Threat Actors Abuse GitHub to Distribute Multiple Information Stealers

Threat intelligence firm Recorded Future on Tuesday raised an alarm for a malicious campaign abusing a legitimate GitHub profile to distribute information stealing malware.

As part of the campaign, Russian-speaking threat actors operating out of the Commonwealth of Independent States (CIS) have been distributing Atomic macOS Stealer (AMOS), Vidar, Lumma, and Octo malware by impersonating legitimate applications such as 1Password, Bartender 5, and Pixelmator Pro.

The malware operations shared the same command-and-control (C&C) infrastructure, suggesting that a centralized setup was used in cross-platform attacks, likely to increase efficiency, Recorded Future notes in a new report (PDF).

Early 2024 industry reporting showed that AMOS was being distributed through deceptive websites impersonating legitimate macOS applications (including a fake Slack installer) and via fraudulent Web3 gaming projects.

Using these reports as a starting point, Recorded Future identified 12 websites advertising legitimate macOS software but redirecting victims to a GitHub profile distributing AMOS instead. The profile was also seen distributing the Octo Android banking trojan and various Windows infostealers.

The GitHub profile, belonging to a user named ‘papinyurii33’, was created on January 16, 2024 and contained only two repositories. Recorded Future said its researchers observed multiple changes made to the files in these repositories in February and early March, but no new activity since March 7.

The investigation also revealed the use of a FileZilla file transfer protocol (FTP) server for malware management and for distributing the Lumma and Vidar information stealers.

In addition, Recorded Future said it discovered several IP addresses associated with the campaign, including four IPs associated with the C&C infrastructure for the DarkComet RAT and a FileZilla FTP server used for distributing it. Between August 2023 and February 2024, Raccoon Stealer was also distributed using these FTP servers.

Corroborating the findings with reports from Cyfirma, CERT-UA, Cyble, and Malwarebytes, Recorded Future concluded that these reports describe attacks orchestrated by the same threat actor as part of a large-scale campaign.

The cybersecurity firm advises organizations to use automated code scanning tools to perform code assessments for all code obtained from external repositories and to identify potential malware or suspicious patterns.

Related: 21 New Mac Malware Families Emerged in 2023

Related: Threat Actors Manipulate GitHub Search to Deliver Malware

Related: Ransomware Declines as InfoStealers and AI Threats Gain Ground
