A sophisticated, multi-pronged campaign has come to light that leverages legitimate platforms such as GitHub and FileZilla to distribute an assortment of stealer malware and banking trojans, including Atomic (also known as AMOS), Vidar, Lumma (also known as LummaC2), and Octo, by masquerading as reputable applications such as 1Password, Bartender 5, and Pixelmator Pro.
“The detection of diverse malware variants implies a comprehensive cross-platform targeting methodology, while the shared C2 infrastructure indicates a unified command scheme — potentially enhancing the attacks’ effectiveness,” Recorded Future’s Insikt Group articulated in a detailed analysis.
The cybersecurity company, which tracks this activity under the codename GitCaught, emphasized that the campaign not only shows how legitimate internet services are abused to conduct intrusions but also highlights the deployment of multiple malware strains targeting Android, macOS, and Windows systems to raise the odds of a successful compromise.
The modus operandi includes the use of fake profiles and repositories on GitHub that host counterfeit versions of well-known software with the intent of exfiltrating sensitive data from infected devices. Links to these malicious files are then embedded in numerous domains, typically promoted through malvertising and SEO manipulation.
The operators behind the scheme, believed to be Russian-speaking cybercriminals from the Commonwealth of Independent States (CIS), have also been observed using FileZilla servers to manage and distribute malware.
In-depth scrutiny of the disk image files on GitHub and the interconnected infrastructure has revealed that these assaults are part of a broader initiative aimed at delivering RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, DanaBot, and DarkComet RAT since at least August 2023.
The infection chain for Rhadamanthys is particularly notable: victims who visit the counterfeit application websites are redirected to payloads hosted on Bitbucket and Dropbox, indicating a broader misuse of legitimate services.
This development coincides with Microsoft Threat Intelligence’s report that the macOS backdoor codenamed Activator remains a “highly active menace,” distributed via disk image files that impersonate cracked versions of legitimate software and that siphon data from the Exodus and Bitcoin-Qt wallet applications.
“It prompts the user to grant elevated privileges, disables macOS Gatekeeper, and deactivates the Notification Center,” the tech conglomerate explained. “Subsequently, it downloads and initiates multiple stages of pernicious Python scripts from various command-and-control (C2) domains and incorporates these malevolent scripts into the LaunchAgents folder for persistence.”
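The persistence pattern Microsoft describes (Python scripts dropped as LaunchAgents) is something a defender can look for on a fleet. The script below is an added example written for this article; it is not code from Microsoft, Recorded Future, or any of the malware families discussed. It reads every `.plist` in a LaunchAgents directory with the standard-library `plistlib`, flags agents that launch an interpreter directly, reference a `.py` script, or point at a script in a temporary or shared location, and also includes a small helper that interprets the output of `spctl --status` so a Gatekeeper-disabled state can be reported alongside. The two sample plists, their labels, and the paths inside them are constructed for the demo; the interpreter list and the "unusual location" prefixes are assumptions a team would tune to its own baseline.

```python
"""Scan macOS LaunchAgents for the interpreter-based persistence pattern.

Added example, not code from the article or the vendors it cites.
Run with no arguments to scan two constructed sample plists, or pass a
directory such as ~/Library/LaunchAgents to scan a real one.
"""
import os
import plistlib
import sys
import tempfile
from pathlib import Path

# Interpreters that a legitimate login agent rarely needs to invoke directly
# (assumption: tune to your environment's baseline).
INTERPRETERS = {"python", "python3", "sh", "bash", "zsh", "osascript", "curl"}
# Locations where a persistent script is unusual for a vendor-installed agent
# (assumption: extend with whatever your fleet considers normal).
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def _basename(token: str) -> str:
    return os.path.basename(token).lower()


def assess_agent(plist: dict) -> list[str]:
    """Return the reasons a parsed LaunchAgent plist looks suspicious ([] if none)."""
    reasons: list[str] = []
    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program")
    if program:
        args = [program] + args
    if not args:
        return reasons
    if _basename(args[0]) in INTERPRETERS:
        reasons.append(f"launches interpreter {_basename(args[0])!r} directly")
    for tok in args:
        if not isinstance(tok, str):
            continue
        if tok.startswith(SUSPICIOUS_DIRS):
            reasons.append(f"references script in unusual location {tok!r}")
        if tok.lower().endswith(".py"):
            reasons.append(f"runs Python script {tok!r}")
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad is set, so it fires at every login")
    return reasons


def scan_launch_agents(directory: str) -> dict[str, list[str]]:
    """Parse every *.plist in `directory` and map file name -> list of findings."""
    results: dict[str, list[str]] = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError, ValueError) as exc:
            # An unreadable agent file is itself worth a look.
            results[path.name] = [f"unreadable plist: {exc}"]
            continue
        results[path.name] = assess_agent(plist)
    return results


def gatekeeper_disabled(spctl_status_output: str) -> bool:
    """Interpret `spctl --status` output: 'assessments disabled' means Gatekeeper is off."""
    return "disabled" in spctl_status_output.lower()


def demo() -> dict[str, list[str]]:
    """Write two constructed sample plists to a temp dir and scan them."""
    samples = {
        "com.constructed.legit.plist": {  # constructed benign agent
            "Label": "com.constructed.legit",
            "Program": "/Applications/Example.app/Contents/MacOS/helper",
            "RunAtLoad": True,
        },
        "com.constructed.suspicious.plist": {  # constructed interpreter-based agent
            "Label": "com.constructed.suspicious",
            "ProgramArguments": ["/usr/bin/python3", "/private/tmp/.stage2.py"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                plistlib.dump(content, fh)
        return scan_launch_agents(tmp)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    findings = demo() if target is None else scan_launch_agents(os.path.expanduser(target))
    for name, reasons in findings.items():
        print(f"{'SUSPICIOUS' if reasons else 'ok':10} {name}")
        for reason in reasons:
            print(f"           - {reason}")
```

The checks are deliberately structural rather than signature-based: they key on what the agent runs and from where, so they catch the described behaviour without depending on a specific script name. On a real host, pair the scan of `~/Library/LaunchAgents` and `/Library/LaunchAgents` with the output of `spctl --status`, since an agent like this appearing at the same time Gatekeeper assessments turn off is a stronger signal than either alone.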