Malware distributors have begun to use a new way to send malicious emails on behalf of the security team on GitHub. The mailing is aimed at encouraging maintainers and developers using the Windows platform to take actions that lead to the installation of malware on their systems. The method is interesting because the emails come from real GitHub mail servers and, if you don't pay attention to the little things, resemble real notifications.
To send emails from GitHub servers, attackers post a message in the "issues" section of the attacked project on GitHub about the detection of a security-related problem, but instead of describing the essence of the vulnerability, they add text stylized as a warning from the Github Security Team. Project developers are sent an email notifying them of a new "issues" message, which doesn't look like a message from an outsider, but like a notification from GitHub itself. In order to prevent developers from noticing suspicious activity on the GitHub page, the created issue is immediately deleted.
The text of the message indicates that additional information about the identified problem can be obtained on the github-scanner.com website. This site was created by cybercriminals and uses a delightfully simple and naïve method to organize the launch of malware on the victim's system: when the site is opened, the visitor is asked to confirm that the login was made by a real user and not by a bot, and is told to first agree to pass the check and then press the keyboard shortcuts "Windows+R", "Ctrl+V" and Enter. When the agree button is clicked, the PowerShell command that downloads and runs the malicious application is copied to the clipboard; when the keyboard shortcuts are pressed, the command entry window opens, and the malicious command is pasted from the clipboard and executed.
If the command is executed, the "LUMMASTEALER" malware is installed on the user's system, which searches for and sends confidential data to the attackers' server, such as access keys, crypto wallets, saved passwords and session cookies from browsers.
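The point of this campaign is that the sender checks a mail gateway normally relies on pass: the notification genuinely comes from GitHub's servers, and only the issue body is attacker-controlled. A useful triage check therefore looks at the body, not the envelope. The following script is an added example, not code from the post or from GitHub, that takes a constructed GitHub-style issue notification, extracts every link, and flags any link whose host is not github.com or a subdomain of it, plus phrases that impersonate the GitHub security team. The sample e-mail text, the `example-org/example-repo` repository and the phrase list are assumptions made for the example; the only value taken from the post is the github-scanner.com lure domain.

```python
import re
from urllib.parse import urlparse

# Constructed sample notification, modelled on the post's description.
# Sender and footer are what a real GitHub issue notification carries;
# the body is the attacker-controlled issue text. Repository name,
# issue number and wording are placeholders for this example.
SAMPLE_NOTIFICATION = """From: notifications@github.com
Subject: [example-org/example-repo] Security vulnerability detected (Issue #1234)

We have detected a security vulnerability in your repository.
Please visit https://github-scanner.com/ to get more information on how to fix this issue.

Github Security Team

--
Reply to this email directly or view it on GitHub:
https://github.com/example-org/example-repo/issues/1234
"""

# Hosts a genuine GitHub notification may legitimately link to (assumption:
# extend this list for your own environment, e.g. a GitHub Enterprise host).
TRUSTED_HOSTS = ("github.com", "githubusercontent.com")

# Wording that impersonates GitHub staff; an assumed starting list, not a
# complete signature of the campaign.
IMPERSONATION_PHRASES = ("github security team", "security vulnerability detected")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def host_is_trusted(host):
    """True only for an exact trusted host or a real subdomain of one.

    The suffix check requires a leading dot, so look-alikes such as
    'github-scanner.com' or 'github.com.evil.example' are rejected.
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def extract_urls(text):
    """Return every http(s) URL found in the message text."""
    return URL_RE.findall(text)


def triage_notification(text):
    """Return a list of findings; an empty list means nothing suspicious.

    Each off-platform link becomes one finding, and each impersonation
    phrase present in the text becomes one finding.
    """
    findings = []
    for url in extract_urls(text):
        host = urlparse(url).hostname or ""
        if not host_is_trusted(host):
            findings.append(f"off-platform link: {url} (host {host})")
    lowered = text.lower()
    for phrase in IMPERSONATION_PHRASES:
        if phrase in lowered:
            findings.append(f"impersonation phrase: {phrase!r}")
    return findings


if __name__ == "__main__":
    for finding in triage_notification(SAMPLE_NOTIFICATION):
        print(finding)
```

On the sample above the script reports the github-scanner.com link and both impersonation phrases, while the genuine github.com issue link in the footer is not flagged. Because the issue is deleted right after the notification is sent, the e-mail copy is often the only artifact left for an investigator, which is why the check runs on the message body rather than on the repository.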