Security experts at G-Data have unveiled a complex malware distribution campaign aimed at GitHub users, involving at least 13 repositories hosting cracked software designed to deploy the RisePro info-stealer. Dubbed “gitgub” by its orchestrators, this campaign leverages the allure of free software to compromise user systems.
In-Depth Analysis of the “gitgub” Campaign
The investigation into this campaign was sparked by an Ars Technica story about malicious GitHub repositories. G-Data researchers developed a threat-hunting tool that led to the identification of the repositories involved. These repositories, which have since been taken down by GitHub, shared a common pattern: they featured a README.md file promising free cracked software, adorned with green Unicode circles to mimic the appearance of legitimate automatic build status indicators. The repositories directed users to a single download link, which required unpacking multiple layers of archives with a provided password to access the malicious installer.
Technical Breakdown and Impact of RisePro Malware
The final payload, a binary file significantly inflated in size to evade detection tools, serves as a loader for the RisePro info-stealer, version 1.6. Upon execution, this malware connects to a remote server and injects its payload into common system processes, effectively hiding its presence. RisePro, written in C++, is known for its capability to harvest a wide array of sensitive information from infected systems, including passwords and other valuable data, which it then exfiltrates to designated Telegram channels.
The “gitgub” campaign represents a sophisticated effort to exploit the trust and tools commonly used by developers and casual users alike. By masquerading as legitimate software, the attackers behind this campaign demonstrate a high level of cunning and technical proficiency, underscoring the ongoing risks associated with downloading and using cracked software from unverified sources.
Security professionals and GitHub users are advised to remain vigilant, verify the authenticity of repositories and software, and employ comprehensive security solutions to protect against such threats. The report by G-Data not only sheds light on the technical aspects of the “gitgub” campaign but also serves as a reminder of the persistent and evolving nature of cyber threats in the digital landscape.
