CyberSecurity news
FlagThis
securebulletin.com@Secure Bulletin
//
Sophos has revealed a significant malware campaign operating on GitHub, targeting a diverse audience, including hackers, gamers, and cybersecurity researchers. The threat actor, identified by the alias "ischhfd83," has cleverly disguised malicious code within seemingly legitimate repositories, some appearing as malware development tools and others as gaming cheats. This deceptive approach aimed to infect users with infostealers and Remote Access Trojans (RATs) like AsyncRAT and Remcos. Upon investigation, Sophos uncovered a network of 133 backdoored repositories linked to the same threat actor, indicating a widespread and coordinated effort to compromise unsuspecting individuals.
The campaign employed sophisticated techniques to enhance its credibility and evade detection. The threat actor used multiple accounts and contributors, alongside automated commits to mimic active development. Victims who compiled the code in these repositories inadvertently triggered a multi-stage infection chain. This chain involved VBS scripts, PowerShell downloads, and obfuscated Electron apps, all designed to stealthily deploy malicious payloads. By masquerading as valuable resources, such as hacking tools or game enhancements, the threat actor successfully lured users into downloading and executing the backdoored code, showcasing the campaign's deceptive effectiveness.
Sophos reported the malicious repositories to GitHub, leading to the takedown of most affected pages and related malicious pastes. However, the incident highlights the importance of vigilance when downloading and running code from unverified sources. Cybersecurity experts recommend users carefully inspect code for obfuscated strings, unusual domain calls, and suspicious behavior before execution. Employing online scanners and analysis tools, as well as running untested code in isolated environments, can further mitigate the risk of infection. The discovery also underscores the growing trend of cybercriminals targeting each other, further complicating the threat landscape.
References :
The campaign employed sophisticated techniques to enhance its credibility and evade detection. The threat actor used multiple accounts and contributors, alongside automated commits to mimic active development. Victims who compiled the code in these repositories inadvertently triggered a multi-stage infection chain. This chain involved VBS scripts, PowerShell downloads, and obfuscated Electron apps, all designed to stealthily deploy malicious payloads. By masquerading as valuable resources, such as hacking tools or game enhancements, the threat actor successfully lured users into downloading and executing the backdoored code, showcasing the campaign's deceptive effectiveness.
Sophos reported the malicious repositories to GitHub, leading to the takedown of most affected pages and related malicious pastes. However, the incident highlights the importance of vigilance when downloading and running code from unverified sources. Cybersecurity experts recommend users carefully inspect code for obfuscated strings, unusual domain calls, and suspicious behavior before execution. Employing online scanners and analysis tools, as well as running untested code in isolated environments, can further mitigate the risk of infection. The discovery also underscores the growing trend of cybercriminals targeting each other, further complicating the threat landscape.
Share:
References :
- Secure Bulletin: Sophos exposes massive GitHub campaign distributing backdoored malware
- securebulletin.com: Sophos exposes massive GitHub campaign distributing backdoored malware
- Sophos X-Ops: We’ve previously looked into the niche world of threat actors targeting each other, so we investigated further, and found 133 backdoored repos, most linked to the same threat actor via an email address. Some repos claimed to be malware, others gaming cheats. The threat actor appears to have gone to some lengths to make their backdoored repos seem legitimate – including multiple accounts and contributors, and automated commits.
- Sophos X-Ops: To avoid falling victim to these kinds of attacks, be wary of downloading/running code from unverified/untrusted repos, and where possible inspect code for anything unusual.
- Sophos X-Ops: When we analyzed the backdoors, we ended up down a rabbithole of multiple variants, obfuscation, convoluted infection chains, and identifiers. The upshot is that a threat actor seems to be creating backdoored repos at scale, and may have been doing so for some time.
- The Register - Security: More than a hundred backdoored malware repos traced to single GitHub user. Someone went to great lengths to prey on the next generation of cybercrooks
- Sophos News: A simple customer query leads to a rabbit hole of backdoored malware and game cheats
- gbhackers.com: Hundreds of Malicious GitHub Repos Targeting Novice Cybercriminals Traced to Single User
- gbhackers.com: Hundreds of Malicious GitHub Repos Targeting Novice Cybercriminals Traced to Single User