This investigation uncovered a large-scale campaign involving backdoored GitHub repositories targeting game cheaters and inexperienced cybercriminals. The threat actor, possibly linked to a Distribution-as-a-Service operation, uses multiple types of backdoors and a convoluted infection chain leading to RATs and infostealers. The campaign involves automated commits, obfuscation techniques, and complex payloads. Researchers found over 100 malicious repositories with distinct contributor roles, suggesting an automated framework. The eventual payload includes AsyncRAT, Remcos, and Lumma Stealer. The threat actor uses Telegram for notifications and various paste sites for hosting malicious code. This case highlights the complexity of modern cyber threats and the importance of cautious approaches to open-source repositories.

Author: AlienVault
Related Tags:
T1553.004
T1136.001
T1027.001
T1059.005
T1059.007
T1059.006
T1027.002
T1070.004
T1056.001
Associated Indicators: