Goblin Stargazer Creates 3,000 False GitHub Accounts to Spread Malware

A threat actor known as Stargazer Goblin has established a network of fake GitHub accounts to run a Distribution-as-a-Service (DaaS) that spreads various types of information-stealing malware, accumulating $100,000 in illegal profits in the last year.

The network consists of over 3,000 accounts on GitHub and contains thousands of repositories that are utilized to share malicious software or links, as per Check Point, which has named it “Stargazers Ghost Network.”

Several malware families distributed through this network include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. The fake accounts also engage in activities such as starring, forking, watching, and subscribing to malicious repositories to give them a facade of authenticity.

The network has been active since August 2022 in some form, but the advertisement for the DaaS only surfaced in early July 2023. Security researcher Antonis Terefos elaborated on the operations of the network in an analysis published recently.

Various types of GitHub accounts are responsible for different aspects of the scheme to make the infrastructure more resilient to takedown attempts by GitHub when flagged for malicious content on the platform.

These accounts include those that host phishing repository templates, provide images for phishing templates, and push malware to repositories disguised as cracked software and game cheats in password-protected archives.

If the malware-pushing accounts are detected and banned by GitHub, Stargazer Goblin updates the phishing repository hosted by the template account with a new link to an active malicious release, ensuring minimal disruption to their operations.

In addition to liking new releases from multiple repositories and making changes to README.md files to alter download links, there is evidence to suggest that some accounts in the network have been compromised previously, likely through stealer malware.

Terefos explains that while Repository and Stargazer accounts typically remain unaffected by bans, Commit and Release accounts are usually banned once their malicious activities are detected.

A campaign discovered by Check Point involves a malicious link to a GitHub repository that leads to a PHP script on a WordPress site, delivering an HTML Application (HTA) file to execute Atlantida Stealer through a PowerShell script.
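The Atlantida Stealer chain described above ends with an HTML Application launching PowerShell. On Windows, HTA files are executed by mshta.exe, so a PowerShell process whose ancestry includes mshta.exe is a practical detection point for a defender. The following is an added example, not code from Check Point or the article, that walks a set of constructed process-creation events (Sysmon Event ID 1 style, flattened to one JSON object per line; all PIDs, paths and command lines are made up) and flags PowerShell processes descended from mshta.exe, allowing an intermediate cmd.exe hop:

```python
"""Flag PowerShell processes that descend from mshta.exe (HTA launcher).

Added example. The log below is constructed for illustration; field names
follow a flattened Sysmon Event ID 1 layout (pid, ppid, image, cmdline).
"""
import json
from typing import Dict, List

# Constructed sample events. Two malicious chains are present:
#   firefox.exe -> mshta.exe -> powershell.exe            (pid 4230)
#   mshta.exe -> cmd.exe -> powershell.exe                (pid 5021)
# and one benign PowerShell launch from explorer.exe      (pid 5010).
SAMPLE_LOG = r"""
{"pid": 4100, "ppid": 900,  "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "cmdline": "firefox.exe"}
{"pid": 4212, "ppid": 4100, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe C:\\Users\\u\\Downloads\\setup.hta"}
{"pid": 4230, "ppid": 4212, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -w hidden -ep bypass -File C:\\Users\\u\\AppData\\Local\\Temp\\run.ps1"}
{"pid": 5001, "ppid": 900,  "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 5010, "ppid": 5001, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"}
{"pid": 5020, "ppid": 4212, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c powershell -nop -File C:\\Users\\u\\AppData\\Local\\Temp\\stage.ps1"}
{"pid": 5021, "ppid": 5020, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -nop -File C:\\Users\\u\\AppData\\Local\\Temp\\stage.ps1"}
"""

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")  # processes we care about
LAUNCHER = "mshta.exe"                          # HTA host process
MAX_DEPTH = 3  # how many parents to walk; tolerates cmd.exe in between


def parse_events(raw: str) -> Dict[int, dict]:
    """Parse one JSON event per line into a pid -> event map."""
    events: Dict[int, dict] = {}
    for line in raw.strip().splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            events[ev["pid"]] = ev
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hta_powershell_chains(events: Dict[int, dict]) -> List[dict]:
    """Return one alert per PowerShell process with mshta.exe as an ancestor.

    Each alert records the PowerShell pid, the image-name chain from the
    launcher down to PowerShell, and both command lines for triage.
    """
    alerts: List[dict] = []
    for ev in events.values():
        if basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        chain = [ev]
        cur = ev
        for _ in range(MAX_DEPTH):
            parent = events.get(cur["ppid"])
            if parent is None:  # parent not in the log window
                break
            chain.append(parent)
            if basename(parent["image"]) == LAUNCHER:
                alerts.append({
                    "pid": ev["pid"],
                    "chain": " -> ".join(basename(p["image"]) for p in reversed(chain)),
                    "hta_cmdline": parent["cmdline"],
                    "ps_cmdline": ev["cmdline"],
                })
                break
            cur = parent
    return alerts


if __name__ == "__main__":
    for alert in find_hta_powershell_chains(parse_events(SAMPLE_LOG)):
        print(f"[ALERT] pid={alert['pid']} {alert['chain']}")
        print(f"        hta: {alert['hta_cmdline']}")
        print(f"        ps : {alert['ps_cmdline']}")
```

The walk is bounded by MAX_DEPTH so that a legitimate PowerShell launched far down an unrelated tree is not swept in, and the benign explorer.exe launch in the sample is correctly ignored. In production the same logic would run over Sysmon or EDR telemetry, with the mshta.exe command line (which names the .hta file) preserved in the alert for analysts.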

Other malware families distributed through this DaaS are Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro. The GitHub accounts are part of a larger DaaS solution that utilizes ghost accounts on various platforms such as Discord, Facebook, Instagram, and YouTube.

“Stargazer Goblin has created a highly sophisticated malware distribution operation that bypasses detection by leveraging GitHub as a legitimate platform. They have designed their Ghost Network to minimize damage when GitHub interferes with their operations,” Terefos stated.

“By utilizing multiple accounts for different activities like starring, hosting repositories, committing phishing templates, and deploying malicious releases, the Stargazers Ghost Network can mitigate losses by disrupting only one part of the operation at a time.”

Meanwhile, unidentified threat actors are targeting GitHub repositories, wiping their contents, and extorting victims to contact a user named Gitloker on Telegram as part of a new extortion scheme ongoing since February 2024.

Developers are being targeted with phishing emails from “notifications@github.com,” tricking them into clicking fake links to job opportunities at GitHub. They are then instructed to authorize an OAuth app that deletes all of their repositories and demands a ransom for restoring access.

Truffle Security has issued an advisory regarding a Cross Fork Object Reference (CFOR) vulnerability that allows access to sensitive data in deleted forks, repositories, and private repositories on GitHub.

Leon explains that the CFOR vulnerability enables one fork to access data from another fork, including private and deleted forks. This unintentional access is a result of GitHub’s design decisions, as outlined in the company’s documentation.

“The average user assumes that private repositories are secure boundaries and that data in them cannot be accessed by the public. Unfortunately, this is not always the case, and data is not permanently deleted when a repository is deleted,” Leon highlighted.
