Cyber Criminals Weaponize GitHub and FileZilla for Malware Attacks, here is a quick look

In a sophisticated and multi-faceted campaign, cyber criminals are leveraging legitimate services like GitHub and FileZilla to deploy a range of stealer malware and banking trojans. These malicious actors, suspected to be Russian-speaking individuals from the Commonwealth of Independent States (CIS), have orchestrated attacks that target Android, macOS, and Windows systems. Let’s delve into the details of this alarming trend.

The Multi-Faceted Campaign

Abuse of Legitimate Services

The campaign, tracked by cybersecurity firm Recorded Future under the moniker “GitCaught,” highlights the growing trend of misusing authentic internet services for cyber attacks. The adversaries employ multiple malware variants, aiming to maximize their success rate. Their attack chains involve the following steps:

  1. GitHub Impersonation:
    • The threat actors create fake profiles and repositories on GitHub.
    • These repositories host counterfeit versions of popular software, impersonating trusted applications like 1Password, Bartender 5, and Pixelmator Pro.
  2. Malicious Distribution:
    • The malicious files are distributed through various domains, often via malvertising and SEO poisoning campaigns.
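A defender-side triage of the impersonation step described above, added here as an example and not code from the article or from Recorded Future: given a download link, it checks whether the link points at a GitHub account that is not a known publisher of the brand the repository name advertises. The publisher allow-list is a labelled placeholder; a real deployment would populate it from the vendors' own websites.

```python
"""Flag GitHub download links whose repository name borrows a known brand
but whose owning account is not that brand's publisher.

Added example, not from the article. The LEGIT_PUBLISHERS mapping below is
an illustrative placeholder, not a verified list of vendor accounts.
"""
from urllib.parse import urlparse

# Assumed mapping: brand keyword (lower-case) -> GitHub accounts that are
# allowed to publish it. Placeholder values; replace with verified accounts.
LEGIT_PUBLISHERS = {
    "1password": {"vendor-1password-placeholder"},
    "bartender": {"vendor-bartender-placeholder"},
    "pixelmator": {"vendor-pixelmator-placeholder"},
}

GITHUB_HOSTS = {"github.com", "www.github.com"}


def triage_download_url(url: str) -> dict:
    """Classify a URL as not-GitHub, malformed, no known brand, trusted
    publisher, or possible impersonation."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host not in GITHUB_HOSTS:
        return {"verdict": "not_github", "host": host}

    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return {"verdict": "malformed", "host": host}

    owner, repo = parts[0].lower(), parts[1].lower()
    # The brand keyword may be planted in the repo name or the account name.
    brand = next((b for b in LEGIT_PUBLISHERS if b in repo or b in owner), None)
    if brand is None:
        return {"verdict": "no_known_brand", "owner": owner, "repo": repo}

    if owner in LEGIT_PUBLISHERS[brand]:
        return {"verdict": "trusted_publisher", "brand": brand, "owner": owner, "repo": repo}
    return {"verdict": "possible_impersonation", "brand": brand, "owner": owner, "repo": repo}


def triage_many(urls):
    """Return only the URLs that look like brand impersonation."""
    return [u for u in urls if triage_download_url(u)["verdict"] == "possible_impersonation"]


if __name__ == "__main__":
    # Constructed sample links for demonstration.
    samples = [
        "https://github.com/random-user-123/1Password-Installer/releases/download/v8/1Password.dmg",
        "https://github.com/vendor-pixelmator-placeholder/pixelmator-pro/releases",
        "https://example.org/downloads/bartender.dmg",
    ]
    for u in samples:
        print(u, "->", triage_download_url(u)["verdict"])
```

The check is deliberately conservative: it only fires when a brand keyword appears under an account outside the allow-list, so legitimate forks will also be flagged for a human to review rather than silently passed.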

FileZilla for Malware Management

The sophistication of this campaign is evident in the actors’ use of FileZilla servers for malware management and delivery. By employing FileZilla, they demonstrate a high level of organization and technical capability. Further analysis reveals that this campaign has been distributing various malware strains since at least August 2023. Notable malware variants include:

  • RedLine
  • Lumma (LummaC2)
  • Raccoon
  • Vidar
  • Rhadamanthys
  • DanaBot
  • DarkComet RAT

Rhadamanthys Infection Pathway

One particularly interesting infection pathway involves the Rhadamanthys malware. Victims who visit fake application websites are redirected to payloads hosted on Bitbucket and Dropbox. This suggests a broader abuse of legitimate services beyond GitHub and FileZilla.

macOS Backdoor: Activator

The macOS backdoor, codenamed “Activator,” remains a very active threat. It is distributed via disk image files posing as cracked versions of legitimate software. Once installed, Activator steals data from Exodus and Bitcoin-Qt wallet applications.

Detailed Analysis of the Attack

Infection Mechanisms

  1. The user is tricked into downloading a DMG file containing the cracked software.
  2. Upon installation, the Activator app:
    • Requests elevated privileges
    • Disables macOS Gatekeeper
    • Turns off the Notification Center
    • Installs Python if not already present on the system
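A host-side posture check for the post-install behaviour listed above, added as an example and not code from the article or from any vendor: it parses the output of `spctl --status` (Gatekeeper) and `launchctl list` (whether the Notification Center agent is loaded) and records whether a system-wide Python framework is present. The Notification Center launch agent label and the Python framework path are assumptions about standard macOS layout; the sample command outputs in `main` are constructed so the logic runs on any OS.

```python
"""Posture checks matching the Activator post-install actions.

Added example, not from the article. Parses constructed command output so
it can be exercised off-macOS; collect_live() runs the real commands.
"""
import platform
import subprocess
from pathlib import Path

# Assumption: label of the Notification Center user agent on recent macOS.
NOTIFICATION_CENTER_LABEL = "com.apple.notificationcenterui"
# Assumption: location used by the python.org installer.
PYTHON_FRAMEWORK = Path("/Library/Frameworks/Python.framework")


def gatekeeper_enabled(spctl_status_output: str) -> bool:
    """`spctl --status` prints 'assessments enabled' or 'assessments disabled'."""
    return "assessments enabled" in spctl_status_output.strip().lower()


def notification_center_loaded(launchctl_list_output: str) -> bool:
    """`launchctl list` prints one tab-separated 'PID Status Label' row per job."""
    for line in launchctl_list_output.splitlines():
        fields = line.split("\t")
        if len(fields) == 3 and fields[2].strip() == NOTIFICATION_CENTER_LABEL:
            return True
    return False


def assess(spctl_status_output: str, launchctl_list_output: str,
           python_framework_present: bool) -> list:
    """Return a list of finding names, in a fixed order, for an analyst to review."""
    findings = []
    if not gatekeeper_enabled(spctl_status_output):
        findings.append("gatekeeper_disabled")
    if not notification_center_loaded(launchctl_list_output):
        findings.append("notification_center_not_loaded")
    # A Python framework is normal on developer machines; treat as corroborating only.
    if python_framework_present:
        findings.append("python_framework_present")
    return findings


def collect_live() -> list:
    """Run the real commands; meaningful only on macOS."""
    if platform.system() != "Darwin":
        raise RuntimeError("live collection requires macOS")
    spctl = subprocess.run(["spctl", "--status"], capture_output=True, text=True).stdout
    launchctl = subprocess.run(["launchctl", "list"], capture_output=True, text=True).stdout
    return assess(spctl, launchctl, PYTHON_FRAMEWORK.exists())


if __name__ == "__main__":
    # Constructed sample outputs resembling a host after the listed actions.
    sample_spctl = "assessments disabled\n"
    sample_launchctl = "PID\tStatus\tLabel\n412\t0\tcom.apple.Finder\n-\t0\tcom.apple.Spotlight\n"
    print(assess(sample_spctl, sample_launchctl, python_framework_present=True))
```

Each finding on its own is weak (an administrator may legitimately disable Gatekeeper, and Python is common on developer hosts); the value is in the combination appearing together shortly after a disk image was mounted.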

Stay vigilant, as cyber threats continue to evolve. Awareness and proactive measures are crucial to maintaining a robust security posture.
