Hacker network distributing malware on GitHub for over a year
Cybersecurity company Check Point has uncovered a network of roughly 3,000 "ghost" accounts on GitHub that are reportedly used to promote malware and phishing links. The research indicates that a cybercriminal known as "Stargazer Goblin" has hosted malicious code repositories on GitHub since at least June 2023. Antonis Terefos, the Check Point malware reverse engineer who discovered the activity, explains that these fake accounts "star," "fork," and "watch" the malicious repositories to make them appear popular and legitimate.
Exploiting GitHub's community tools for malicious activities
"Stargazer Goblin" has been abusing GitHub's community features, the stars, forks and watches that normally signal a project's popularity, to raise the visibility of these malicious repositories. Terefos points out that this method of operation is smart because it leverages how GitHub itself works, and notes that he has not previously seen a network of fake accounts operating in this manner on the platform. The buying and selling of repositories and of stars is coordinated through a cybercrime-linked Telegram channel and on criminal marketplaces.
'Stargazers Ghost Network' targets Windows users
The network, dubbed the "Stargazers Ghost Network" by Check Point, has been distributing malicious GitHub repositories that offer downloads of gaming, social media, and cryptocurrency tools. The pages often claim to provide code to run a VPN or to license a version of Adobe Photoshop. The research indicates the campaign primarily targets Windows users searching online for free apps and tools. The operator behind the network charges other criminals for its services, in what Check Point calls "distribution as a service."
GitHub takes action against malicious network
Alexis Wales, vice president of security operations at GitHub, states that the company has disabled the suspected user accounts in accordance with GitHub's Acceptable Use Policies, which prohibit posting content that directly supports malware campaigns or unlawful active attacks that cause technical harm. Check Point's research suggests the network could have started operating as early as August 2022 and may have earned as much as $100,000.
Cybersecurity experts warn users of malicious code
Jake Moore, global cybersecurity adviser at security firm Eset, warns that GitHub users, especially inexperienced ones, can easily be lured into downloading malicious code by fictitious reviews and inflated star counts. Terefos has also seen instances where the threat actor turned a legitimate code repository into a malicious one, potentially using stolen credentials. He believes the network's activity is likely automated and may be difficult for GitHub to identify, because it is designed to look like genuine user behaviour.
'Ghost' network potentially more extensive than initially thought
Terefos has automated the search for accounts linked to the network and can identify them by common features such as repositories built from similar templates and carrying similar tags. He has also identified a YouTube "ghost" account sharing malicious links via video, indicating that the network may extend beyond GitHub. Terefos concludes, "I think this is not the whole picture."
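The article describes the mechanism (throwaway accounts starring, forking and watching a repository so that it looks popular) and that the network can be picked out by shared traits across accounts. As an added example, not code from the article, from Check Point or from GitHub, the script below shows the kind of triage a practitioner could run on a repository's stargazer list before trusting its star count. The field names mirror what the GitHub REST API exposes (`starred_at` from the stargazers endpoint with the `application/vnd.github.star+json` media type; `created_at`, `public_repos` and `followers` from the users endpoint), but the sample accounts, the thresholds and the scoring rules are all constructed assumptions for illustration, not Check Point's detection logic.

```python
"""Heuristic triage of a repository's stargazers for coordinated 'ghost' accounts.

Added illustrative example. Thresholds, scoring and sample data are
constructed assumptions; they are not Check Point's or GitHub's logic.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Stargazer:
    """Per-account fields a client could fetch; every value below is constructed."""
    login: str
    created_at: date   # account creation date
    starred_at: date   # when this account starred the repository
    public_repos: int
    followers: int


def account_signals(s: Stargazer) -> list[str]:
    """Weak per-account indicators of a throwaway profile (assumed thresholds)."""
    reasons = []
    if s.public_repos == 0:
        reasons.append("no_public_repos")
    if s.followers == 0:
        reasons.append("no_followers")
    if s.starred_at - s.created_at <= timedelta(days=7):
        reasons.append("starred_within_week_of_creation")
    return reasons


def burst_days(dates: list[date], window_days: int, min_count: int) -> set[date]:
    """Return every date that falls inside a sliding window of `window_days`
    holding at least `min_count` events (a creation or starring burst)."""
    ordered = sorted(dates)
    bursting: set[date] = set()
    for i, start in enumerate(ordered):
        end = start + timedelta(days=window_days)
        j = i
        while j < len(ordered) and ordered[j] <= end:
            j += 1
        if j - i >= min_count:
            bursting.update(ordered[i:j])
    return bursting


def triage_stargazers(stargazers: list[Stargazer],
                      window_days: int = 3, min_cluster: int = 5) -> dict:
    """Flag an account only when it carries at least two weak profile signals
    AND sits inside a creation or starring burst, so a single new user who
    stars a project is not flagged on its own. Returns the flagged logins with
    their reasons, the fraction of stars they account for, and a verdict."""
    creation_burst = burst_days([s.created_at for s in stargazers], window_days, min_cluster)
    star_burst = burst_days([s.starred_at for s in stargazers], window_days, min_cluster)
    flagged: dict[str, list[str]] = {}
    for s in stargazers:
        weak = account_signals(s)
        bursts = []
        if s.created_at in creation_burst:
            bursts.append("creation_burst")
        if s.starred_at in star_burst:
            bursts.append("star_burst")
        if len(weak) >= 2 and bursts:
            flagged[s.login] = weak + bursts
    total = len(stargazers)
    fraction = round(len(flagged) / total, 2) if total else 0.0
    return {
        "flagged": flagged,
        "inflated_fraction": fraction,
        "verdict": "likely_inflated" if fraction >= 0.5 else "no_strong_signal",
    }


# Constructed sample: six 'ghost' accounts created within three days of each
# other, all starring on the same day with empty profiles, plus two organic users.
SAMPLE_STARGAZERS = [
    *[Stargazer(f"ghost{i:02d}", date(2023, 6, 1) + timedelta(days=i % 3),
                date(2023, 6, 5), public_repos=0, followers=0) for i in range(6)],
    Stargazer("maintainer_a", date(2019, 3, 14), date(2023, 8, 2), public_repos=42, followers=310),
    Stargazer("student_b", date(2021, 11, 1), date(2023, 9, 19), public_repos=6, followers=12),
]

if __name__ == "__main__":
    report = triage_stargazers(SAMPLE_STARGAZERS)
    print(report["verdict"], report["inflated_fraction"])
    for login, reasons in report["flagged"].items():
        print(f"  {login}: {', '.join(reasons)}")
```

Each signal is weak on its own (plenty of real newcomers have empty profiles), which is why the verdict requires both a thin profile and membership in a burst; the thresholds would need tuning against a known-good baseline before use, and a clean result says nothing about the repository's code itself.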