Do not rush to use the advice of strangers if you have problems.
GitHub is being used to distribute the Lumma Stealer under the guise of fake patches posted in project issue comments.
The campaign was reported by a member of the teloxide library project. Five comments appeared in the discussions of the developer's GitHub project, presented as fixes but in fact distributing malware.
Further analysis showed that similar comments had been left on thousands of other GitHub projects. Every comment offered a "solution" to the problem, prompting users to download a password-protected archive from mediafire.com or via a bit.ly short link and run the executable inside it. In all cases the archive password was the same: "changeme".
'Problem solution' in GitHub comments with malicious link
According to reverse engineer Nicholas Sherlock, more than 29,000 comments with malicious links were posted within 3 days. Clicking the link took users to the download page for a "fix.zip" archive containing several DLLs and the executable "x86_64-w64-ranlib.exe". Running the executable in the Any.Run sandbox triggered the Lumma Stealer malware.
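As an added example (not part of the article), a defender-side triage heuristic that scores issue comments against the lure pattern described above: a mediafire.com or bit.ly download link, the shared archive password "changeme", a "fix.zip" archive and an instruction to run an .exe. The indicator weights, the threshold and the sample comments are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Indicators taken from the reported campaign; the weights are an assumption.
INDICATORS = [
    ("download_host", re.compile(r"https?://(?:www\.)?(?:mediafire\.com|bit\.ly)/\S+", re.I), 2),
    ("archive_password", re.compile(r"\bpassword\b[^\n]{0,20}\bchangeme\b", re.I), 3),
    ("archive_name", re.compile(r"\bfix\.zip\b", re.I), 2),
    ("run_executable", re.compile(r"\b(?:run|launch|execute)\b[^\n]{0,40}\.exe\b", re.I), 1),
]
THRESHOLD = 4  # assumed cut-off: link plus password, or link plus archive name


@dataclass
class Verdict:
    score: int
    hits: list[str]
    suspicious: bool


def triage_comment(body: str) -> Verdict:
    """Score one comment body; a comment is flagged when its weighted indicator sum reaches THRESHOLD."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(body):
            score += weight
            hits.append(name)
    return Verdict(score, hits, score >= THRESHOLD)


def triage_many(comments):
    """Return (author, verdict) pairs, highest score first, so reviewers see likely lures at the top."""
    scored = [(c["author"], triage_comment(c["body"])) for c in comments]
    return sorted(scored, key=lambda pair: -pair[1].score)


# Constructed sample comments, not real GitHub data.
SAMPLE_COMMENTS = [
    {"author": "user-a", "body": "Fixed it! Download the patch here: https://www.mediafire.com/file/abc123/fix.zip "
                                 "Password: changeme. Unzip and run x86_64-w64-ranlib.exe"},
    {"author": "user-b", "body": "Same issue here, see https://bit.ly/3xyzfix, archive password is changeme, run the exe inside."},
    {"author": "user-c", "body": "Can reproduce on 0.12.1. Stack trace attached in the gist below; PR #123 seems related."},
]

if __name__ == "__main__":
    for author, v in triage_many(SAMPLE_COMMENTS):
        print(f"{author}: score={v.score} hits={v.hits} suspicious={v.suspicious}")
```

A hit on the password indicator alone is a strong signal here because the same password was reused across the whole campaign; the threshold still requires a second indicator to limit false positives on legitimate comments that mention a password.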
Archive containing Lumma Stealer installer
The Lumma Stealer is an advanced infostealer that, once launched, tries to steal cookies, credentials, passwords, credit card data, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.
In addition, the malware is capable of stealing cryptocurrency wallets, private keys, and text files with names like seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt, as well as files with .txt and .pdf extensions, as they may contain private keys and passwords. The collected data is archived and sent to attackers, who can use it for further attacks or sell it on cybercriminal markets.
Despite efforts by GitHub staff to remove such comments, many users have already been affected. Those who ran the malware are advised to change the passwords on all their accounts immediately, using a unique password for each site, and to move any cryptocurrency to a new wallet.
In July, Check Point Research reported a similar campaign run by the Stargazer Goblin group, which used more than 3,000 fake GitHub accounts to distribute stealers as part of a Distribution-as-a-Service (DaaS) scheme. It is not yet clear whether the two campaigns are related or run by different groups.
Source