Threat Actor Stargazer Goblin Uses Over 3,000 GitHub Accounts for Malware Distribution

Security researchers have discovered a network of over 3,000 GitHub accounts involved in an extensive malware distribution campaign.

The Distribution as a Service (DaaS) operation by a threat actor tracked as “Stargazer Goblin” by Check Point Research operates the “Stargazers Ghost Network” of GitHub Ghost accounts.

Active since August 2022, it promotes social media, gaming, and cryptocurrency tools and distributes various malware, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.

Threat actor uses bulk Ghost GitHub accounts to star malicious repositories

The malicious actor uses fake accounts to star, fork, and subscribe to malicious repositories to increase their reputation. Within a “short time,” the study identified over 2,200 malicious GitHub repositories with “Ghost” activities.

“The Stargazers Ghost Network changes the game by providing a malicious repository where a malicious link is “starred” and “verified” by multiple GitHub accounts, thereby supporting its legitimacy,” Check Point Research said. “Our latest calculations suggest there are more than 3,000 Ghost accounts. Considering a campaign of approximately 30 repositories utilizing around 380 Ghost accounts, the total number may be even higher.”

Given the large number of GitHub accounts involved in the deceptive practices, the malicious activity is likely automated.

It remains unclear how the attackers obtained bulk Ghost GitHub accounts. However, Check Point researchers suggested that “many of the accounts in the Stargazers Ghost Network are compromised.” Similarly, other reports have observed threat actors buying and selling GitHub repositories on dark web forums.

Highly effective GitHub malware distribution campaign

The threat actor attaches a README.md file containing a phishing download link to an external repository’s release. To survive GitHub’s takedown, they spread responsibilities across three GitHub accounts.

  1. The first account serves the “phishing” repository template;
  2. The second account provides the phishing image template;
  3. The third account serves the malware as a password-protected archive in a Release.

Since GitHub attempts to detect malicious files or archives, spreading malware in password-protected archives enables the threat actor to evade automated detection.
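A defensive heuristic for the two signals described above (bulk ghost starring, and a README whose download link points at a Release hosted in a different account), as an added Python example that is not part of the Check Point report; the regex, the window size, the account names and the sample data are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches GitHub release links and captures the owner and repository (constructed regex).
RELEASE_LINK = re.compile(
    r"https?://github\.com/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)/releases(?:/\S*)?"
)

# Constructed README: the download link lives under a different owner than the repo itself.
SAMPLE_README = """# Cool Tool
Download the latest build here:
https://github.com/release-account-example/tool-builds/releases/download/v1/tool.zip
Source: https://github.com/template-account-example/cool-tool/releases/tag/v1
"""


def cross_owner_release_links(readme_text, repo_owner):
    """Return (owner, repo, url) for release links that point at another owner's repo.

    The split-role pattern keeps the README in one account and the archive in a
    Release of another, so such links deserve a closer look before downloading.
    """
    found = []
    for m in RELEASE_LINK.finditer(readme_text):
        owner, repo = m.group(1), m.group(2)
        if owner.lower() != repo_owner.lower():
            found.append((owner, repo, m.group(0)))
    return found


def star_burst(star_times, window=timedelta(hours=1)):
    """Largest number of stars landing inside any sliding window of the given size.

    Organic stars trickle in; bulk ghost starring tends to arrive in a tight burst.
    """
    times = sorted(star_times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:   # drop stars older than the window
            j += 1
        best = max(best, i - j + 1)
    return best


def sample_star_times():
    """Constructed star timestamps: 40 stars in ten minutes plus three organic ones."""
    base = datetime(2024, 6, 1, 12, 0, 0)
    burst = [base + timedelta(seconds=15 * i) for i in range(40)]
    organic = [base - timedelta(days=d) for d in (30, 12, 3)]
    return burst + organic
```

Real star timestamps would come from the GitHub API's stargazers endpoint; the threshold that counts as a burst should be tuned against repositories you already trust.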

However, when the third account is detected, “GitHub bans the entire account, repository, and associated releases,” the report stated.

“In response to such actions, Stargazer Goblin updates the first account’s phishing repository with a new link to a new active malicious release. This allows the network to continue operating with minimum losses when a malware-serving account is banned,” the researchers noted.

Similarly, GitHub usually bans Commit and Release accounts “once their malicious repositories are detected,” while Repository and Ghost Stargazer accounts are usually unaffected.

As a result, spreading responsibility across numerous GitHub accounts enables the threat actor to quickly fix broken links and replace banned components after takedown activity.

“Using different account roles ensures there is only minimal damage when and if GitHub takes action against accounts or repositories that violated its rules,” the report noted.

Meanwhile, Check Point found that the malware distribution campaign was highly effective in compromising unsuspecting victims.

“The campaigns performed by the Stargazers Ghost Network and malware distributed via this service are extremely successful,” the report stated. “In a short period of time, thousands of victims installed software from what appears to be a legitimate repository without suspecting any malicious intent. The heavily victim-oriented phishing templates allow threat actors to infect victims with specific profiles and online accounts, making the infections even more valuable.”

The malicious repositories use specific tags such as gaming, cryptocurrency, and social media to target specific victim profiles.

“Often, the network utilizes identical tags and images but switches the “targeted audience” from one social media application or cracked software to another, but employing the same template,” the researchers noted.

These tactics often work like a charm. Within four days of the researchers identifying the Atlantida stealer, which pilfers account credentials, personally identifiable information (PII), and cryptocurrency wallets, the malware had infected 1,300 victims.

Similarly, another malware distribution campaign spreading Rhadamanthys, a multi-layered info-stealer, infected 1,050 victims within two weeks.

The research firm also anticipates that the malware distribution campaign is earning a substantial profit for Stargazer Goblin, who charges $10 for 100 GitHub stars, $50 for 500 stars, and $2 for “aged” repos. The report states that the threat actor earned approximately $8,000 from mid-May to mid-June 2024 and $100,000 throughout the campaign.

Meanwhile, GitHub has taken down about 1,500 repositories and associated accounts, although some 200 accounts are still spreading malware.

GitHub malware distribution campaign extends to social media

The malware distribution campaign is not limited to the Microsoft-owned platform. Check Point researchers observed Ghost accounts operating on other platforms besides GitHub, such as Twitter, YouTube, Discord, Instagram, and Facebook.

“Similar to GitHub, other platforms can be utilized to legitimize malicious phishing and distribute links and malware to victims through posts, repositories, videos, tweets, and channels, depending on the features each platform offers,” the researchers noted.

On social platforms such as Discord, the threat actor promotes malicious repositories as sources of game mods, cracked Windows software such as Adobe Photoshop and VPNs, and trading, cryptocurrency, and AI tools.

In one case, Check Point researcher Antonis Terefos observed a threat actor sharing malicious links on YouTube videos.

“In the YouTube video, the threat actor is seen downloading a password-protected archive from clouds-folder[.]com, extracting it using the password 2424, and then proceeding to execute the installer (Lumma Stealer),” said Terefos.

Given the effort and time required to analyze videos, using YouTube makes it even more challenging to shut down the malware distribution campaign using automation.