Threat Actors Abuse GitHub to Distribute Multiple Information Stealers

May 15, 2024 at 11:21AM

Recorded Future warned of a malicious campaign leveraging a genuine GitHub profile to distribute malware such as Atomic macOS Stealer, Vidar, and Octo. Russian-speaking threat actors operating in the Commonwealth of Independent States were implicated. The campaign used a singular command-and-control infrastructure and impersonated legitimate applications. Organizations were urged to employ automated code scanning tools for external repositories.

The threat intelligence firm Recorded Future raised an alarm over a malicious campaign that abused a legitimate GitHub profile to distribute information-stealing malware. Russian-speaking threat actors from the Commonwealth of Independent States (CIS) have been distributing several malware families, including Atomic macOS Stealer (AMOS), Vidar, Lumma, and Octo, by impersonating legitimate applications.

The campaign used a centralized command-and-control (C&C) infrastructure and targeted multiple platforms, including macOS, Android, and Windows. Recorded Future identified 12 websites advertising legitimate macOS software that instead redirected victims to the GitHub profile distributing the AMOS malware. The GitHub profile was created by the user ‘papinyurii33’, who was associated with the distribution of various malware.

Recorded Future also found that a FileZilla FTP server was used for malware management and for distributing the Lumma and Vidar information stealers. Additionally, the firm uncovered several IP addresses associated with the campaign, including ones linked to the DarkComet RAT and to the FileZilla FTP server used for distribution.

Based on reports from multiple sources, including Cyfirma, CERT-UA, Cyble, and Malwarebytes, Recorded Future concluded that the attacks were orchestrated by the same threat actor as part of a large-scale campaign. The firm recommends that organizations use automated code scanning tools to identify potential malware or suspicious patterns in externally obtained code.

These findings underline the seriousness of the threat and the importance of organizations taking proactive measures, such as scanning third-party code before use, to protect themselves from such campaigns.