GitHub is being leveraged as a distribution channel for Lumma Stealer malware via deceptive comments across various projects. More than 29,000 comments linked to malware were identified over a three-day period, with users being misled into downloading seemingly legitimate updates.
Malware Distribution Techniques
The comments direct users to download a password-protected archive from mediafire.com or through bit.ly links, with the password given as “changeme”. The archive, named “fix.zip”, contains DLL files and an executable called x86_64-w64-ranlib.exe.
When run, this executable installs Lumma Stealer, designed to exfiltrate cookies, credentials, passwords, credit card details, and browsing history from browsers including Chrome, Edge, and Firefox. It may also target cryptocurrency wallets, private keys, and text files containing sensitive information.
GitHub's Countermeasures and User Impact
GitHub's staff is actively removing these malicious comments when found, but some users have already fallen victim. Affected users are advised to change their passwords, ensuring each one is unique, and to transfer any cryptocurrency to new wallets. The issue gained attention when a contributor to the teloxide Rust library posted about it on Reddit. Further investigation by BleepingComputer demonstrated the attack's wide reach, affecting multiple GitHub projects.
This is not an isolated event. Last month, Check Point Research reported a similar campaign by Stargazer Goblin threat actors, who used over 3,000 fake GitHub accounts for distributing malware. It is unclear whether the recent incidents are related or represent a new campaign by different attackers. The attacks emphasize the ongoing difficulties in protecting open-source platforms from sophisticated malware distribution methods.
Exploitation of Trust in Development Platforms
Cybercriminals are misusing GitHub's commenting feature to distribute malware masked as legitimate code fixes. By posting on popular repositories, they include malicious links or code snippets that appear to be genuine. When developers or users click on these links or use the code, they inadvertently install malware on their systems.
Experts recommend that developers exercise caution when adding code from comments or external sources. Verifying the authenticity and safety of the code before integration is essential. Keeping security software updated and practicing good cybersecurity hygiene can help reduce the risk posed by such attacks.
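A simple way for maintainers to triage comments for the pattern described above (file-host or shortened links, an archive name, a “changeme” password, and a “fix” framing) is shown below. This is an added example, not code from the article or from GitHub; the weights, threshold and sample comments are constructed, and the link paths are placeholders.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the campaign described in the article; the
# weights below are constructed for this example, not an official rule set.
FILE_HOSTS = {"mediafire.com", "www.mediafire.com"}
SHORTENERS = {"bit.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\b[\w-]+\.(?:zip|rar|7z)\b", re.IGNORECASE)
PASSWORD_RE = re.compile(r"\bpass(?:word)?\b[^\n]{0,20}\bchangeme\b", re.IGNORECASE)
FIX_WORDS = re.compile(r"\b(?:fix|patch|update|solution)\b", re.IGNORECASE)


def score_comment(text):
    """Return (score, reasons) for one comment body; higher is more suspicious."""
    score, reasons = 0, []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in FILE_HOSTS:
            score += 3
            reasons.append(f"file-host link: {host}")
        elif host in SHORTENERS:
            score += 2
            reasons.append(f"shortened link: {host}")
    if ARCHIVE_RE.search(text):
        score += 1
        reasons.append("archive filename mentioned")
    if PASSWORD_RE.search(text):
        score += 3
        reasons.append("archive password 'changeme' given")
    if FIX_WORDS.search(text):
        score += 1
        reasons.append("framed as a fix/update")
    return score, reasons


def triage(comments, threshold=5):
    """Return [(index, score, reasons)] for comments scoring at or above threshold."""
    flagged = []
    for i, body in enumerate(comments):
        score, reasons = score_comment(body)
        if score >= threshold:
            flagged.append((i, score, reasons))
    return flagged


# Constructed sample comments; the link paths are placeholders, not real URLs.
SAMPLE_COMMENTS = [
    "Fixed it! Download the fix here: https://www.mediafire.com/file/PLACEHOLDER/fix.zip, password: changeme",
    "I hit the same bug; upgrading to 0.12 solved it for me.",
    "Working patch: https://bit.ly/PLACEHOLDER (archive password changeme)",
]
```

Run against a repository's recent comments, the flagged indices identify posts worth a maintainer's review or a report to GitHub.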