A new large-scale malware network has compromised thousands of GitHub accounts. Identified as the Stargazers Ghost Network and managed by an entity known as Stargazer Goblin, this operation uses both compromised WordPress sites and GitHub repositories to spread malware designed to steal information.
DaaS Model in Action
Utilizing a Distribution-as-a-Service (DaaS) structure, the Stargazers Ghost Network creates deceptive GitHub accounts to deploy various malware families. Check Point Research indicates this network has been active since August 2022 and began promoting its services on underground forums in June 2023. The malware families distributed include RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer.
The network’s activities are divided among several fake account groups, each with specific responsibilities: some handle phishing templates, others take care of phishing images, and a third group is tasked with releasing malware. This organizational strategy ensures the network can sustain its activities even if some accounts are deactivated; phishing repositories can be quickly updated with new links to maintain the distribution flow.
Financial Impact and Countermeasures
Check Point reports that the Stargazers Ghost Network has generated over $100,000. GitHub’s efforts to dismantle this network have led to the removal of more than 1,500 suspicious repositories since May 2024, but over 200 remain active. Users are urged to be cautious, especially when handling password-protected archives from GitHub, as encryption keeps the contents out of reach of antivirus scans.
Best practices include testing files in a virtual machine and using antivirus software or services like VirusTotal for thorough scans. The Stargazers Ghost Network also engages in actions designed to bolster the appearance of legitimacy, such as starring, forking, and subscribing to its malicious repositories. The network’s operations began to rise in August 2022, with dark web advertisements emerging on July 8, 2023.
Specific Attacks and Target Audience
An example from January 2024 shows the network distributing Atlantida Stealer, infecting over 1,300 victims in just four days through links, likely shared on Discord, aimed at users interested in growing their social media or streaming-platform followings.
Phishing templates used by the network often deliver victims to malicious GitHub repository release sections via download links. The use of password-protected archives aids in bypassing typical scanning methods. When a malware-serving account is shut down, another phishing repository swiftly supplants it with a fresh link to an active malicious release.
Network Structure and Durability
Three distinct types of false accounts define the network’s structure: those hosting phishing repository templates, those hosting phishing images, and those serving the malware inside password-protected archives. This setup allows rapid replacement of any element that gets taken down, maintaining the network’s functionality with minimal interruption.
In-depth examination of specific campaigns shows the network using compromised WordPress sites to host malicious scripts. These scripts culminate in the delivery of the Atlantida Stealer via .HTA files containing VBScript code that executes code fetched from another WordPress site.
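The best-practices section above recommends scanning downloaded archives and treating password-protected ones with suspicion, and this section describes .HTA droppers. The following triage script, added here as an illustration and not part of the original article or of Check Point's tooling, shows how a defender can inspect a release archive without extracting it: it computes the SHA-256 to look up on VirusTotal, reports which members carry the ZIP encryption flag (the property that defeats scanning), and flags member names with dropper-style extensions such as .hta or .exe. The sample archives, the extension list and the helper that builds them are constructed for the example; Python's zipfile cannot write encrypted entries, so the encrypted sample is produced by setting the flag bit on a plaintext archive, which is all the check needs.

```python
import hashlib
import io
import struct
import zipfile

# Extensions a source-code release archive rarely needs and that the page
# associates with the droppers in play (constructed list for the example).
SUSPICIOUS_EXTENSIONS = {".exe", ".scr", ".hta", ".vbs", ".bat", ".cmd", ".lnk", ".msi"}


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP archive's metadata without extracting anything.

    Returns the archive's SHA-256 (the value to look up on VirusTotal), the
    members whose general-purpose flag bit 0 is set (password protected, so a
    scanner cannot see their contents) and the members whose name ends in a
    suspicious extension. The central directory is readable even when every
    member is encrypted, so both lists can be built from a locked archive.
    """
    sha256 = hashlib.sha256(data).hexdigest()
    encrypted, suspicious = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                encrypted.append(info.filename)
            name = info.filename.lower()
            if any(name.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS):
                suspicious.append(info.filename)
    verdict = "review" if encrypted or suspicious else "no flags"
    return {"sha256": sha256, "encrypted_members": encrypted,
            "suspicious_members": suspicious, "verdict": verdict}


def build_sample_zip(members: dict, mark_encrypted: bool) -> bytes:
    """Build a small in-memory ZIP (constructed test data, not a real sample).

    When mark_encrypted is True, flag bit 0 is set in every local file header
    (signature PK\\x03\\x04, flags at offset 6) and central directory entry
    (signature PK\\x01\\x02, flags at offset 8). The member bytes stay
    plaintext; only the metadata looks encrypted, which is what triage_zip
    examines. Member contents must not contain the bytes "PK".
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + offset)[0]
                struct.pack_into("<H", data, pos + offset, flags | 0x1)
                pos = data.find(sig, pos + 4)
    return bytes(data)


# Constructed samples mirroring the shapes the article describes: a
# password-protected archive carrying an executable, a plain archive
# carrying an HTA dropper, and a benign source archive for comparison.
ENCRYPTED_SAMPLE = build_sample_zip(
    {"Installer.exe": b"not a real executable", "README.txt": b"see chat for key"},
    mark_encrypted=True)
HTA_SAMPLE = build_sample_zip(
    {"Setup.hta": b'<script language="VBScript">\' placeholder</script>'},
    mark_encrypted=False)
CLEAN_SAMPLE = build_sample_zip({"src/main.py": b"print('hello')"}, mark_encrypted=False)


if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_SAMPLE),
                          ("hta", HTA_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, triage_zip(sample))
```

Run the script on a downloaded archive by reading its bytes and passing them to `triage_zip`; a "review" verdict means the file should go to a virtual machine or a VirusTotal lookup of the reported hash before anything inside it is opened. Because the encryption flag is read from the central directory, the check works on exactly the archives whose contents a scanner cannot open.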
Last Updated on November 7, 2024 3:30 pm CET