A new threat actor, dubbed Stargazer Goblin, has orchestrated a sophisticated malware distribution network by creating over 3,000 fake GitHub accounts. This operation, referred to as the “Stargazers Ghost Network,” has effectively used GitHub’s platform to spread various information-stealing malware, generating an estimated $100,000 in illicit profits over the past year.
The Scale and Methodology of the Attack
The Stargazers Ghost Network spans thousands of repositories on GitHub. These repositories are used to disseminate malicious links and malware. Some of the malware families identified in this campaign include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. To enhance the perceived legitimacy of these malicious repositories, the fake accounts engage in activities such as starring, forking, watching, and subscribing to these repositories.
Security researcher Antonis Terefos from Check Point highlighted that these activities are part of a broader strategy to disguise the malicious intent of the accounts. “Threat actors now operate a network of ‘Ghost’ accounts that distribute malware via malicious links on their repositories and encrypted archives as releases,” Terefos explained. This network also engages in activities that make these ‘Ghost’ accounts appear as normal users, lending fake legitimacy to their actions and the associated repositories.
Diverse Account Roles for Resilience
The network employs different categories of GitHub accounts, each with distinct roles to make their infrastructure more resilient to takedown efforts. These roles include:
- Phishing Repository Template Accounts: These accounts host the phishing templates.
- Image Provision Accounts: These accounts provide images for the phishing templates.
- Malware Distribution Accounts: These accounts push malware to the repositories in the form of password-protected archives, often disguised as cracked software or game cheats.
When GitHub detects and bans any of these accounts, Stargazer Goblin swiftly updates the phishing repository with a new link, ensuring the continuity of their operations with minimal disruption. Furthermore, some accounts involved in the network have been compromised, with credentials likely obtained through stealer malware.
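An added illustration, not code from the article or from Check Point's research, of the defender-side check this behaviour suggests: scoring a repository's stargazers for throwaway-account signals (young account, no public repositories, no followers, almost nothing else starred) and looking for bursts of stars that land within a short window. The record layout, the thresholds and the sample accounts are assumptions constructed for the example; the field names mirror the GitHub user object but the data is invented.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Assumption: a stargazer record carrying the GitHub user fields created_at,
# public_repos and followers, plus the time the star was given and the total
# number of repositories the account has starred.
@dataclass
class Stargazer:
    login: str
    created_at: datetime
    public_repos: int
    followers: int
    total_starred: int
    starred_at: datetime


def ghost_score(user: Stargazer, now: datetime, young_days: int = 90) -> int:
    """Assumed heuristic: one point per signal typical of a throwaway account.
    The thresholds are illustrative choices, not values from the research."""
    score = 0
    if now - user.created_at < timedelta(days=young_days):
        score += 1  # account created recently
    if user.public_repos == 0:
        score += 1  # has never published code
    if user.followers == 0:
        score += 1  # nobody follows it
    if user.total_starred <= 3:
        score += 1  # stars almost nothing besides the repositories of interest
    return score


def max_stars_in_window(star_times, window: timedelta = timedelta(hours=1)) -> int:
    """Largest number of stars that landed inside any single window
    (sliding-window count over the sorted timestamps)."""
    times = sorted(star_times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def assess_stargazers(stargazers, now: datetime, threshold: int = 3) -> dict:
    """Flag accounts at or above the ghost-score threshold and report the
    share of flagged stargazers and the tightest star burst seen."""
    flagged = [u.login for u in stargazers if ghost_score(u, now) >= threshold]
    ratio = len(flagged) / len(stargazers) if stargazers else 0.0
    burst = max_stars_in_window([u.starred_at for u in stargazers])
    return {"flagged": flagged, "ghost_ratio": ratio, "max_stars_per_hour": burst}


# Constructed sample data (not real accounts): two established users and
# three throwaway accounts that starred the repository within ten minutes.
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)
SAMPLE = [
    Stargazer("dev_alice", datetime(2018, 3, 2, tzinfo=timezone.utc), 14, 52, 120,
              datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)),
    Stargazer("dev_bob", datetime(2020, 11, 9, tzinfo=timezone.utc), 6, 9, 35,
              datetime(2024, 1, 10, 17, 30, tzinfo=timezone.utc)),
    Stargazer("ghost_a", datetime(2024, 6, 15, tzinfo=timezone.utc), 0, 0, 1,
              datetime(2024, 6, 20, 12, 0, tzinfo=timezone.utc)),
    Stargazer("ghost_b", datetime(2024, 6, 16, tzinfo=timezone.utc), 0, 0, 2,
              datetime(2024, 6, 20, 12, 4, tzinfo=timezone.utc)),
    Stargazer("ghost_c", datetime(2024, 6, 17, tzinfo=timezone.utc), 0, 0, 1,
              datetime(2024, 6, 20, 12, 9, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print(assess_stargazers(SAMPLE, NOW))
```

On the sample the three ghost accounts score 4 each, giving a flagged share of 0.6 and a burst of three stars inside one hour; an established repository accumulates stars over months from accounts with their own history. Neither signal proves anything on its own, so the point is to combine them with what the repository actually offers (password-protected release archives advertised as cracked software or cheats) before acting on it.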
Malicious Campaigns and Broader DaaS Operations
One notable campaign identified by Check Point involves a malicious link to a GitHub repository. This repository points to a PHP script hosted on a WordPress site, which delivers an HTML Application (HTA) file. This file ultimately executes Atlantida Stealer via a PowerShell script. Other malware families propagated through this Distribution-as-a-Service (DaaS) operation include Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro.
Check Point’s analysis also revealed that the GitHub accounts are part of a larger DaaS solution that operates similar ghost accounts on other platforms such as Discord, Facebook, Instagram, X (formerly Twitter), and YouTube.
Resilience Against Detection
The sophistication of Stargazer Goblin’s operation lies in its ability to avoid detection. By leveraging GitHub—a reputable platform—these malicious activities raise fewer suspicions. The network’s use of multiple accounts and profiles for different activities, from starring repositories to hosting phishing templates and malicious releases, allows them to minimize losses when GitHub intervenes. Typically, only one part of the operation is disrupted, rather than all involved accounts.
Ongoing Extortion and Vulnerability Exploits
This development coincides with a new extortion operation targeting GitHub repositories, active since February 2024. Unknown threat actors are wiping repository contents and demanding that victims contact a user named Gitloker on Telegram, and pay, to restore access.
This social engineering attack targets developers with phishing emails from “notifications@github.com,” tricking them into authorizing a new OAuth app that erases their repositories. This highlights the ongoing vulnerabilities within the platform.
Cross Fork Object Reference Vulnerability
In addition, an advisory from Truffle Security has drawn attention to a potential vulnerability in GitHub known as Cross Fork Object Reference (CFOR). This vulnerability allows access to sensitive data from deleted forks, deleted repositories, and even private repositories on GitHub.
Joe Leon from Truffle Security explained, “A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks).” This means that commits to any repository in a fork network can be accessed from any repository in the same network, potentially exposing sensitive data even after a repository is deleted.
Conclusion
Stargazer Goblin’s operation underscores the challenges faced by platforms like GitHub in combating sophisticated malware distribution networks. The ability of these threat actors to adapt and maintain their operations despite takedown efforts highlights the need for continuous vigilance and enhanced security measures. Developers and organizations must remain aware of these threats and take proactive steps to secure their repositories and sensitive data.