Thousands of GitHub accounts are being used to spread malware

News
By
published

Vast network of malicious GitHub accounts is being used to drop infostealers

Image depicting a hand on a scanner
Image Credit: Pixabay (Image credit: Pixabay)

Criminals have created thousands of accounts on GitHub to form a malware distribution-as-a-service operation and push infostealers to developer devices, experts have warned. 

The project was recently discovered by cybersecurity researchers Check Point, who said all the accounts have distinct roles, making the entire project quite resilient to takedowns.

The researchers call the project Stargazers Ghost Network, apparently built by a threat actor with the alias Stargazer Goblin. 

Successful project

This hacker registered 3,000 GitHub accounts and used them to push “hundreds” of malicious repositories. The accounts are split into three groups - one that serves the phishing template, another one that provides the phishing image, and another one that serves the malware. That way, the entire network is more resilient to GitHub takedowns. Furthermore, all the accounts are used to star, fork, and subscribe to malicious repositories, boosting their legitimacy in the eyes of the average Joe.

"The third account, which serves the malware, is more likely to be detected. When this happens, GitHub bans the entire account, repository, and associated releases," Check Point said in its report. "In response to such actions, Stargazer Goblin updates the first account's phishing repository with a new link to a new active malicious release. This allows the network to continue operating with minimum losses when a malware-serving account is banned."

Since GitHub is a major, trusted platform, many people don’t expect to be served malware that way. As a result, the campaign has been very successful so far, the researchers concluded. 

"The campaigns performed by the Stargazers Ghost Network and malware distributed via this service are extremely successful," the report reads. "In a short period of time, thousands of victims installed software from what appears to be a legitimate repository without suspecting any malicious intent. The heavily victim-oriented phishing templates allow threat actors to infect victims with specific profiles and online accounts, making the infections even more valuable."

The Stargazers Ghost Network is mostly used to deliver infostealers such as RedLine, Lumma, Rhadamanthys, RisePro, and Atlantida.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.