Check Point Unveils Network of Fake Github Accounts Spreading Malware
The most prolific cybercriminal, known as Stargazer Goblin, utilizes the platform to host malicious repositories. The highlight of the campaign is the ability to make harmful repositories appear legitimate by employing tactics such as adding ‘sprockets’ (similar to likes), ‘Forkov’ (similar to retweets), and subscriptions. The trading of repositories and “stars” is coordinated through Telegram channels and darknet forums.
The Stargazers Ghost Network disseminates malicious repositories offering tools for social networks, games, and cryptocurrencies. These repositories claim to provide VPN access or Adobe Photoshop licenses, primarily targeting Windows users. The attackers aim to exploit individuals seeking free software.
The network operator offers its services to other hackers through a Distribution-AS-A-Service (DAAS) model. The network distributes various types of malware, including encryption and info-stealers like Atlantida Stealer, Rhadamanthys, and Lumma Stealer.
It is suggested by Check Point that the network may be more vast than anticipated, as legitimate GITHUB accounts have also participated in the campaign, likely compromised through stolen credentials. The total earnings of the cybercriminal are estimated to be around $100,000.
Experts believe that the network’s activities, such as generating “stars” and views on pages, are likely automated. The rapid creation of repositories using a standard template makes it challenging to detect this automated behavior, as account actions mimic those of genuine GitHub users.
Stargazer Goblin has orchestrated a sophisticated operation to disseminate malicious software while evading detection due to the high level of trust placed in Github. This strategy enables the network to circumvent suspicion and quickly resume its activities following disruptions by Github. By utilizing multiple accounts and profiles for different tasks, such as installing stars, hosting repositories, and deploying phishing campaigns, the Stargazers Ghost Network minimizes losses when one part of the operation is compromised.
* META and its products are deemed extremist, and their activities are prohibited within the Russian Federation.