Stargazers Ghost: Network of GitHub Accounts Used to Deliver Malware

by Esmeralda McKenzie

Cybersecurity researchers at Check Point have uncovered an elaborate network of GitHub accounts, dubbed the Stargazers Ghost Network, that has been distributing malware and phishing links since at least June 2023.

This network, operated by a threat actor tracked as Stargazer Goblin, represents a new and concerning trend in malware distribution on the popular code-hosting platform.

Traditional malware distribution methods, such as email attachments, have become heavily monitored. In response, threat actors have evolved their tactics.

The Stargazers Ghost Network represents a significant advancement in these tactics. It uses GitHub, the world’s largest open-source code-hosting platform, to distribute malware. The network employs “ghost” accounts that star, fork, and watch malicious repositories, creating the illusion of popularity and trustworthiness.

The network operates by creating repositories that host malicious links and encrypted archives. These repositories are then starred and forked by other ghost accounts, boosting their perceived legitimacy.

Figure: Stargazers accounts

The malicious links often lead to phishing templates or direct downloads of malware. During a campaign in January 2024, the network distributed Atlantida stealer, a malware designed to steal user credentials and cryptocurrency wallets.

The Stargazers Ghost Network comprises over 3,000 active accounts that engage in actions such as starring, forking, and subscribing to malicious repositories, reads the Check Point Research report.

These actions lend an air of legitimacy to the repositories, making them appear as credible projects to unsuspecting users. The network operates as a Distribution as a Service (DaaS), allowing threat actors to share and distribute malicious links and malware efficiently.
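As an added example (not code from Check Point or from this article), here is a defender-side heuristic for the star inflation described above: it takes stargazer metadata of the kind a platform API exposes and flags a repository whose stars come mostly from young, idle accounts that all starred within a tight burst. The Stargazer class, the thresholds and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Stargazer:
    login: str
    created_at: datetime   # account creation time
    starred_at: datetime   # time the account starred the repository
    public_repos: int
    followers: int

def is_low_activity(s: Stargazer) -> bool:
    # Ghost accounts exist only to star/fork/watch: no work of their own
    return s.public_repos <= 1 and s.followers == 0

def burst_fraction(stars, window=timedelta(hours=6)) -> float:
    """Largest share of stars that land inside any single window-long interval."""
    times = sorted(s.starred_at for s in stars)
    best, j = 0, 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best / len(times) if times else 0.0

def ghost_score(stars, threshold=0.7) -> dict:
    """Flag a repository whose stars mostly come from young, idle, bursty accounts."""
    n = len(stars)
    low = sum(is_low_activity(s) for s in stars) / n
    young = sum(s.starred_at - s.created_at < timedelta(days=30) for s in stars) / n
    burst = burst_fraction(stars)
    return {"low_activity": low, "young": young, "burst": burst,
            "suspicious": min(low, young, burst) >= threshold}

# Constructed sample: eight ghost accounts created days before the campaign,
# starring within two hours, plus two organic accounts that starred weeks apart.
T0 = datetime(2024, 1, 15, 9, 0)
GHOSTS = [Stargazer(f"ghost{i}", T0 - timedelta(days=3 + i),
                    T0 + timedelta(minutes=15 * i), 0, 0) for i in range(8)]
ORGANIC = [Stargazer("alice", datetime(2019, 5, 1), T0 - timedelta(days=40), 42, 120),
           Stargazer("bob", datetime(2021, 8, 9), T0 + timedelta(days=12), 7, 9)]

if __name__ == "__main__":
    print(ghost_score(GHOSTS + ORGANIC))  # suspicious: True
    print(ghost_score(ORGANIC))           # suspicious: False
```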

Figure: Stargazers network

The network’s operations date back to around August 2022, with a significant uptick in activity observed from mid-May to mid-June 2024. During this period, it is estimated that Stargazer Goblin earned roughly $8,000, though the total earnings over the network’s lifespan are believed to be around $100,000.

Stargazers Ghost tactics

  1. Manipulating GitHub Community Tools
  2. Creating Fake Repositories
  3. Automated Engagement
  4. Distribution as a Service (DaaS)
  5. Attacking Legitimate Repositories

Malware Families and Distribution Methods

The Stargazers Ghost Network has been used to distribute a variety of malware, including:

  1. Atlantida Stealer
  2. Rhadamanthys
  3. RisePro
  4. Lumma Stealer
  5. RedLine

These malware families are designed to steal user credentials, cryptocurrency wallets, and other personally identifiable information (PII). The network employs a variety of tactics to spread malware, including the use of malicious links in README.md files and password-protected archives in the Releases section of repositories.

The network’s sophistication lies in its ability to maintain the appearance of legitimacy while distributing malicious content. Accounts across the network perform different roles to ensure smooth operation and fast recovery from any disruptions caused by account bans or repository takedowns.

Figure: Stargazers attack chain

For example, one account may serve the phishing repository template, another provides images for the phishing template, and a third account handles the malware distribution through password-protected archives.

When a malware-serving account is banned, the network quickly updates the phishing repository with a new link to an active malicious release, minimizing operational downtime. This compartmentalized structure allows the network to adapt swiftly and continue its malicious activities with minimal losses.

The discovery of the Stargazers Ghost Network highlights the evolving tactics of threat actors increasingly leveraging legitimate platforms like GitHub for malicious purposes. This network not only poses a significant threat to individual users but also underscores the need for robust cybersecurity measures and vigilant monitoring of platforms used for software distribution.

As a platform, GitHub faces the challenge of balancing its ecosystem’s openness and collaborative nature with the need to protect users from malicious activity.

The Stargazers Ghost Network represents a new frontier in malware distribution, using sophisticated tactics to evade detection and maintain operational efficiency. As threat actors continue to innovate, both platform providers and users must remain vigilant and adopt proactive cybersecurity measures to mitigate the risks posed by such networks.

Source credit : cybersecuritynews.com