Malicious 'ghost' DaaS network spreading malware through GitHub
Social engineering and GitHub reputation key to effectiveness
Threat actors known as 'Stargazer Goblin' have created a malware Distribution-as-a-Service (DaaS) from over 3,000 fake GitHub accounts
According to a report from Check Point Research, the malware delivery service is called Stargazers Ghost Network. It utilises GitHub repositories along with compromised WordPress sites and some neat social engineering to push out malware hidden in password-protected archives.
It is thought to be the first time that a scheme of this nature has been documented running on GitHub, and it trades on GitHub's reputation as a trusted platform to get victims to download and run the payloads.
"The campaigns performed by the Stargazers Ghost Network and malware distributed via this service are extremely successful," explains the report.
"In a short period of time, thousands of victims installed software from what appears to be a legitimate repository without suspecting any malicious intent. The heavily victim-oriented phishing templates allow threat actors to infect victims with specific profiles and online accounts, making the infections even more valuable."
Stargazer Goblin, the operator behind the DaaS, set up hundreds of GitHub repositories using roughly 3,000 'ghost' accounts.
According to Antonis Terefos, a researcher at Check Point Research, these accounts star, fork, and subscribe to malicious repositories, which target popular interests like cryptocurrency and gaming. This gives the malicious repositories the appearance of legitimacy and increases the likelihood of them trending.
The malware being distributed includes Redline, Lumma Stealer, Rhadamanthys, RisePro and Atlantida Stealer.
GitHub has taken down more than 1,500 of the malicious repositories but is being hampered in its efforts by the resilience that the network has built into its operations.
The ghost accounts all have distinct roles. One group serves the phishing template, another provides the phishing image, and a third serves the malware.
Should that final account be detected, banned and all the associated releases removed, the group updates the first account's phishing repository with a new link to a new active malicious release.
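The two signals described above, a README that points at a release hosted under a different account and a star count inflated by freshly created, empty accounts, can both be checked mechanically. The following is an added example written for this article, not code from Check Point or from the report; it runs offline on constructed sample data (the repository name, the account names and the stargazer records are all hypothetical) and applies hypothetical thresholds that a hunter would tune against real GitHub API output.

```python
"""Heuristics for spotting Ghost-Network-style GitHub repositories.

Added illustration for this article; owner/repo names, README text, stargazer
records and thresholds below are constructed, not taken from the report.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# GitHub release-asset download URL: github.com/<owner>/<repo>/releases/download/<tag>/<file>
RELEASE_URL = re.compile(
    r"https?://github\.com/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)/releases/download/[^\s)\"'>]+"
)
ARCHIVE_EXT = (".zip", ".rar", ".7z")
# "Password: 1234" / "pass = 1234" style hints that the archive is encrypted
PASSWORD_HINT = re.compile(r"\bpass(?:word)?\s*[:=]", re.IGNORECASE)


def cross_account_release_links(readme: str, owner: str, repo: str) -> list[dict]:
    """Release-download links in the README that point at a different owner/repo.

    A 'phishing template' repo that fetches its payload from another account is
    the layered structure described in the article."""
    out = []
    for m in RELEASE_URL.finditer(readme):
        if (m["owner"].lower(), m["repo"].lower()) != (owner.lower(), repo.lower()):
            url = m.group(0)
            out.append({"url": url, "owner": m["owner"], "repo": m["repo"],
                        "archive": url.lower().endswith(ARCHIVE_EXT)})
    return out


def mentions_archive_password(readme: str) -> bool:
    """Password-protected archives defeat static scanning of the release asset."""
    return PASSWORD_HINT.search(readme) is not None


@dataclass
class Stargazer:
    login: str
    created_at: datetime   # account creation time (GET /users/{login})
    starred_at: datetime   # star time (GET /repos/{o}/{r}/stargazers, star+json)
    public_repos: int
    followers: int


def is_ghost(s: Stargazer, max_age_days: int = 30) -> bool:
    """Young, empty account: created shortly before starring, no repos, no followers."""
    age = s.starred_at - s.created_at
    return age <= timedelta(days=max_age_days) and s.public_repos == 0 and s.followers == 0


def ghost_star_ratio(stargazers: list[Stargazer]) -> float:
    """Fraction of stargazers that look like ghost accounts."""
    if not stargazers:
        return 0.0
    return sum(is_ghost(s) for s in stargazers) / len(stargazers)


def star_burst(stargazers: list[Stargazer], window_hours: int = 24) -> int:
    """Largest number of stars landing inside any sliding window (sorted two-pointer)."""
    times = sorted(s.starred_at for s in stargazers)
    window = timedelta(hours=window_hours)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def assess(owner: str, repo: str, readme: str, stargazers: list[Stargazer]) -> dict:
    """Combine the signals; thresholds are hypothetical starting points."""
    links = cross_account_release_links(readme, owner, repo)
    ratio = ghost_star_ratio(stargazers)
    burst = star_burst(stargazers)
    pw = mentions_archive_password(readme)
    suspicious = (any(l["archive"] for l in links) and pw) or (ratio >= 0.5 and burst >= 5)
    return {"cross_account_links": links, "password_hint": pw,
            "ghost_ratio": ratio, "star_burst": burst, "suspicious": suspicious}


# ---- constructed sample input (hypothetical names, not real repositories) ----
NOW = datetime(2024, 7, 26, tzinfo=timezone.utc)
SAMPLE_README = (
    "# Free Aimbot 2024\n"
    "[Download](https://github.com/rel-acct-4421/release-storage/releases/download/v1.2/Setup.zip)\n"
    "Password: 1234\n"
)
SAMPLE_STARGAZERS = [
    Stargazer(f"ghost{i}", NOW - timedelta(days=10), NOW - timedelta(days=5, hours=-i), 0, 0)
    for i in range(6)
] + [
    Stargazer("oldtimer", datetime(2015, 3, 1, tzinfo=timezone.utc), NOW - timedelta(days=20), 40, 120),
    Stargazer("dev42", datetime(2019, 9, 9, tzinfo=timezone.utc), NOW - timedelta(days=40), 12, 8),
]

if __name__ == "__main__":
    print(assess("cheat-tools", "free-aimbot", SAMPLE_README, SAMPLE_STARGAZERS))
```

The README check is deliberately narrow: a legitimate project occasionally links to another repo's releases, so it is the combination of a cross-account archive link with a posted password, or of a high ghost ratio with a star burst, that should raise a ticket rather than either signal alone.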
Check Point estimates that the service has earned in excess of $100,000 since its launch, and the report also says that the malicious network is unlikely to be limited to GitHub.
"We believe that Stargazer Goblin created a universe of Ghost Network accounts operating across various platforms such as GitHub, Twitter, YouTube, Discord, Instagram, Facebook and many others," it says.
"Similar to GitHub, other platforms can be utilised to legitimise malicious phishing and distribute links and malware to victims through posts, repositories, videos, tweets and channels, depending on the features each platform offers."