.
