Father
The campaign shows why it is harmful to pirate software on Apple equipment.
According to an Insikt Group report, cybercriminals are abusing GitHub and FileZilla to deliver infostealers and Trojans disguised as macOS programs: 1Password, Bartender 5, and Pixelmator Pro. The campaign is called GitCaught.
Experts note that the presence of multiple malware variants indicates a cross-platform targeting strategy (Android, macOS, and Windows), while the C2 infrastructure indicates centralized command management, which increases the effectiveness of attacks.
The chain of attacks includes the creation of fake accounts and repositories on GitHub, which host fake versions of legitimate programs that are designed to steal confidential data from infected devices. Links to malicious files are then embedded in various domains that are distributed through malicious advertising and SEO campaigns.
Attackers use FileZilla servers to manage and deliver malware. Additional analysis of disk images on GitHub and related infrastructure showed that the attacks are part of a larger campaign aimed at delivering programs such as RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, DanaBot, and DarkComet RAT from at least August 2023.
Particularly noteworthy is the Rhadamanthys chain of infection, where victims who hit fake app download sites are redirected to Bitbucket and Dropbox with malicious files, suggesting a broader abuse of legitimate services.