Security researchers from Check Point have discovered a network of ghost accounts on GitHub that distribute malware. In addition to repositories containing malware, the Stargazers Ghost Network provides services to efficiently distribute malicious code via GitHub.
The user Stargazer Goblin is behind the network and has been offering its services since at least June 2023. However, Check Point believes that the first campaign began as early as August 2022.
Phishing with ghost accounts
According to Check Point estimates, the network consists of around 3,000 accounts, only a few of which manage repositories with malicious code or links to malware. The links point partly to external websites and partly to the release area of other GitHub repositories containing malicious code. The malicious payload is probably password protected so that GitHub's scanners cannot detect it.
Most accounts, however, host no repositories with real content at all; they exist to boost the reputation of the malware repositories so that these appear like regular open source projects.
To distribute the malware, multiple accounts with different repositories work together, from hosting the malicious code with links in the readme to “starring” it through ghost accounts.
(Image: Check Point Research)
An important GitHub metric is the number of stars displayed above a repository. Many stars indicate that many users are already interested in the content. The name Stargazer probably alludes to exactly this "starring", as awarding a star is called on GitHub. Stars handed out by ghost accounts lend the repository a good reputation.
Not only that: apparently some accounts have also forked the repository, which also indicates a high level of interest in the code. Unlike the attack revealed in March, which used countless cloned repositories to distribute malware, Stargazer Goblin is likely to rely largely on (supposed) quality through the stars rather than quantity.
Check Point estimates the number of ghost accounts from a recurring pattern: a simple username followed by a number. Both are repeated in the corresponding readme. The repositories are otherwise empty, except for an additional license file.
A good 1,100 accounts conform to the standard scheme that Stargazer uses for the content of ghost accounts.
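The traits just described (a word-plus-digits username, repositories that are empty apart from a license, a readme that repeats the login) can be turned into a simple triage heuristic for a repository's stargazer list. The following is an added example, not Check Point's tooling; the account and repository records are constructed sample data shaped loosely like GitHub API objects, and the threshold and ratio are assumed defaults.

```python
"""Heuristic triage of a repository's stargazers for ghost-account traits."""
import re
from dataclasses import dataclass, field

# Username pattern described for the ghost accounts: letters, then a number.
GHOST_NAME = re.compile(r"^[A-Za-z]+\d+$")  # e.g. "jessica4821"
BOILERPLATE = {"LICENSE", "README.md"}      # files a templated ghost repo carries


@dataclass
class Repo:
    files: list            # top-level file names
    readme: str = ""       # README text, if any


@dataclass
class Account:
    login: str
    repos: list = field(default_factory=list)


def ghost_score(acct: Account) -> int:
    """Return 0-3: the number of ghost traits the account matches."""
    score = 0
    if GHOST_NAME.match(acct.login):
        score += 1
    # No repositories at all, or only repositories holding nothing but boilerplate.
    if not acct.repos or all(set(r.files) <= BOILERPLATE for r in acct.repos):
        score += 1
    # The login (and thus its number) repeated in the readme, as in the template.
    if acct.repos and any(acct.login in r.readme for r in acct.repos):
        score += 1
    return score


def flag_star_inflation(stargazers, threshold=2, ratio=0.5):
    """Flag a repository when at least `ratio` of its stargazers match
    `threshold` or more ghost traits. Returns (flagged, suspicious_logins)."""
    suspicious = [a.login for a in stargazers if ghost_score(a) >= threshold]
    flagged = bool(stargazers) and len(suspicious) / len(stargazers) >= ratio
    return flagged, suspicious


# Constructed sample stargazers (hypothetical, not real GitHub accounts).
SAMPLE = [
    Account("jessica4821"),                                           # no repos
    Account("michael7730", [Repo(["LICENSE", "README.md"], "michael7730 7730")]),
    Account("alice-dev", [Repo(["src", "setup.py", "README.md"], "CLI by alice-dev")]),
    Account("kernelhacker", [Repo(["LICENSE", "Makefile", "main.c"])]),
]

if __name__ == "__main__":
    print(flag_star_inflation(SAMPLE))  # (True, ['jessica4821', 'michael7730'])
```

A genuine account that mentions its own login in a readme scores only 1 here, which is why the threshold requires at least two traits.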
(Image: Check Point Research)
Tailored to fit
The attackers use templates in their repositories that they customize for different platforms such as TikTok, Twitch, and Instagram and spread across different repositories. Tailored templates with cheats for gamers or tools that promise influencers more followers attract different target groups.
They use different malware families. In one wave of attacks, the network distributed the Atlantida Stealer, which, among other things, steals credentials and cryptocurrency. According to Check Point Research, 1,300 people fell victim to that attack in four days. Links to the GitHub repositories were probably distributed via Discord at the time, and the attackers used compromised WordPress sites as an intermediate stop. Another attack with the Rhadamanthys malware reached 1,000 users in two weeks. The network has also distributed the Lumma Stealer, RedLine, and RisePro.
The path from the link to the GitHub repository to the actual Atlantida Stealer went through several WordPress pages and used obfuscated Visual Basic code to download the actual malware via PowerShell.
(Image: Check Point Security)
Security researchers suspect that Stargazer Goblin also used the attacks to obtain access data for GitHub and other platforms such as YouTube, Discord, Instagram, X and Facebook, and to incorporate the hijacked accounts into its ghost account network.
Stargazer as a service provider
Stargazer Goblin also offers the Ghost Account Network as a service. In early July, Check Point Research found an advertisement in English and Russian on a dark web forum listing starring and other services, primarily for GitHub repositories: 100 stars cost $10. There are also extended offers for forks, watches, and cloning repositories.
Looking for GitHub stars or forks? The Stargazers Ghost Network has a few to offer.
(Image: Check Point Research)
More information can be found in the Check Point blog. A further article from Check Point Research goes in depth into the details of each attack.
(RME)