A "multi-faceted campaign" has been detected abusing legitimate platforms like GitHub and FileZilla to distribute various stealer malware and banking trojans, including Atomic (also known as AMOS), Vidar, Lumma (also known as LummaC2), and Octo. These are deployed by masquerading as reputable software such as 1Password, Bartender 5, and Pixelmator Pro.

"The presence of multiple malware variants indicates a broad cross-platform targeting strategy, while the shared C2 infrastructure suggests a centralized command setup, potentially enhancing the efficiency of the attacks," stated Recorded Future's Insikt Group in a report.

The cybersecurity firm, which tracks this activity under the name GitCaught, noted that the campaign underscores not only the misuse of legitimate internet services to orchestrate cyber attacks but also the reliance on multiple malware variants targeting Android, macOS, and Windows to boost the success rate.

The attack sequences involve creating fake profiles and repositories on GitHub that host counterfeit versions of popular software designed to steal sensitive data from compromised devices. Links to these malicious files are embedded within various domains, typically distributed via malvertising and SEO poisoning campaigns.

The threat actors behind this operation, believed to be Russian-speaking individuals from the Commonwealth of Independent States (CIS), have also been seen using FileZilla servers for malware management and delivery.

Further investigation of the disk image files on GitHub and the associated infrastructure has shown that the attacks are linked to a broader campaign aimed at delivering RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, DanaBot, and DarkComet RAT since at least August 2023.

The Rhadamanthys infection pathway is particularly notable, as victims who visit the fake application websites are redirected to payloads hosted on Bitbucket and Dropbox, indicating a wider abuse of legitimate services.

This development comes as the Microsoft Threat Intelligence team reported that the macOS backdoor, codenamed Activator, remains a "very active threat," spread via disk image files posing as cracked versions of legitimate software, stealing data from Exodus and Bitcoin-Qt wallet applications.

"It prompts the user to allow it to run with elevated privileges, disables the macOS Gatekeeper, and turns off the Notification Center," stated the tech giant. "It then downloads and executes multiple stages of malicious Python scripts from several command-and-control (C2) domains and places these scripts in the LaunchAgents folder for persistence."
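The two host-side behaviours Microsoft describes, Python stages registered in the LaunchAgents folder and Gatekeeper being switched off, are both easy to check for on a Mac. The script below is an added illustration written for this article; it is not code from Recorded Future, Microsoft, or any of the malware families named above. The sample plists are constructed for the example (the `com.example.updater` label and `/Users/Shared/.cache/stage2.py` path are invented), and the Gatekeeper check relies on the real `spctl --status` command, whose output reads "assessments enabled" or "assessments disabled".

```python
"""
Defensive check for two of the behaviours quoted above:
  1. LaunchAgent plists whose job runs a script interpreter (e.g. python3)
  2. Gatekeeper assessments being disabled (spctl --status)
Added example for this article; sample plists are constructed, not real IoCs.
"""
import plistlib
import subprocess
from pathlib import Path
from typing import Dict, List, Optional

# Interpreters that rarely belong in a user's LaunchAgents and deserve review.
SUSPICIOUS_INTERPRETERS = {"osascript", "bash", "sh", "zsh", "curl", "perl", "ruby"}


def _program_args(plist: dict) -> List[str]:
    """Return the command line launchd would execute for this job."""
    args = plist.get("ProgramArguments")
    if isinstance(args, list):
        return [str(a) for a in args]
    prog = plist.get("Program")
    return [str(prog)] if prog else []


def find_script_launch_agents(plist_blobs: Dict[str, bytes]) -> List[dict]:
    """Flag LaunchAgent plists (path -> raw bytes) that invoke a script interpreter.

    plistlib.loads accepts both XML and binary plists, so files written by
    either form of tooling are handled the same way.
    """
    findings = []
    for path, blob in plist_blobs.items():
        try:
            plist = plistlib.loads(blob)
        except Exception:
            # A LaunchAgent that launchd cannot parse is itself worth a look.
            findings.append({"path": path, "label": None, "argv": [], "reason": "unparseable plist"})
            continue
        argv = _program_args(plist)
        if not argv:
            continue
        exe = Path(argv[0]).name.lower()
        if exe.startswith("python") or exe in SUSPICIOUS_INTERPRETERS:
            findings.append({
                "path": path,
                "label": plist.get("Label"),
                "argv": argv,
                "run_at_load": bool(plist.get("RunAtLoad", False)),
                "reason": f"job executes interpreter {exe}",
            })
    return findings


def scan_launch_agents_dir(directory: Path) -> List[dict]:
    """Read every *.plist in a LaunchAgents folder and run the check above."""
    blobs = {str(p): p.read_bytes() for p in directory.glob("*.plist")}
    return find_script_launch_agents(blobs)


def gatekeeper_disabled(spctl_output: str) -> bool:
    """Interpret the text printed by `spctl --status`."""
    return "disabled" in spctl_output.lower()


def check_gatekeeper() -> Optional[bool]:
    """Run spctl on the local machine; None when not on macOS."""
    try:
        proc = subprocess.run(["spctl", "--status"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return gatekeeper_disabled(proc.stdout + proc.stderr)


# Constructed sample input: one job that launches a Python stage, one benign helper.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "~/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/usr/bin/python3", "/Users/Shared/.cache/stage2.py"],
        "RunAtLoad": True,
    }),
    "~/Library/LaunchAgents/com.vendor.helper.plist": plistlib.dumps({
        "Label": "com.vendor.helper",
        "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/helper", "--daemon"],
        "RunAtLoad": True,
    }),
}

if __name__ == "__main__":
    for hit in find_script_launch_agents(SAMPLE_PLISTS):
        print("suspicious LaunchAgent:", hit)
    status = check_gatekeeper()
    if status is None:
        print("spctl not available (not macOS)")
    else:
        print("Gatekeeper disabled:", status)
    # On a real Mac: scan_launch_agents_dir(Path.home() / "Library" / "LaunchAgents")
```

On a live system, point `scan_launch_agents_dir` at `~/Library/LaunchAgents` (and `/Library/LaunchAgents` for machine-wide jobs); an interpreter hit with `RunAtLoad` set is the pattern to triage first, and a `spctl --status` of "assessments disabled" on a machine where nobody changed that setting deliberately deserves the same attention.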