A secretive network of around 3,000 “ghost” accounts on GitHub has quietly been manipulating pages on the code-hosting website to promote malware and phishing links, according to new research seen by WIRED.
Since at least June last year, according to researchers at cybersecurity company Check Point, a cybercriminal they dubbed “Stargazer Goblin” has been hosting malicious code repositories on the Microsoft-owned platform. GitHub is the world’s largest open-source code website, hosting millions of developers’ work. As well as uploading malicious repositories, Stargazer Goblin has been boosting the pages by using GitHub’s own community tools.
Antonis Terefos, a malware reverse engineer at Check Point who discovered the nefarious behavior, says the persona behind the network uses their false accounts to “star,” “fork,” and “watch” the malicious pages.
[…]
The Stargazers Ghost Network, which Check Point named after one of the first accounts they spotted, has been spreading malicious GitHub repositories that offer downloads of social media, gaming, and cryptocurrency tools. For instance, pages might be claiming to provide code to run a VPN or license a version of Adobe’s Photoshop. These are mostly targeting Windows users, the research says, and aim to capitalize on people potentially searching for free software online.
The operator behind the network charges other hackers to use their services, which Check Point call “distribution as a service.” The harmful network has been spotted sharing various types of ransomware and info-stealer malware, Check Point says, including the Atlantida Stealer, Rhadamanthys, and the Lumma Stealer. Terefos says he discovered the network while researching instances of the Atlantida Stealer. The researcher says the network could be bigger than he expects, as he has also seen legitimate GitHub accounts being taken over using stolen login details.
[…]
The Stargazer Goblin threat actor identified by Check Point sells their services through ads on cybercrime forums and also through a Telegram account. A posts on a Russian-language cybercrime forum advertises 100 stars for $10 and 500 for $50 and says they can provide clones of existing repositories and trusted accounts. “For GitHub, the process looks organic,”
[…]
The Check Point engineer also says he identified one YouTube “ghost” account that was sharing malicious links via video, indicating that the network could be more encompassing. “I think this is not the whole picture,” Terefos says.
Source: A Hacker ‘Ghost’ Network Is Quietly Spreading Malware on GitHub | WIRED
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft