Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail

A “multi-faceted campaign” has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible software like 1Password, Bartender 5, and Pixelmator Pro.

“The presence of multiple malware variants suggests a broad cross-platform targeting strategy, while the overlapping C2 infrastructure points to a centralized command setup — possibly increasing the efficiency of the attacks,” Recorded Future’s Insikt Group said in a report.

Attack chains entail the use of fake profiles and repositories on GitHub, hosting counterfeit versions of well-known software with the goal of stealing sensitive data from compromised devices. The links to these malicious files are then embedded within several domains that are typically distributed via malvertising and SEO poisoning campaigns.

Cocktail Malware

The adversary behind the operation, suspected to be Russian-speaking threat actors from the Commonwealth of Independent States (CIS), has also been observed using FileZilla servers for malware management and delivery.

Further analysis of the disk image files on GitHub and the associated infrastructure has determined that the attacks are tied to a larger campaign designed to deliver RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, DanaBot, and DarkComet RAT since at least August 2023.

“It prompts the user to let it run with elevated privileges, turns off the macOS Gatekeeper, and disables the Notification Center,” the tech giant said.

“It then downloads and launches multiple stages of malicious Python scripts from multiple command-and-control (C2) domains and adds these malicious scripts to the LaunchAgents folder for persistence.”
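The persistence step quoted above, dropping a launchd property list into a LaunchAgents folder, leaves an artefact that defenders can sweep for. The script below is an added example, not code from the article or from Recorded Future, and the plist samples in it are constructed for illustration: it parses launchd plists and flags agents that start an interpreter or downloader (python3, curl, osascript), reference a user-writable staging directory, embed a URL, or combine RunAtLoad with KeepAlive. The thresholds and binary/path lists are heuristics chosen for this example; point `scan_directory()` at `~/Library/LaunchAgents` and `/Library/LaunchAgents` to run it against a real host.

```python
"""Hunt for suspicious LaunchAgents persistence on macOS (added example)."""
import plistlib
from pathlib import Path

# Heuristic lists chosen for this example; tune them for your environment.
SUSPICIOUS_BINARIES = {"python", "python3", "curl", "osascript", "bash", "sh"}
SUSPICIOUS_PATHS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def find_flags(plist: dict) -> list[str]:
    """Return the reasons a parsed launchd plist looks suspicious (empty if none)."""
    reasons: list[str] = []
    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program")
    if program:
        args = [program] + args
    if not args:
        return reasons
    joined = " ".join(str(a) for a in args)

    # 1. Agent launches an interpreter or downloader instead of an app binary.
    exe = Path(str(args[0])).name.lower()
    if exe in SUSPICIOUS_BINARIES:
        reasons.append(f"runs interpreter/downloader: {exe}")

    # 2. Payload lives in a user-writable staging directory.
    for prefix in SUSPICIOUS_PATHS:
        if prefix in joined:
            reasons.append(f"references user-writable path: {prefix}")
            break

    # 3. Arguments carry a URL (multi-stage download straight from launchd).
    if "http://" in joined or "https://" in joined:
        reasons.append("embeds a URL in arguments")

    # 4. Aggressive restart policy typical of malware, rare for legitimate agents.
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (aggressive persistence)")
    return reasons


def scan_plist_bytes(data: bytes) -> list[str]:
    """Parse raw plist bytes (XML or binary) and return the flags for it."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed plists are themselves worth a look
        return [f"unparseable plist: {exc}"]
    if not isinstance(plist, dict):
        return ["plist root is not a dictionary"]
    return find_flags(plist)


def scan_directory(directory: str) -> dict[str, list[str]]:
    """Scan every *.plist in a directory; map file name -> flags for flagged files."""
    results: dict[str, list[str]] = {}
    for path in Path(directory).expanduser().glob("*.plist"):
        flags = scan_plist_bytes(path.read_bytes())
        if flags:
            results[path.name] = flags
    return results


# Constructed sample plists (labels and paths are invented for this example).
MALICIOUS_PLIST = plistlib.dumps({
    "Label": "com.example.update.helper",
    "ProgramArguments": ["/usr/bin/python3", "/tmp/.stage2.py"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.sync",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/example-agent", "--background"],
    "RunAtLoad": True,
})


if __name__ == "__main__":
    print("sample malicious:", scan_plist_bytes(MALICIOUS_PLIST))
    print("sample benign:   ", scan_plist_bytes(BENIGN_PLIST))
    for folder in ("~/Library/LaunchAgents", "/Library/LaunchAgents"):
        for name, flags in scan_directory(folder).items():
            print(f"{folder}/{name}: {'; '.join(flags)}")
```

The interpreter check keys on the first element of `ProgramArguments` (or `Program`), which is where launchd takes the executable from, so a wrapper like `/bin/sh -c "curl ... | python3"` is caught by the first rule and the URL rule together. Treat hits as triage leads rather than verdicts: developer tooling legitimately uses python3 or bash from LaunchAgents, but rarely from `/tmp` with KeepAlive set.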