Stealers disguised as legitimate software were found on GitHub

Father

Cybercriminals have launched a campaign in which they are trying to disguise malware as legitimate software on the GitHub portal. This was stated by information security researchers from Recorded Future.

It is known that the hackers were operating from the territory of the CIS and were distributing Atomic macOS Stealer (AMOS), Vidar, Lumma and Octo. Among the legitimate apps the malware was disguised as were 1Password, Bartender 5, and Pixelmator Pro. The use of a single infrastructure for all the stealers is noted, which, according to the authors, should have increased the effectiveness of cross-platform attacks.

During the study, analysts were able to identify 12 sites that advertised software for macOS but ultimately led to a GitHub profile with the nickname papinyurii33, which offered a disguised AMOS stealer for download. He also took part in the distribution of the Octo banking trojan for Android and a number of stealers for Windows. The account itself was created on January 16, 2024 and contained only two repositories. No changes have been made to them since March 7.

Interestingly, several IP addresses were associated with this campaign, and four of them appeared in the DarkComet RAT infrastructure and on a FileZilla FTP server. This server, in turn, participated in the distribution of the Lumma and Vidar stealers. And from August 2023 to February 2024, victims of the Raccoon stealer were infected in a similar way.