
3,000 Fake GitHub Accounts Used to Spread Malware in Stargazers Ghost Scheme


Check Point Research (CPR) has documented a network of GitHub accounts it calls "Stargazers Ghost" that uses GitHub, the world's largest source-code host, to distribute malware. The network operates a large number of seemingly authentic accounts that lend malicious repositories an appearance of legitimacy, posing a significant threat to unsuspecting users.

The network's modus operandi is to create fake accounts that mimic legitimate users, publish repositories, and have those accounts fork, star and watch (subscribe to) each other's projects in order to project legitimacy and lure users into downloading malicious content. The repositories carry download links that, when followed, lead to the inadvertent installation of malware on the victim's device.

Because the network keeps evolving, the exact number of accounts is uncertain, but recent estimates put it at more than 3,000 Ghost accounts. The operation is automated: the same tags and images are reused across repositories and platforms aimed at different target audiences, which keeps it efficient and easy to scale.

CPR's report also describes three distinct roles that Ghost accounts play: one hosts the phishing repository template, one supplies the images it uses, and one serves the malware as a password-protected archive. Splitting the work this way departs from traditional malware distribution: the links in the malicious repository appear to be endorsed and vouched for by several independent GitHub accounts, which makes them far more credible to a casual visitor.
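The signals described above (stars, forks and watches from throwaway accounts; a README that hands out a download link and an archive password; releases that consist only of archives) can be checked mechanically. The script below is an added example, not code from Check Point's report or from GitHub; it scores a repository snapshot against those signals. The data is constructed inline in the shape of GitHub REST API fields (account creation date, follower and repository counts, star timestamps, release asset names), the repository and account names are invented, and the weights and thresholds are illustrative assumptions rather than anything the report prescribes.

```python
# Heuristic triage of a GitHub repository for Stargazers-Ghost-style signals.
# Added example, not from Check Point's report or any GitHub tooling. It runs on a
# constructed in-memory snapshot shaped like GitHub REST API fields (account
# created_at/followers/public_repos, star timestamps, release asset names); the
# API calls that would fetch such a snapshot are left out so it runs offline.
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Stargazer:
    login: str
    created_at: datetime   # account creation time
    followers: int
    public_repos: int
    starred_at: datetime   # when this account starred the repository

@dataclass
class Repo:
    full_name: str
    readme: str
    stargazers: list[Stargazer]
    release_assets: list[str] = field(default_factory=list)  # file names attached to releases

# Archive file name, and a README line handing out the archive password
# (the network ships its malware in password-protected archives).
ARCHIVE_RE = re.compile(r"\.(?:zip|rar|7z)\b", re.I)
PASSWORD_RE = re.compile(r"\b(?:password|pass|pw)\s*[:=]\s*\S+", re.I)

def max_stars_in_window(times, window=timedelta(hours=24)):
    """Most stars landing inside any single window (sliding window over sorted times)."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best

def triage(repo, now):
    """Score a repository; higher is more Ghost-like. Weights and thresholds are assumptions."""
    gazers = repo.stargazers
    # Ghost accounts are typically young, followerless and have little or no code of their own.
    young_empty = [g for g in gazers
                   if now - g.created_at < timedelta(days=90) and g.followers == 0 and g.public_repos <= 1]
    signals = {
        "young_empty_ratio": round(len(young_empty) / len(gazers), 2) if gazers else 0.0,
        "max_stars_24h": max_stars_in_window([g.starred_at for g in gazers]),
        "readme_password_hint": bool(PASSWORD_RE.search(repo.readme)),
        "readme_mentions_archive": bool(ARCHIVE_RE.search(repo.readme)),
        "archive_only_releases": bool(repo.release_assets)
                                 and all(ARCHIVE_RE.search(a) for a in repo.release_assets),
    }
    score = 0
    if signals["young_empty_ratio"] >= 0.5:
        score += 3   # half or more of the stars come from throwaway accounts
    if signals["max_stars_24h"] >= 20:
        score += 2   # coordinated starring burst
    # bools add as 0/1: password hint weighs 2, the two archive signals weigh 1 each
    score += 2 * signals["readme_password_hint"] + signals["readme_mentions_archive"] \
        + signals["archive_only_releases"]
    verdict = "suspicious" if score >= 4 else "no strong signal"
    return {"repo": repo.full_name, "score": score, "verdict": verdict, "signals": signals}

# ---- constructed sample data (invented names; not real repositories or accounts) ----
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)

GHOST_REPO = Repo(
    full_name="ghost-dev/yt-unlock",
    readme=("# Free YouTube Premium Unlocker\n\n"
            "Download: https://github.com/ghost-dev/yt-unlock/releases/download/v1.0/Setup.zip\n\n"
            "Password: 1234\n"),
    # 40 accounts created in the last month, all starring within a two-hour burst
    stargazers=[Stargazer(f"ghost{i:03d}", NOW - timedelta(days=5 + i % 25), 0, 0,
                          NOW - timedelta(hours=3, minutes=3 * i)) for i in range(40)],
    release_assets=["Setup.zip"],
)

BENIGN_REPO = Repo(
    full_name="example-org/argon-cli",
    readme="# argon-cli\n\nA small CLI for password hashing. Install with `pip install argon-cli`.\n",
    # 40 established accounts starring at a steady trickle over several months
    stargazers=[Stargazer(f"dev{i:03d}", NOW - timedelta(days=400 + 37 * i), 3 + i, 2 + i % 7,
                          NOW - timedelta(days=2 * i + 1)) for i in range(40)],
    release_assets=["argon_cli-1.2.0.tar.gz", "argon_cli-1.2.0-py3-none-any.whl"],
)

if __name__ == "__main__":
    for repo in (GHOST_REPO, BENIGN_REPO):
        print(triage(repo, NOW))
```

The point of scoring several weak signals together is that none of them is damning on its own: a legitimate project can get a burst of stars from a conference talk, and plenty of honest READMEs mention a zip file. What a Ghost repository exhibits is the combination, and in particular the stargazer profile, which an attacker cannot fake without paying for aged accounts. In a real deployment the snapshot would come from the stargazers endpoint requested with the star media type (to obtain `starred_at`) plus one user lookup per account, so the account-age check is the expensive part and worth caching.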

In a January 2024 campaign, CPR identified more than 2,200 malicious repositories tied to the Ghost activity, including ones distributing the Atlantida stealer. That then-new malware family targets user credentials and cryptocurrency wallets and produced more than 1,300 recorded infections in just four days. Other malware spread through the network includes Rhadamanthys, RisePro, Lumma Stealer and RedLine.

The network mainly targets people active on social media, gaming platforms and cryptocurrency communities, with consequences ranging from ransomware infection to credential theft and compromised wallets. The current focus is on Windows users, but the same tactics could be turned against Linux or Android users in the future.

Since its suspected start in August 2022, the scheme has earned more than $100,000 using over 3,000 Ghost accounts on GitHub, including a further $8,000 between mid-May and mid-June 2024. The operator behind it, known as Stargazer Goblin, came to CPR's attention through an advertisement on dark-web forums that listed prices for specific actions the network would perform.

Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Research, emphasized the importance of vigilance when interacting with unfamiliar repositories and links on GitHub. He stressed the need to research developers and projects thoroughly before engaging with any content, and advised against clicking on suspicious links unless entirely confident of their legitimacy.

The "Stargazers Ghost" network is a sophisticated, orchestrated effort to abuse GitHub's trust signals for malware distribution, and it underscores that stars, forks and watchers are weak evidence of a project's legitimacy. Stay informed, stay cautious, and prioritize cybersecurity precautions to mitigate the risks of malicious activity online.
