Malicious Threat Actors Exploiting GitHub and FileZilla To Distribute a Malware Cocktail
A “multi-faceted campaign” has been identified abusing legitimate platforms such as FileZilla and GitHub to distribute a variety of banking trojans and stealer malware, including Atomic (also known as AMOS), Vidar, Lumma (also known as LummaC2), and Octo. The malware is delivered by impersonating reputable software applications, including 1Password, Bartender 5, and Pixelmator Pro.
“The existence of several malware variants indicates a broad cross-platform targeting strategy, while the overlapping C2 infrastructure points to a centralized command setup — possibly increasing the efficiency of the attacks,” the Insikt Group of Recorded Future indicated in a report.
The cybersecurity firm, operating under the alias GitCaught, asserts that the campaign highlights not only the abuse of legitimate internet services to stage cyberattacks, but also the reliance on multiple malware variants that specifically target Android, macOS, and Windows in order to increase the likelihood of success.
Attack chains involve fake profiles and repositories on GitHub that host counterfeit versions of well-known software in order to steal sensitive data from compromised devices. Links to these malicious files are embedded on multiple domains, which are typically compromised through SEO poisoning and malvertising campaigns.
FileZilla servers were also observed being used by the adversary for malware delivery and management. Russian-speaking threat actors from the Commonwealth of Independent States (CIS) are suspected of running the operation.
Further analysis of the GitHub disk image files and the associated infrastructure has established that the attacks are tied to a larger scheme that has been orchestrating RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, DanaBot, and DarkComet RAT attacks since at least August 2023.
Another notable aspect of the Rhadamanthys infection chain is that it redirects victims who land on the fake application websites to payloads hosted on Bitbucket and Dropbox, which suggests even broader abuse of legitimate services.
The macOS backdoor codenamed Activator, distributed via disk image files that pose as cracked versions of legitimate software and steal data from the Exodus and Bitcoin-Qt wallet applications, continues to be a “very active threat,” according to the Microsoft Threat Intelligence team.
“It prompts the user for permission to let it execute with elevated permissions, turns off the macOS Gatekeeper, and removes the Notification Center,” according to the technology company. “It then downloads and launches multiple stages of malicious Python scripts from multiple command-and-control (C2) domains and adds these malicious scripts to the LaunchAgents folder for persistence.”
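A defensive check for the persistence mechanism described in the quote above (Python scripts registered as LaunchAgents), added here as an illustration and not code from the original article, Microsoft, or Recorded Future: it parses LaunchAgent property lists and flags those that run a Python interpreter on a script in a user-writable location at login. The sample plists are constructed, and the path heuristics and function names are my own assumptions.

```python
import plistlib
import re
from pathlib import Path

# Heuristic for the quoted Activator behaviour: a LaunchAgent whose
# ProgramArguments start a Python interpreter on a script dropped somewhere
# the user can write to, configured to run at every login.
INTERPRETER = re.compile(r"(^|/)python(\d(\.\d+)?)?$")
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/")


def assess_launch_agent(plist_bytes: bytes) -> list:
    """Return reasons this LaunchAgent looks like script-based persistence (empty if none)."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # binary/XML detection failed or the XML is malformed
        return [f"unparseable plist: {exc}"]
    args = plist.get("ProgramArguments") or []
    if not isinstance(args, list):
        args = [args]
    if plist.get("Program"):          # launchd also accepts a bare Program key
        args = [plist["Program"]] + list(args)
    args = [str(a) for a in args]
    reasons = []
    if args and INTERPRETER.search(args[0]):
        reasons.append(f"runs interpreter {args[0]}")
        for script in (a for a in args[1:] if a.endswith(".py")):
            if script.startswith(WRITABLE_PREFIXES):
                reasons.append(f"script in user-writable path: {script}")
        if plist.get("RunAtLoad"):
            reasons.append("RunAtLoad is set (executes at every login)")
    return reasons


def scan_launch_agents(dirs=None) -> dict:
    """Scan the per-user and system LaunchAgents folders; returns {path: reasons} for flagged plists."""
    dirs = dirs or [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]
    findings = {}
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            reasons = assess_launch_agent(p.read_bytes())
            if reasons:
                findings[str(p)] = reasons
    return findings


# Constructed samples for demonstration, not artefacts from the campaign.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/usr/bin/python3</string>
<string>/Users/alice/Library/Application Support/.upd/stage2.py</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.calendar</string>
<key>ProgramArguments</key><array><string>/usr/bin/open</string><string>-a</string>
<string>Calendar</string></array><key>RunAtLoad</key><true/></dict></plist>"""

if __name__ == "__main__":
    print(assess_launch_agent(SUSPICIOUS_PLIST))
    print(assess_launch_agent(BENIGN_PLIST))
```

Running `scan_launch_agents()` on a real Mac walks both LaunchAgents folders; treat hits as leads to review, since legitimate tooling can also schedule Python scripts.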
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also writes regularly for Craw Security.