Ghost Accounts Spreading Malware On GitHub

GitHub is the world’s largest source code host, is integral to more than 100 million developers hosting more than 420 million public repositories. 

Now, researchers at Check Point have uncovered a sophisticated assembly of ghost accounts that distribute malware through phishing repositories, leveraging fake accounts to organically perform phishing attacks, by making the repositories appear legitimate by starring, forking, and subscribing to them. 

The operator of this Ghost network is an individual known as Stargazer Goblin, who only came to the fore about a year ago, when Check Point first saw an advertisement in Dark Web forums, with a price list of each action that could be taken. 

The network operates the Stargazers Ghost Network which distributes malware and links via an estimated 3,000 GitHub Ghost accounts.

Impact: These malicious repositories are highly victim-oriented, targeting users interested in social media, gaming, crypto-currency, and more. The consequences of falling victim to these attacks range from ransomware infections through these fake accounts, to stolen credentials used in threats or other phishing attacks, and compromised crypto-currency wallets. 

Although the current targets are primarily Windows users, similar methods could target Linux or Android users, sparking a much wider impact on victims.  

Economic Toll: From mid-May to mid-June 2024 alone, Stargazer Goblin, earned approximately $8,000. Since the network's suspected inception in August 2022, it is estimated to have generated over $100,000 through more than 3,000 ghost accounts on GitHub.

Call to Action: Given the severity of these findings, Check Point Research urges GitHub users to exercise extreme caution with repositories containing download links for executables, even from reputable sources, or commits that change or add links.

Cyber Security, Research Manager, Check Point Research, Alexander Chailytko, commented “It's alarming to see how a large source code platform like GitHub, with more than 14 million visitors per day, is being utilised for malware distribution, especially by a well-organised one like Stargazers Ghost Network... 

“Considering precise targeting, this threat could affect a vast number of victims worldwide, with more impactful consequences in addition to possible ransomware infections, stolen credentials, and compromised crypto-currency wallets."

Check Point were also able to identify a similar looking campaign operating on YouTube video hosting, which they think indicates a there is a switch in malware Distribution as a Service (DaaS) approach. According to Chailytko, this will have the effect of "... leveraging more popular platforms to propagate infections to as many users as possible in a more covert way, with this GitHub account network being part of a wider scheme of malicious distribution.”

Check Point    |     NVAccess   |   ITPro    |    Dark Reading 

Image: Ideogram

You Might Also Read:

Hackers Exploit GitHub & FileZilla To Deliver Malware:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

« Most Wanted - North Korean Hackers 
Video Game Actors Fear Being Replace By AI  »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Hack Miami

Hack Miami

HackMiami is the premier resource in South Florida for highly skilled hackers that specialize in vulnerability analysis, penetration testing, digital forensics, and all manner of IT security.

JumpCloud

JumpCloud

JumpCloud's Directory-as-a-Service (DaaS) is the single point of authority to authenticate, authorize, and manage the identities of a business’s employees and the systems and IT resources they need.

Software Factory

Software Factory

Software Factory develops custom-built high-performance software solutions and products for applications including industrial cyber security.

IT Association of Slovakia (ITAS)

IT Association of Slovakia (ITAS)

ITAS is a professional association of domestic and foreign companies operating in the field of information and communication technologies

Information Network Security Agency (INSA) - Ethiopia

Information Network Security Agency (INSA) - Ethiopia

INSA's vision is to realize a globally competent National Cyber capability which plays a key role in protecting the national interests of Ethiopia.

Regulus Cyber

Regulus Cyber

Regulus enables drones, robots and autonomous vehicles to operate safely, without malicious or accidental interference to the operation of their mission.

Cyber Security Austria (CSA)

Cyber Security Austria (CSA)

Cyber Security Austria (CSA) is an independent non-profit association with the aim to address security issues in the area of IT/cyber security of critical/strategic infrastructures in Austria.

Aricoma

Aricoma

Aricoma are Architects of Digital. We aim to become a major player in end-to-end IT services and digital transformation in Europe.

Romanian Accreditation Association (RENAR)

Romanian Accreditation Association (RENAR)

RENAR is the national accreditation body for Romania. The directory of members provides details of organisations offering certification services for ISO 27001.

Critical Insight

Critical Insight

Critical Insight provide Managed Detection and Response, Vulnerability Detection, and Consulting Services to help you secure your mission-critical systems.

Privacyware

Privacyware

Privacyware's ThreatSentry combines a state-of-the-art Web Application Firewall and port-level firewall with advanced behavioral filtering to block unwanted IIS traffic and web application threats.

SightGain

SightGain

SightGain is the only integrated risk management solution focused on cybersecurity readiness using real-world attack simulations in your live environment.

ContraForce

ContraForce

ContraForce is a threat detection and response software providing complete visibility across cloud, network, endpoints, user, and email with the ability to target and block threats in real-time.

OneLayer

OneLayer

OneLayer provide enterprise grade security dedicated for private LTE/5G networks. We ensure that the best IoT security toolkit is implemented in your cellular environment.

Kriptos

Kriptos

Kriptos helps businesses improve their cybersecurity, risk, and compliance strategies by locating critical information through a technology that automatically classifies and labels documents using AI.

ThreatView by Turaco Labs

ThreatView by Turaco Labs

ThreatView combines extensive experience in digital forensics with advanced analytics and threat detection capabilities to protect eCommerce websites.