The Stargazer Goblin Malware Distribution Network: A Sophisticated Threat to GitHub Security
Introduction

A cybercriminal entity, identified as Stargazer Goblin, has orchestrated an intricate malware distribution operation through a network of inauthentic GitHub accounts. This Distribution-as-a-Service (DaaS) network has facilitated the spread of various information-stealing malware families, enabling the perpetrators to amass over $100,000 in illicit profits within the past year. This article delves into the structure of the Stargazer Goblin network, its operational methods, and the implications of its activities on GitHub and the broader cybersecurity landscape.

The Stargazers Ghost Network

The Stargazer Goblin network, also known as the "Stargazers Ghost Network," consists of more than 3,000 fraudulent accounts on GitHub. These accounts are used to host thousands of repositories, which are instrumental in distributing malicious links and malware. According to cybersecurity firm Check Point, the network has been active since at least August 2022, with its first advertisement on the dark web surfacing in July 2023.

Malware Distribution Methods

The Stargazer Goblin network propagates several well-known malware families, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. The fraudulent accounts engage in various activities to lend legitimacy to their repositories, such as starring, forking, watching, and subscribing to these repositories. This strategy is designed to make the repositories appear legitimate and trustworthy to unsuspecting users.

Operational Structure and Resilience

The network is organized so that different categories of GitHub accounts carry distinct roles. One set of accounts hosts the phishing repository templates, the lure a victim actually lands on; another hosts the images those templates embed; and a third serves the malware itself, typically as a password-protected archive presented as cracked software, a game cheat or a similar "free" tool. Splitting the roles across accounts limits what any single takedown removes.

This separation is also what makes the network resilient to GitHub's takedown efforts. The account hosting the payload is the one most likely to be detected and banned; when that happens, the operators only need to edit the download link in the phishing repository so that it points at a fresh payload account. The lure repository, together with the stars, forks and search ranking it has accumulated, survives, and the operation continues with minimal disruption.
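The two signals described in this and the preceding section, a burst of stars from throwaway accounts and a README that funnels visitors to a password-protected archive hosted off GitHub, can be checked mechanically. The script below is an added example written for this article, not Check Point's detection tooling and not anything from GitHub; the stargazer records and the README are constructed, and the field names mirror what GitHub's REST API returns for stargazers and users (login, created_at, starred_at, public_repos, followers) without ever querying it.

```python
"""Triage a GitHub repository for Stargazers-Ghost-style inauthentic promotion.

Added illustration, not Check Point's tooling. Input records are constructed;
field names (login, created_at, starred_at, public_repos, followers) mirror
GitHub's REST API stargazer/user objects, but nothing here talks to GitHub.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

UTC = timezone.utc


@dataclass
class Stargazer:
    login: str
    created_at: datetime  # account creation time
    starred_at: datetime  # when this account starred the repository
    public_repos: int
    followers: int


def is_ghost(s: Stargazer, snapshot: datetime, max_age_days: int = 180) -> bool:
    """Throwaway-looking account: young, publishes nothing, followed by nobody."""
    return (snapshot - s.created_at <= timedelta(days=max_age_days)
            and s.public_repos <= 1 and s.followers == 0)


def star_burst_fraction(stars: list[Stargazer], window: timedelta = timedelta(hours=1)) -> float:
    """Largest share of all stars that landed inside one sliding time window.
    Organic stars trickle in over months; bought or bot stars arrive in a burst."""
    if not stars:
        return 0.0
    times = sorted(s.starred_at for s in stars)
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best / len(times)


URL_RE = re.compile(r"https?://[^\s)\]>\"']+")
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)\b", re.I)
PASSWORD_RE = re.compile(r"\bpass(word)?\s*[:=]", re.I)
LURE_RE = re.compile(r"\b(crack(ed)?|keygen|cheats?|aimbot)\b", re.I)


def _offsite(url: str) -> bool:
    """True when the link leaves GitHub-controlled hosts."""
    host = (urlparse(url).hostname or "").lower()
    return not (host == "github.com" or host.endswith(".github.com")
                or host.endswith(".githubusercontent.com"))


def readme_lures(readme: str) -> list[str]:
    """Textual tells of a phishing-template repository."""
    findings = [f"off-site archive download: {u}"
                for u in URL_RE.findall(readme) if _offsite(u) and ARCHIVE_RE.search(u)]
    if PASSWORD_RE.search(readme):
        findings.append("archive password published in README")
    if LURE_RE.search(readme):
        findings.append("cracked-software / game-cheat wording")
    return findings


def triage(stars: list[Stargazer], readme: str, snapshot: datetime) -> dict:
    """Combine the account-quality, timing and README signals into one verdict."""
    ghost_ratio = (sum(is_ghost(s, snapshot) for s in stars) / len(stars)) if stars else 0.0
    burst = star_burst_fraction(stars)
    lures = readme_lures(readme)
    score = 0
    if ghost_ratio >= 0.6:
        score += 2
    if len(stars) >= 10 and burst >= 0.5:  # a burst is meaningless for a handful of stars
        score += 1
    score += len(lures)
    return {"ghost_ratio": ghost_ratio, "burst_fraction": burst, "lures": lures,
            "score": score, "verdict": "suspicious" if score >= 3 else "clean"}


# Constructed sample: 20 look-alike accounts created in one batch star the
# repository within 40 minutes of each other, plus two organic users.
SNAPSHOT = datetime(2024, 3, 2, tzinfo=UTC)
GHOSTS = [Stargazer(f"ghost{i:02d}", datetime(2024, 1, 10, tzinfo=UTC) + timedelta(hours=i),
                    datetime(2024, 3, 1, 12, tzinfo=UTC) + timedelta(minutes=2 * i), 0, 0)
          for i in range(20)]
ORGANIC = [Stargazer("alice", datetime(2016, 5, 3, tzinfo=UTC), datetime(2024, 2, 20, 9, tzinfo=UTC), 42, 150),
           Stargazer("bob", datetime(2019, 8, 14, tzinfo=UTC), datetime(2024, 2, 27, 18, tzinfo=UTC), 12, 30)]
SAMPLE_STARS = GHOSTS + ORGANIC
SAMPLE_README = """# ProApp 2024 Cracked + Keygen

Download (password-protected archive): https://files.example.invalid/ProApp-2024-cracked.zip
Password: 2024

Launcher source: https://github.com/example-org/launcher
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_STARS, SAMPLE_README, SNAPSHOT).items():
        print(f"{key}: {value}")
```

The thresholds (60 % ghost accounts, half of all stars inside one hour, three or more points) are starting values rather than calibrated numbers. Against real data, the stargazer list would be pulled with the `application/vnd.github.star+json` media type, which is what makes `starred_at` available, and the thresholds tuned against a set of repositories known to be legitimate.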

Social Engineering and Extortion Tactics

GitHub users have also been the target of a separate extortion campaign reported around the same time, which has not been attributed to Stargazer Goblin. Phishing emails disguised as GitHub notifications lure developers into authorizing a malicious OAuth app; once authorized, the app wipes the contents of the victim's repositories and the attackers demand payment to restore them. The practical check is the same for any third-party app: the authorization page shows the publishing account and the requested scopes, and an app asking for the repo scope is asking for full read and write access to every repository the user can reach, so that request deserves scrutiny before it is approved.

GitHub Vulnerabilities and Security Concerns

The emergence of the Stargazer Goblin network coincides with broader concerns about how GitHub handles deleted repositories and forks. Research published by Truffle Security describes what it calls Cross Fork Object Reference (CFOR): because every repository in a fork network shares one object store, a commit pushed to any fork, or to the upstream, remains retrievable through any other repository in the network by its SHA, even after the repository or fork that introduced it has been deleted, and even if it was never on a branch anyone else could see. A short SHA prefix is enough to reach it, and such prefixes are small enough to enumerate. GitHub has described this as intended behaviour rather than a vulnerability. The practical consequence is that a secret committed anywhere in a fork network has to be treated as leaked and rotated, since deleting the fork or the commit does not remove it.
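The mechanism is easy to reproduce locally with plain git, because the behaviour comes from how a shared object store works rather than from anything GitHub-specific. The script below is an added example for this article, not code from Truffle Security or GitHub: a single bare repository stands in for the fork network's shared object store, and `uploadpack.allowAnySHA1InWant` makes it serve any object by SHA, as GitHub does. The AWS_SECRET value is a placeholder, and the repository and branch names are invented.

```sh
#!/bin/sh
# Local simulation of a fork network's shared object store (constructed example,
# not GitHub's infrastructure): one bare repository stands in for the object
# store that GitHub shares between an upstream repository and all of its forks.
set -eu

# Identity for the throwaway commits, so no global git config is required.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

cfor_demo() {
    work=$(mktemp -d)
    store="$work/network.git"

    git init -q --bare "$store"
    git -C "$store" symbolic-ref HEAD refs/heads/main
    # GitHub serves any object in the network by SHA; make the simulation do the same.
    git -C "$store" config uploadpack.allowAnySHA1InWant true

    # 1. The upstream maintainer publishes the project.
    git clone -q "$store" "$work/upstream" 2>/dev/null
    ( cd "$work/upstream" \
      && echo 'print("hello")' > app.py \
      && git add app.py && git commit -q -m "initial import" \
      && git push -q origin HEAD:refs/heads/main )

    # 2. A contributor forks, commits a secret by mistake, and pushes it to the fork.
    #    (Placeholder value; not a real credential.)
    git clone -q "$store" "$work/fork" 2>/dev/null
    secret_sha=$( cd "$work/fork" \
      && echo 'AWS_SECRET=constructed-example-not-a-real-key' > .env \
      && git add .env && git commit -q -m "wip" \
      && git push -q origin HEAD:refs/heads/fork-wip \
      && git rev-parse HEAD )

    # 3. "Delete the fork": its ref disappears, but the objects stay in the shared store.
    git -C "$work/fork" push -q origin --delete fork-wip
    rm -rf "$work/fork"

    # 4. Anyone who knows (or enumerates) the SHA pulls the commit through upstream.
    if git -C "$work/upstream" fetch -q origin "$secret_sha" 2>/dev/null; then
        echo "LEAKED: $(git -C "$work/upstream" show "$secret_sha:.env")"
    else
        echo "GONE"
    fi
    rm -rf "$work"
}

cfor_demo
```

The fetch succeeds because deleting a ref, or a whole fork, only drops a pointer; the objects remain until the server prunes unreachable objects, and Truffle Security's point is that GitHub does not do so when a fork is deleted. The only safe response to a secret that has ever been pushed anywhere in a fork network is to rotate it.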

Conclusion

The Stargazer Goblin network represents a sophisticated and persistent threat to GitHub and its users. By leveraging a complex network of fraudulent accounts and exploiting GitHub's infrastructure, the attackers have successfully evaded detection and maintained their illicit activities. The rise of such advanced DaaS operations underscores the need for enhanced security measures and vigilance within the developer community to protect against evolving cyber threats.
