3,000 Fake GitHub Accounts Linked to the 'Stargazer Goblin' Malware

The Emergence of the Stargazers Ghost Network

A threat actor known as Stargazer Goblin has created a network of fake GitHub accounts to run a Distribution-as-a-Service (DaaS) operation that spreads various types of malware, earning them $100,000 in illegal profits over the past year. Cybersecurity researchers are actively investigating Stargazer Goblin’s activities.

The network consists of over 3,000 accounts on GitHub and includes thousands of repositories used to share malicious links and malware. Check Point has named this network “Stargazers Ghost Network.” Stargazer Goblin’s operation is extensive and well-organized.

The malware distributed through this network includes Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. The fake accounts also engage in actions such as starring, forking, watching, and subscribing to malicious repositories to make them seem legitimate. Stargazer Goblin’s choice of malware shows their adaptability.

Timeline and Operational Structure

The network has been active in a preliminary form since August 2022. However, an advertisement for the DaaS wasn’t observed until early July 2023 on the dark web. Stargazer Goblin’s operations have evolved since then.

Security researcher Antonis Terefos explained in an analysis published last week that threat actors are now using a network of ‘Ghost’ accounts to distribute malware through malicious links on their repositories and encrypted archives as releases. Stargazer Goblin’s tactics are sophisticated and continually adapting.

This network not only distributes malware but also provides various other activities that make these ‘Ghost’ accounts appear as normal users, lending fake legitimacy to their actions and the associated repositories.

Various types of GitHub accounts are tasked with different aspects of the system to make their infrastructure more resistant to takedown efforts by GitHub when harmful content is identified on the platform. The network structure of Stargazer Goblin is specifically designed for resilience.

Account Categories and Their Roles

This includes accounts that are used to provide phishing templates, accounts that provide images for phishing templates, and accounts that upload malware to repositories disguised as password-protected archives of cracked software and game cheats. Stargazer Goblin uses different types of accounts for different purposes.

If GitHub detects and bans the third set of accounts, Stargazer Goblin updates the first account’s phishing repository with a new link to an active malicious release, allowing the operators to continue with minimal disruption. This shows Stargazer Goblin’s ability to adapt quickly to setbacks.

It appears that some accounts within the network may have been compromised in the past, potentially through credentials obtained by stealer malware. Stargazer Goblin may be using these compromised accounts as part of their operations, in addition to liking new releases from various repositories and editing README.md files to alter the download links.

Resilience and Adaptability of the Network

Terefos mentioned that “in most cases, Repository and Stargazer accounts are not affected by bans and repository takedowns. However, Commit and Release accounts are usually banned when their malicious repositories are discovered.” Terefos noted that Stargazer Goblin’s network demonstrates significant resilience.

“Link repositories often contain links to banned release repositories. In such cases, the commit account associated with the link repository updates the malicious link with a new one.” This demonstrates Stargazer Goblin’s adaptability.

Malware Distribution Tactics

One of the campaigns discovered by Check Point involves the use of a malicious link to a GitHub repository. This repository, in turn, points to a PHP script hosted on a WordPress site, which then delivers an HTML Application (HTA) file to ultimately execute Atlantida Stealer by means of a PowerShell script. Stargazer Goblin’s distribution tactics are multi-layered.

Other malware families spread through the DaaS include Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro. Check Point also mentioned that the GitHub accounts are part of a larger DaaS solution with similar ‘Ghost’ accounts on other platforms such as Discord, Facebook, Instagram, and YouTube. Stargazer Goblin’s operations go beyond GitHub.

The Sophistication of Stargazer Goblin's Operation

Terefos said that Stargazer Goblin had developed a highly sophisticated malware distribution operation. “This operation is designed to evade detection by posing as a legitimate website on GitHub, avoid suspicion of malicious activities, and minimize and recover from any damage caused when GitHub disrupts their network,” said Terefos.

The Stargazers Ghost Network uses multiple accounts and profiles to carry out various activities on GitHub. These activities include giving stars to repositories, hosting the repository, uploading the phishing template, and hosting malicious releases. This structure helps minimize their losses in case GitHub takes action to disrupt their operations. If one part of the operation is disrupted, it will not affect all the involved accounts. Stargazer Goblin’s operational structure is designed for maximum efficiency and minimal disruption.

The Gitloker Extortion Operation

The development comes as unknown threat actors are targeting GitHub repositories, wiping their contents, and asking the victims to reach out to a user named Gitloker on Telegram as part of a new extortion operation that has been ongoing since February 2024.

Developers are being targeted in a social engineering attack with phishing emails sent from “notifications@github.com.” The aim is to trick them into clicking on fake links by pretending to offer a job opportunity at GitHub. If they fall for it, they will be prompted to authorize a new OAuth app which will then delete all their repositories. After that, the attackers demand a payment in exchange for restoring access.

Cross Fork Object Reference (CFOR) Vulnerability

Truffle Security has issued an advisory stating that sensitive data can still be accessed from deleted forks, deleted repositories, and even private repositories on GitHub. They are urging organisations to take steps to secure against a vulnerability they are calling Cross Fork Object Reference (CFOR).

“A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork, including data from private and deleted forks,” explained Joe Leon. “Similar to an Insecure Direct Object Reference, in CFOR, users supply commit hashes to directly access commit data that would otherwise not be visible to them.”

Once code is committed to a public repository and at least one fork exists, it may remain accessible indefinitely. Furthermore, it can be used to access code committed after the creation of an internal fork but before the repository is made public.

GitHub's Intentional Design Decisions

It is important to note that these are intentional design decisions made by GitHub, as stated in the company’s documentation:

“Commits to any repository in a fork network are accessible from any repository in the same fork network, including the upstream repository.”

“When you change a private repository to a public one, all the commits in that repository, as well as any commits made in the repositories it was forked into, will become visible to everyone.”

“The average user perceives the separation of private and public repositories as a security boundary and understandably assumes that any data stored in a private repository cannot be accessed by public users,” Leon stated.
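The practical consequence of the fork-network behaviour described above is that deleting a fork or a repository does not make a leaked commit unreachable, so the only reliable remediation is to rotate whatever the commit exposed. The following is an added example (not from the Truffle Security advisory or from GitHub) of the check a defender would run on their own repository: it asks the upstream repository for each commit SHA believed to have been deleted and reports which ones GitHub still serves. It assumes the GitHub REST endpoint GET /repos/{owner}/{repo}/commits/{sha}; the repository name and SHAs in the demo are constructed placeholders.

```python
"""Check whether 'deleted' commits are still reachable via the upstream repo.

Added example, not part of the advisory. Assumes the GitHub REST endpoint
GET /repos/{owner}/{repo}/commits/{sha}, which answers 200 for any commit
that is reachable within the fork network and a non-200 status otherwise.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

API = "https://api.github.com"


def github_fetch_status(url: str, token: Optional[str] = None) -> int:
    """Return the HTTP status of a GET against the GitHub API."""
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    if token:  # a token raises the rate limit; unauthenticated requests also work
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def still_reachable(upstream: str, shas: Iterable[str],
                    fetch: Callable[[str], int] = github_fetch_status) -> Dict[str, bool]:
    """Map each commit SHA to True if the upstream repository still serves it.

    `upstream` is "owner/repo". A commit that only ever lived in a since-deleted
    fork, or in a private branch before the repository went public, still
    comes back with 200 when it belongs to the fork network.
    """
    return {sha: fetch(f"{API}/repos/{upstream}/commits/{sha}") == 200 for sha in shas}


def needs_rotation(reachability: Dict[str, bool]) -> List[str]:
    """Commits that are still served: any secret they contained must be rotated."""
    return [sha for sha, reachable in reachability.items() if reachable]


if __name__ == "__main__":
    # Constructed placeholders: substitute your own repository and the SHAs
    # you believed were removed (e.g. from a deleted fork's history).
    suspect = ["0000000000000000000000000000000000000001"]
    report = still_reachable("example-org/example-repo", suspect)
    for sha in needs_rotation(report):
        print(f"{sha}: still reachable upstream -> rotate exposed credentials")
```

A SHA that comes back reachable should be treated as public regardless of where it was committed; removing the fork, branch or repository does not change that.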

Conclusion

The discovery of Stargazer Goblin’s Stargazers Ghost Network reveals a sophisticated and evolving threat to the GitHub ecosystem. This malicious actor has successfully leveraged the platform’s legitimacy to distribute various types of malware, earning significant illicit profits. The network’s resilience, achieved through a complex structure of different account types and roles, poses a considerable challenge for GitHub’s security measures.

Stargazer Goblin’s operations extend beyond GitHub, utilizing other popular platforms to further their reach. This multi-platform approach underscores the adaptability and resourcefulness of modern cybercriminals.
