Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail


A comprehensive cyber campaign has been detected, exploiting reputable services like GitHub and FileZilla to distribute a range of malware including Atomic (also known as AMOS), Vidar, Lumma (aka LummaC2), and Octo. This operation involves masquerading as trusted software such as 1Password, Bartender 5, and Pixelmator Pro.

Recorded Future’s Insikt Group, which is monitoring this activity under the name GitCaught, noted the presence of multiple malware variations, indicating a broad cross-platform targeting approach. Additionally, the campaign leverages a centralized command structure, enhancing its efficiency.

The misuse of genuine internet services for orchestrating cyber attacks, coupled with the deployment of diverse malware targeting Android, macOS, and Windows, underscores the sophistication of this operation.

The attack methodology involves creating fraudulent profiles and repositories on GitHub, housing counterfeit versions of popular software to extract sensitive data from compromised devices. Malicious file links are embedded within multiple domains, typically distributed via malvertising and SEO poisoning schemes.

The perpetrators, suspected to be Russian-speaking threat actors from the Commonwealth of Independent States (CIS), have also utilized FileZilla servers for malware distribution and management.

Further investigation into GitHub disk image files and associated infrastructure has revealed a larger campaign delivering RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, DanaBot, and DarkComet RAT since at least August 2023.

Of particular note is the Rhadamanthys infection pathway, redirecting victims from fake application websites to payloads hosted on Bitbucket and Dropbox, indicating a broader misuse of legitimate services.

Meanwhile, the Microsoft Threat Intelligence team warns of the persistent threat posed by the macOS backdoor, Activator. Distributed via disk image files impersonating cracked legitimate software, Activator steals data from Exodus and Bitcoin-Qt wallet applications. It bypasses macOS Gatekeeper, disables Notification Center, and launches malicious Python scripts from multiple command-and-control (C2) domains, ensuring persistence by adding these scripts to the LaunchAgents folder.
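The LaunchAgents persistence described above is something a defender can review for directly. The following is an added example, not code from the article or from the Microsoft or Insikt Group research; it turns the described behaviour (a LaunchAgents entry that runs a Python script which reaches out to C2 domains) into a review heuristic, using two constructed plists whose paths and domains are placeholders.

```python
"""Triage LaunchAgents plists for the persistence pattern the article describes.

Added example, not from the article or the research it cites. Flags agents that
launch a Python interpreter, reference a remote URL or hidden path, and relaunch
persistently. Both sample plists are constructed; paths and domains are placeholders.
"""
import plistlib
import re
from pathlib import Path

PYTHON_RE = re.compile(r"(^|/)python(\d(\.\d+)?)?$")  # argv[0] is an interpreter
URL_RE = re.compile(r"https?://", re.IGNORECASE)      # remote endpoint on the command line
HIDDEN_RE = re.compile(r"(^|/)\.[^./]")               # dot-directory or dot-file in a path

def triage_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchAgent plist merits review (empty if none)."""
    data = plistlib.loads(plist_bytes)
    argv = [str(a) for a in data.get("ProgramArguments", [])]
    if "Program" in data:  # launchd may name the executable separately from argv
        argv.insert(0, str(data["Program"]))
    reasons = []
    if argv and PYTHON_RE.search(argv[0]):
        reasons.append("runs a Python interpreter directly")
    if any(URL_RE.search(a) for a in argv):
        reasons.append("command line references a remote URL")
    if any(HIDDEN_RE.search(a) for a in argv):
        reasons.append("references a hidden path")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (started at login, restarted if killed)")
    return reasons

def scan_directory(directory: str) -> dict[str, list[str]]:
    """Triage every .plist in a LaunchAgents folder, keyed by file name."""
    return {p.name: triage_launch_agent(p.read_bytes())
            for p in Path(directory).glob("*.plist")}

# Constructed samples: a routine agent, and one shaped like the described persistence.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
<key>StartInterval</key><integer>3600</integer></dict></plist>"""
SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.placeholder.update</string>
<key>ProgramArguments</key><array><string>/usr/bin/python3</string>
<string>/Users/Shared/.cache/run.py</string><string>https://c2.placeholder.invalid/</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage_launch_agent(blob) or ["nothing flagged"])
```

Run `scan_directory("~/Library/LaunchAgents")` (after expanding the path) on a live host to apply the same checks to every installed agent; the heuristics are a review aid, not a verdict.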

This campaign highlights the evolving nature of cyber threats and the critical importance of robust cybersecurity measures to counteract them. It underscores the need for vigilance and advanced security protocols to defend against such sophisticated attacks.

Source: thehackernews.com