Threat intelligence firm Recorded Future on Tuesday raised an alarm for a malicious campaign abusing a legitimate GitHub profile to distribute information stealing malware.
As part of the campaign, Russian-speaking threat actors operating out of the Commonwealth of Independent States (CIS) have been distributing Atomic macOS Stealer (AMOS), Vidar, Lumma, and Octo malware by impersonating legitimate applications such as 1Password, Bartender 5, and Pixelmator Pro.
The malware operations shared the same command-and-control (C&C) infrastructure, suggesting that a centralized setup was used in cross-platform attacks, likely to increase efficiency, Recorded Future notes in a new report (PDF).
Early 2024 industry reporting showed that AMOS was being distributed through deceptive websites, impersonating legitimate macOS applications, including an installation file for Slack, and via fraudulent Web3 gaming projects.
Using these reports as a starting point, Recorded Future identified 12 websites advertising legitimate macOS software but redirecting victims to a GitHub profile distributing AMOS instead. The profile was also seen distributing the Octo Android banking trojan and various Windows infostealers.
The GitHub profile, belonging to a user named ‘papinyurii33’, was created on January 16, 2024 and contained only two repositories. Recorded Future said its researchers observed multiple changes made to the files in these repositories in February and early March, but no new activity since March 7.
The investigation also revealed the use of a FileZilla file transfer protocol FTP server for malware management and for distributing the Lumma and Vidar information stealers.
In addition, Recorded Future said it discovered several IP addresses associated with the campaign, including four IPs associated with the C&C infrastructure for the DarkComet RAT and a FileZilla FTP server used for distributing it. Between August 2023 and February 2024, Raccoon Stealer was also distributed using these FTP servers.
Corroborating the findings with reports from Cyfirma, CERT-UA, Cyble, and Malwarebytes, Recorded Future concluded that they refer to attacks orchestrated by the same threat actor as part of a large-scale campaign.
The cybersecurity firm advises organizations to use automated code scanning tools to perform code assessments for all code obtained from external repositories and to identify potential malware or suspicious patterns.
Related: 21 New Mac Malware Families Emerged in 2023
Related: Threat Actors Manipulate GitHub Search to Deliver Malware
Related: Ransomware Declines as InfoStealers and AI Threats Gain Ground
