July 24, 2024 at 06:01PM
Stargazer Goblin operates a malware Distribution-as-a-Service on GitHub through a network named Stargazers Ghost Network. The group utilizes fake accounts and compromised sites to distribute password-protected archives containing malware, leading to successful phishing attacks. The operation has generated over $100,000 and continues despite the takedown of some repositories. Users visiting GitHub are advised to exercise caution with file downloads.
The key takeaways from the report are as follows:
– Threat actors known as ‘Stargazer Goblin’ have created a malware Distribution-as-a-Service (DaaS) from over 3,000 fake accounts on GitHub to push information-stealing malware. This operation has been actively promoted on the dark web since June 2023, but evidence suggests it has been active since August 2022.
– The malware delivery service, named Stargazers Ghost Network, utilizes GitHub repositories along with compromised WordPress sites to distribute password-protected archives containing malware. The malware includes infostealers such as RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer.
– ‘Stargazer Goblin’ established a system where they create hundreds of repositories using three thousand fake ‘ghost’ accounts to appear legitimate. The ‘ghost’ accounts are assigned distinct roles to serve phishing templates, phishing images, and the malware itself, giving the scheme a certain level of operational resilience.
– Despite GitHub’s actions to take down malicious repositories, over 200 are currently active and continue to distribute malware. It is advised that users arriving on GitHub repositories through various channels such as malvertising, Google Search results, YouTube videos, Telegram, or social media should be cautious with file downloads and URLs they click.
– Users are advised to be especially cautious with password-protected archives, which cannot be scanned by antivirus software. It is suggested to extract such files on a virtual machine and scan the contents with antivirus software or use VirusTotal, which can prompt for the password of a protected archive to scan its contents.
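As an added example (not code from the report or from any project it describes), the script below shows the triage step a defender can take before touching a downloaded archive: it reads only the ZIP central directory, which needs no password, and reports whether members are encrypted and whether any member name looks executable. The list of risky extensions, the member names and the in-memory sample archive are constructed assumptions for illustration; Python's zipfile module cannot write encrypted members, so the sample sets the encryption flag by hand in both the local header and the central-directory entry.

```python
"""Triage a ZIP archive without extracting it.

Added example for this page, not the report's or any project's own code.
RISKY_EXTENSIONS and the sample archive are assumptions made for illustration.
"""
import io
import posixpath
import struct
import zipfile

# Assumed set of member extensions that deserve a closer look inside a
# password-protected archive, since AV cannot inspect encrypted members.
RISKY_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".dll", ".msi", ".ps1"}

ENCRYPTED_FLAG = 0x0001  # general-purpose flag bit 0: member data is encrypted


def triage_zip(data: bytes) -> dict:
    """Parse only the central directory (no extraction, no password needed) and
    summarise what a defender wants to know before handling the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = []
        for info in zf.infolist():
            ext = posixpath.splitext(info.filename.lower())[1]
            members.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & ENCRYPTED_FLAG),
                "risky": ext in RISKY_EXTENSIONS,
                "compressed_size": info.compress_size,
                "uncompressed_size": info.file_size,
            })
    encrypted = any(m["encrypted"] for m in members)
    risky = sorted(m["name"] for m in members if m["risky"])
    return {
        "member_count": len(members),
        "encrypted": encrypted,
        "risky_members": risky,
        # Encrypted members plus an executable-looking name: do not open on a
        # workstation; extract in an isolated VM or submit to VirusTotal first.
        "needs_sandbox": encrypted and bool(risky),
        "members": members,
    }


def build_sample_archive() -> bytes:
    """Construct a small ZIP in memory (sample data, not a real malicious file)
    and mark one member as encrypted by setting flag bit 0 in its local header
    and its central-directory entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "Password is in the video description\n")
        zf.writestr("Setup/installer.exe", b"MZ" + b"\x00" * 64)  # placeholder bytes
    data = bytearray(buf.getvalue())

    # End-of-central-directory record: central directory offset at +16.
    eocd = data.rfind(b"PK\x05\x06")
    pos = struct.unpack_from("<I", data, eocd + 16)[0]

    # Walk the central directory: 46-byte fixed header, then name/extra/comment.
    while data[pos:pos + 4] == b"PK\x01\x02":
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_offset = struct.unpack_from("<I", data, pos + 42)[0]
        name = bytes(data[pos + 46:pos + 46 + name_len]).decode()
        if name == "Setup/installer.exe":
            # Flags sit at +8 in the central entry and at +6 in the local header.
            for off in (pos + 8, local_offset + 6):
                flags = struct.unpack_from("<H", data, off)[0] | ENCRYPTED_FLAG
                struct.pack_into("<H", data, off, flags)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(data)


if __name__ == "__main__":
    report = triage_zip(build_sample_archive())
    print(f"members: {report['member_count']}, encrypted: {report['encrypted']}")
    print(f"risky members: {report['risky_members']}")
    print(f"needs sandbox: {report['needs_sandbox']}")
```

The check is deliberately read-only: the central directory of a ZIP is never encrypted, so member names, sizes and flags are visible even when the password is unknown, which is enough to decide that an archive belongs in a VM or VirusTotal rather than on a workstation. RAR and 7z archives use different container formats and would need their own parsers; 7z in particular can encrypt file names, in which case even this much is hidden.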
These takeaways emphasize the sophistication and extensive reach of the Stargazers Ghost Network operation and the importance of caution and proper security measures when interacting with GitHub repositories and downloading files.