A “multi-faceted campaign” has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible software like 1Password, Bartender 5, and Pixelmator Pro.
“The presence of multiple malware variants suggests a broad cross-platform targeting strategy, while the overlapping C2 infrastructure points to a centralized command setup — possibly increasing the efficiency of the attacks,” Recorded Future’s Insikt Group stated in a report.
The cybersecurity firm, which is tracking the activity under the moniker GitCaught, said the campaign not only highlights the misuse of authentic internet services to orchestrate cyber attacks, but also the reliance on multiple malware variants targeting Android, macOS, and Windows to increase the success rate.
Attack chains entail the use of fake profiles and repositories on GitHub, hosting counterfeit versions of well-known software with the goal of stealing sensitive data from compromised devices. The links to these malicious files are then embedded within several domains that are typically distributed via malvertising and SEO poisoning campaigns.
The adversary behind the operation, suspected to be Russian-speaking threat actors from the Commonwealth of Independent States (CIS), has also been observed using FileZilla servers for malware management and delivery.
Further analysis of the disk image files on GitHub and the associated infrastructure has determined that the attacks are tied to a larger campaign designed to deliver RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, DanaBot, and DarkComet RAT since at least August 2023.
The Rhadamanthys infection pathway is also notable for the fact that victims who land on the fake application websites are redirected to payloads hosted on Bitbucket and Dropbox, suggesting a broader abuse of legitimate services.
The development comes as the Microsoft Threat Intelligence team said that the macOS backdoor codenamed Activator remains a “very active threat,” distributed via disk image files impersonating cracked versions of legitimate software and stealing data from Exodus and Bitcoin-Qt wallet applications.
“It prompts the user to let it run with elevated privileges, turns off the macOS Gatekeeper, and disables the Notification Center,” the tech giant said. “It then downloads and launches multiple stages of malicious Python scripts from multiple command-and-control (C2) domains and adds these malicious scripts to the LaunchAgents folder for persistence.”
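The persistence behaviour Microsoft describes, an interpreter launching downloaded Python scripts from a LaunchAgent, is something a defender can hunt for on a suspect Mac. The script below is an added example written for this page, not code from Microsoft, Recorded Future, or the malware; the two plists it inspects are constructed samples, not real Activator artifacts, and the heuristics (interpreter as the program, script under a user-writable or hidden path, RunAtLoad with KeepAlive, an Apple-looking label in a user LaunchAgents folder) are the editor's own, chosen to match the quoted description rather than any published indicator. The Gatekeeper check wraps `spctl --status` and returns None where that tool does not exist.

```python
import os
import plistlib
import subprocess
from typing import Dict, List, Optional

# Constructed sample plists for this example (not real Activator artifacts).
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})

# Mimics the quoted pattern: a LaunchAgent that keeps a downloaded Python
# script alive from a hidden, user-writable directory. Label is hypothetical.
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",
    "ProgramArguments": ["/usr/bin/python3",
                         "/Users/alice/Library/Application Support/.cache/stage2.py"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

# Editor-chosen heuristics, not a published indicator list.
INTERPRETERS = {"python", "python2", "python3", "osascript", "sh", "bash", "zsh", "curl"}
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/", "/Library/Application Support/")


def review_launch_agent(plist_bytes: bytes) -> List[str]:
    """Return the reasons a LaunchAgent plist matches the persistence pattern
    described in the text. An empty list means nothing was flagged.
    The label check assumes the plist came from ~/Library/LaunchAgents, where
    Apple's own agents do not live (they ship under /System/Library)."""
    findings: List[str] = []
    try:
        data = plistlib.loads(plist_bytes)
    except plistlib.InvalidFileException:
        return ["plist does not parse"]

    args = list(data.get("ProgramArguments") or [])
    if isinstance(data.get("Program"), str):
        args.insert(0, data["Program"])
    if not args:
        return findings

    exe = os.path.basename(args[0])
    if exe in INTERPRETERS:
        findings.append(f"interpreter launched directly: {exe}")
    for arg in args[1:]:
        hidden = any(part.startswith(".") for part in arg.split("/"))
        if arg.startswith(USER_WRITABLE) or hidden:
            findings.append(f"script in user-writable or hidden path: {arg}")
            break
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: relaunched whenever it exits")
    label = str(data.get("Label", ""))
    if label.startswith("com.apple."):
        findings.append(f"Apple-style label in a user LaunchAgents folder: {label}")
    return findings


def scan_launch_agents(directory: str) -> Dict[str, List[str]]:
    """Review every .plist in a LaunchAgents directory; returns {file: findings}
    for the files that were flagged. Missing directory yields an empty dict."""
    results: Dict[str, List[str]] = {}
    if not os.path.isdir(directory):
        return results
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                findings = review_launch_agent(fh.read())
            if findings:
                results[name] = findings
    return results


def gatekeeper_enabled() -> Optional[bool]:
    """True/False from `spctl --status` on macOS; None where spctl is absent."""
    try:
        out = subprocess.run(["spctl", "--status"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return "assessments enabled" in out.stdout


if __name__ == "__main__":
    print("Gatekeeper enabled:", gatekeeper_enabled())
    for agent_dir in (os.path.expanduser("~/Library/LaunchAgents"), "/Library/LaunchAgents"):
        for name, findings in scan_launch_agents(agent_dir).items():
            print(f"{agent_dir}/{name}")
            for reason in findings:
                print("  -", reason)
```

Run it on the affected machine as the logged-in user; a Gatekeeper result of False together with a flagged agent whose script lives under a hidden Application Support path is the combination the quoted description points at. Treat hits as leads to confirm by reading the script, not as a verdict: plenty of legitimate tooling also runs Python from a LaunchAgent.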