According to a report by Instrumental Group, a cyber criminal group known as CyberPsticks has been leveraging GitHub and Filezilla for the distribution of infostealers and trojans disguised as popular MacOS programs like 1PASSWORD, BARTENDER 5, and PIXELMATOR PRO. This campaign has been dubbed Gitcaught.
Experts have observed that the wide variety of malware being distributed suggests a cross-platform targeting strategy encompassing Android, MacOS, and Windows. The utilization of a centralized command infrastructure for C2 (command and control) enhances the effectiveness of the attacks.
The modus operandi of the attackers involves setting up fake accounts and repositories on GitHub, where counterfeit versions of legitimate software are uploaded with the intention of harvesting sensitive information from compromised devices. These malicious files are then propagated through various domains using malicious advertising and search engine optimization tactics.
The CyberPsticks group employs Filezilla servers to facilitate the management and dissemination of their malicious payloads. Further examination of disk images on GitHub and associated infrastructure has revealed that these attacks are part of a broader campaign targeting the distribution of other malware such as Redline, Lumma, Raccoon, Vidar, Rhadamanthys, Danabot, and Darkcomet Rat, going back to at least August 2023.
Of particular concern is the RHADAMANTHYS infection chain, where unsuspecting victims lured to fake download sites are redirected to platforms like Bitbucket and Dropbox to download malicious files, indicating a troublesome trend of misusing legitimate services for nefarious purposes.