Ghost Accounts Spreading Malware On GitHub

Uploaded on 2024-07-29 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

GitHub is the world’s largest source code host, is integral to more than 100 million developers hosting more than 420 million public repositories. 

Now, researchers at Check Point have uncovered a sophisticated assembly of ghost accounts that distribute malware through phishing repositories, leveraging fake accounts to organically perform phishing attacks, by making the repositories appear legitimate by starring, forking, and subscribing to them. 

The operator of this Ghost network is an individual known as Stargazer Goblin, who only came to the fore about a year ago, when Check Point first saw an advertisement in Dark Web forums, with a price list of each action that could be taken. 

The network operates the Stargazers Ghost Network which distributes malware and links via an estimated 3,000 GitHub Ghost accounts.

Impact: These malicious repositories are highly victim-oriented, targeting users interested in social media, gaming, crypto-currency, and more. The consequences of falling victim to these attacks range from ransomware infections through these fake accounts, to stolen credentials used in threats or other phishing attacks, and compromised crypto-currency wallets. 

Although the current targets are primarily Windows users, similar methods could target Linux or Android users, sparking a much wider impact on victims.  

Economic Toll: From mid-May to mid-June 2024 alone, Stargazer Goblin, earned approximately $8,000. Since the network's suspected inception in August 2022, it is estimated to have generated over $100,000 through more than 3,000 ghost accounts on GitHub.

Call to Action: Given the severity of these findings, Check Point Research urges GitHub users to exercise extreme caution with repositories containing download links for executables, even from reputable sources, or commits that change or add links.

Cyber Security, Research Manager, Check Point Research, Alexander Chailytko, commented “It's alarming to see how a large source code platform like GitHub, with more than 14 million visitors per day, is being utilised for malware distribution, especially by a well-organised one like Stargazers Ghost Network... 

“Considering precise targeting, this threat could affect a vast number of victims worldwide, with more impactful consequences in addition to possible ransomware infections, stolen credentials, and compromised crypto-currency wallets."

Check Point were also able to identify a similar looking campaign operating on YouTube video hosting, which they think indicates a there is a switch in malware Distribution as a Service (DaaS) approach. According to Chailytko, this will have the effect of "... leveraging more popular platforms to propagate infections to as many users as possible in a more covert way, with this GitHub account network being part of a wider scheme of malicious distribution.”

Check Point    |     NVAccess   |   ITPro    |    Dark Reading 

Image: Ideogram

You Might Also Read:

Hackers Exploit GitHub & FileZilla To Deliver Malware:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

« Most Wanted - North Korean Hackers 
Video Game Actors Fear Being Replace By AI  »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CEPS

CEPS

CEPS is a leading think tank and forum for debate on EU affairs, ranking among the top think tanks in Europe. Topic areas include Innovation, Digital economy and Cyber-security.

Federal Office For Information Security (BSI)

Federal Office For Information Security (BSI)

The BSI (Bundesamt fur Sicherheit in der Informationstechnik) is the federal cyber security agency and the chief architect of secure digitalisation in Germany.

PFP Cybersecurity

PFP Cybersecurity

PFP provides a SaaS solution for life-cycle protection based on our IoT security platform and power usage analytics.

Global Information Assurance Certification (GIAC)

Global Information Assurance Certification (GIAC)

GIAC provides certification in the knowledge and skills necessary for a practitioner in key areas of computer, information and software security.

J2 Software

J2 Software

J2 Software is a leading African Information Security and ICT business providing information security, governance, risk and compliance solutions.

Atlantic Security Conference (AtlSecCon)

Atlantic Security Conference (AtlSecCon)

Atlantic Security Conference is a non-profit, annual, information security conference located in Halifax, Nova Scotia, Canada.

Trust Stamp

Trust Stamp

Trust Stamp provide Identity and Trust as a Service to answer two fundamental questions: “Who are you?” and “Do I trust you?"

Research Institute in Secure Hardware and Embedded Systems (RISE)

Research Institute in Secure Hardware and Embedded Systems (RISE)

The UK Research Institute in Secure Hardware and Embedded Systems (RISE) seeks to identify and address key issues that underpin our understanding of Hardware Security.

Informatics International

Informatics International

Informatics is a leading ICT provider in Sri Lanka, providing cutting-edge software & infrastructure solutions and services including cyber security.

Core Sentinel

Core Sentinel

Australia's #1 Penetration Testing Service. Make Your Systems Fully Compliant With Our OSCE CREST/CISA Certified Penetration Testing.

Clarabot Nano

Clarabot Nano

Nano is the secure file sharing tool to improve content search, data access and collaboration between multiple parties.

Primus Institute of Technology

Primus Institute of Technology

At Primus Institute of Technology our mission is to inspire, support, and empower current and aspiring IT professionals through training and career development workshops.

KingsGuard Solutions

KingsGuard Solutions

KingsGuard Solutions is a San Diego Cybersecurity company that specializes in complex and innovative security solutions for companies throughout Southern California.

Techmentum

Techmentum

At Techmentum, our mission is to utilize technology to help companies succeed. Our expertise includes fully managed IT services, cybersecurity, cloud, and custom technology solutions.

OSP Cyber Academy

OSP Cyber Academy

OSP Cyber Academy are a managed service provider of cyber, information security and data protection training.

Early Game Ventures (EGV)

Early Game Ventures (EGV)

Early Game Ventures invests in startups that jumpstart new industries in the emerging markets of Europe.