A threat actor known as Stargazer Goblin has created a network of bogus GitHub accounts to power a Distribution-as-a-Service (DaaS) that spreads a variety of information-stealing malware, earning the operators $100,000 in illicit profits over the past year.
The network, which includes more than 3,000 accounts on a cloud-based code hosting platform, spans thousands of repositories used to share malicious links or malware, per Check Point, which has dubbed it the “Stargazers Ghost Network.”
Some of the malware families distributed this way include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. The fake accounts also star, fork, watch, and subscribe to the malicious repositories to lend them an appearance of legitimacy.
The network is believed to have been active in some form since August 2022, although advertisements for the DaaS were not observed on the dark web until early July 2023.
“Threat actors now operate a network of ‘ghost’ accounts that distribute malware via malicious links in their repositories and encrypted archives as releases,” security researcher Antonis Terefos said in an analysis published last week.
“This network not only distributes malware, but also provides a variety of other activities that make ‘ghost’ accounts look like normal users, giving fake legitimacy to their activities and associated repositories.”
Different categories of GitHub accounts handle different parts of the scheme, an arrangement intended to make the infrastructure more resilient to GitHub’s takedowns when malicious payloads are flagged on the platform.
These include accounts that serve the phishing repository template, accounts that provide the image used in the phishing template, and accounts that push the malware to a repository as a password-protected archive disguised as cracked software or game cheats.
If the third set of accounts is detected and banned by GitHub, Stargazer Goblin updates the first account’s phishing repository with a link to a new, active malware release, allowing the operation to continue with minimal disruption.
In addition to starring new releases across multiple repositories and editing README.md files to swap in new download links, there is evidence that some accounts in the network were previously compromised, with their credentials likely obtained through stealer malware.
“Most often we see Repository and Stargazer accounts unaffected by repository bans and removals, while Commit and Release accounts are usually banned after their malicious repositories are discovered,” said Terefos.
“It is common to find link repositories that contain links to banned release repositories. When this happens, the Commit account associated with the link repository updates the malicious link with a new one.”
One campaign discovered by Check Point starts with a malicious link to a GitHub repository, which in turn points to a PHP script hosted on a WordPress site and delivers an HTML Application (HTA) file that ultimately launches Atlantida Stealer via a PowerShell script.
Check Point further noted that the GitHub accounts are part of a larger DaaS offering that manages similar ghost accounts on other platforms such as Discord, Facebook, Instagram, X, and YouTube.
“Stargazer Goblin has created a highly sophisticated malware distribution operation that avoids detection because GitHub is considered a legitimate website, bypasses suspicions of malicious activity, and minimizes and recovers from any damage if GitHub disrupts their network,” Terefos said.
“Using multiple accounts and profiles that perform a variety of activities, from starring to repository hosting, phishing templates, and malicious release hosting, allows the Stargazers Ghost Network to minimize its losses should GitHub take any action to disrupt their operation, as usually only one part of the entire operation is affected, not all the accounts involved.”
The development comes as unknown threat actors have been targeting GitHub repositories, wiping their contents, and asking victims to contact a user named Gitloker on Telegram in an extortion operation that has been ongoing since February 2024.
The social engineering attack targets developers with phishing emails sent from “notifications@github.com” to trick them into clicking fake links purporting to be about a job opportunity at GitHub, then prompting them to authorize a new OAuth application that wipes all of their repositories and demands payment in exchange for restoring access.
It also follows an advisory from Truffle Security that sensitive data can be accessed from deleted forks, deleted repositories, and even private GitHub repositories, urging organizations to take steps to protect against what it calls the Cross Fork Object Reference (CFOR) vulnerability.
“The CFOR vulnerability occurs when one fork of a repository can access sensitive data from another fork (including data from private and deleted forks),” Joe Leon said. “Similar to an insecure direct object reference, in CFOR users provide commit hashes to directly access commit data that would otherwise not be visible to them.”
In other words, a piece of code committed to a public repository can remain accessible for as long as at least one fork of that repository exists. The same technique can also be used to retrieve code committed between the time an internal fork was created and the time the repository was made public.
However, it should be noted that these are deliberate design decisions made by GitHub, as the company notes in its own documentation:
- Commits in any repository in the fork network can be accessed from any repository in the same fork network, including the upstream repository
- When you change a private repository to a public repository, all commits to that repository, including any commits made in the repositories it was forked into, will be visible to everyone.
“The average user views the separation of private and public repositories as a security boundary and understandably believes that public users cannot access any data that resides in a private repository,” Leon said.
“Unfortunately, (…) this is not always true. Moreover, the act of deletion implies the destruction of data. As we saw above, deleting a repository or fork does not mean that your commit data is actually deleted.”
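The git behaviour CFOR rests on can be reproduced in a throwaway local repository. The script below is an added example, not code from the article, Check Point, or Truffle Security: it commits a constructed sample secret on a branch, deletes the branch, expires the reflog so no ref leads to the commit, and then reads the file back using nothing but the commit hash. It also runs the check a practitioner would want before making a private repository public (listing commits that are still in the object store while being unreachable from any branch or tag). The repository layout, branch names and secret value are all made up for the demonstration. One caveat the local run cannot show: `git gc --prune=now` removes the object on your machine, whereas GitHub’s shared fork-network store does not prune it, which is why rotating the exposed credential, not deleting the commit, is the only real remediation.

```shell
#!/bin/sh
# Added example (not from the article or Truffle Security): reproduce the git
# property behind CFOR in a local repository. A commit whose branch has been
# deleted and whose reflog entries have expired is unreachable from every ref,
# yet anyone holding its hash can still read its files from the object store.
# On GitHub that store is shared by the whole fork network and is not pruned,
# so the same lookup works from the upstream or from any sibling fork.
# Branch names and the sample secret below are constructed for this demo.

export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com

# Prints three lines: the leaked file recovered by hash, the number of
# unreachable commits git fsck still sees, and the state after a local gc.
cfor_demo() {
  work=$(mktemp -d)
  (
    cd "$work" || exit 1
    git init -q repo && cd repo || exit 1
    base=$(git symbolic-ref --short HEAD)   # master or main, whatever git picked

    git commit -q --allow-empty -m "public history"

    # An "internal" branch that accidentally carries a credential.
    git checkout -q -b internal-feature
    printf 'DB_PASSWORD=hunter2-constructed-sample\n' > config.env
    git add config.env
    git commit -q -m "add config"
    leaked=$(git rev-parse HEAD)

    # The developer "deletes" the mistake: drop the branch, expire the reflog.
    git checkout -q "$base"
    git branch -D internal-feature >/dev/null
    git reflog expire --expire=now --all

    # No ref leads to the commit any more ...
    if git rev-list --all | grep -q "$leaked"; then
      echo "ERROR: commit still reachable from a ref"; exit 1
    fi

    # ... but the object is still there, and the hash is the only key needed.
    git cat-file -p "$leaked:config.env"

    # Pre-publication check: commits that survive in the store without being
    # reachable from any branch or tag (expected here: exactly one).
    git fsck --unreachable --no-reflogs 2>/dev/null | awk '$2 == "commit"' | wc -l | tr -d ' '

    # Local git prunes on request; GitHub's fork-network store will not.
    git gc -q --prune=now
    if git cat-file -e "$leaked" 2>/dev/null; then
      echo "object survived local gc"
    else
      echo "object pruned by local gc"
    fi
  )
  status=$?
  rm -rf "$work"
  return $status
}

cfor_demo
```

Run it anywhere git is installed; it creates and removes its own temporary directory. The first output line is the “deleted” secret recovered purely by hash, which is the CFOR scenario in miniature; the second line is the count from `git fsck --unreachable --no-reflogs`, a quick way to find such leftovers in a repository you are about to open-source.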