Hackers Exploit GitHub and FileZilla to Deliver Malware Cocktail

A “multi-faceted campaign” has been observed abusing reputable services such as GitHub and FileZilla to distribute a variety of banking trojans and stealer malware, including Vidar, Atomic (also known as AMOS), Lumma (also known as LummaC2), and Octo, by posing as legitimate applications such as 1Password, Bartender 5, and Pixelmator Pro.

“The presence of multiple malware variants suggests a broad cross-platform targeting strategy, while the overlapping C2 infrastructure points to a centralised command setup — possibly increasing the efficiency of the attacks,” said Insikt Group, the threat research division of Recorded Future.

The campaign, which the cybersecurity company tracks under the name GitCaught, not only demonstrates the misuse of legitimate internet services to orchestrate cyberattacks, but also the reliance on several malware variants targeting Windows, macOS, and Android to boost the success rate.

Attack chains involve hosting counterfeit copies of popular software on GitHub via fake profiles and repositories, with the goal of harvesting sensitive data from infected devices. Links to these malicious files are then embedded in a number of domains that are typically promoted through SEO poisoning and malvertising operations.

The adversary behind the operation, believed to be Russian-speaking threat actors from the Commonwealth of Independent States (CIS), has also been observed using FileZilla servers to manage and deliver malware.

Further analysis of the disc image files on GitHub and the related infrastructure has established that the attacks are part of a wider campaign that has been delivering DarkComet RAT, RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, and DanaBot since at least August 2023.

Another noteworthy aspect of the Rhadamanthys infection pathway is that victims who visit the fake application websites are redirected to payloads hosted on Bitbucket and Dropbox, suggesting a wider misuse of legitimate services.

This development coincides with the Microsoft Threat Intelligence team warning that the macOS backdoor codenamed Activator remains a “very active threat”. It is distributed through disc image files posing as cracked versions of genuine software and is used to steal data from the Exodus and Bitcoin-Qt wallet applications.

“It prompts the user to let it run with elevated privileges, turns off the macOS Gatekeeper, and disables the Notification Centre,” Microsoft said. “It then downloads and launches multiple stages of malicious Python scripts from multiple command-and-control (C2) domains and adds these malicious scripts to the LaunchAgents folder for persistence.”
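The persistence step Microsoft describes, a LaunchAgent that re-launches a Python script on login, is something defenders can triage on a host. The following script is an added example written for this article, not code from Microsoft or Recorded Future, and the paths, regexes and sample plists in it are assumptions chosen for illustration rather than indicators from either report. It parses LaunchAgent plists and flags agents that hand execution to an interpreter, reference a user-writable cache or temp path, or combine RunAtLoad with KeepAlive so they respawn when killed.

```python
"""
Added example (not from the article, Microsoft or Recorded Future): triage
LaunchAgents plists for the persistence pattern described above -- an agent
that launches a Python interpreter on a script dropped in a temp/cache path.
Sample plists are constructed inline so this runs offline.
"""
import plistlib
import re
import tempfile
from pathlib import Path

# Heuristics are assumptions for this example, not indicators from the report.
INTERPRETERS = re.compile(r"(^|/)(python[0-9.]*|osascript|bash|sh|zsh|curl)$")
USER_WRITABLE = re.compile(
    r"^(/tmp/|/private/tmp/|/var/folders/|/Users/[^/]+/(Library/Caches|\.[^/]+)/)"
)


def assess_agent(plist_path: Path) -> list[str]:
    """Return the reasons an agent looks suspicious; an empty list means clean."""
    with plist_path.open("rb") as fh:
        data = plistlib.load(fh)
    reasons = []
    argv = [data["Program"]] if data.get("Program") else []
    argv += [a for a in (data.get("ProgramArguments") or []) if isinstance(a, str)]
    if not argv:
        return ["no Program/ProgramArguments"]
    if INTERPRETERS.search(argv[0]):
        reasons.append(f"launches interpreter {argv[0]}")
    for arg in argv:
        if USER_WRITABLE.match(arg):
            reasons.append(f"references user-writable path {arg}")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive (respawns when killed)")
    return reasons


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Map each flagged *.plist filename in directory to its reasons."""
    findings = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            reasons = assess_agent(path)
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[path.name] = reasons
    return findings


# Constructed sample agents (not real IoCs): one benign, one matching the pattern.
BENIGN = {
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
}
SUSPICIOUS = {
    "Label": "com.apple.helper",  # label chosen to blend in with Apple's own agents
    "ProgramArguments": ["/usr/bin/python3", "/Users/alice/Library/Caches/.helper/stage2.py"],
    "RunAtLoad": True,
    "KeepAlive": True,
}


def demo() -> dict[str, list[str]]:
    """Write the two sample plists to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = Path(tmp)
        with (agents / "com.example.updater.plist").open("wb") as fh:
            plistlib.dump(BENIGN, fh)
        with (agents / "com.apple.helper.plist").open("wb") as fh:
            plistlib.dump(SUSPICIOUS, fh)
        return scan_launch_agents(agents)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a real Mac, point `scan_launch_agents` at `~/Library/LaunchAgents` and `/Library/LaunchAgents`; expect some legitimate agents to trip a single heuristic, so treat two or more reasons on one plist, or an interpreter paired with a hidden cache path, as the signal worth pulling the script for.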
