Security researchers have uncovered a secret network of around 3,000 “ghost” accounts on GitHub operated by the cybercriminal group known as Stargazer Goblin, under the name “Stargazers Ghost Network.”

Description

This group has been distributing various types of malware, including Atlantida Stealer [3] [5] [7] [8], Rhadamanthys [2] [5] [6] [7] [8], and Lumma Stealer [6], through repositories on GitHub [2] [5]. Stargazer Goblin has generated over $100,000 in illicit profits since August 2022 by sharing malicious links and malware through these accounts. The network charges other hackers for its services and offers various types of malware [6], such as RisePro, through its operations on GitHub and cybercrime forums [6]. In early July 2023 [2], an advertisement for Distribution-as-a-Service (DaaS) was spotted within the network [2], indicating a sophisticated operation [4]. Stargazer Goblin utilizes different categories of accounts on GitHub to make their infrastructure more resilient to takedown efforts and has expanded their operations to platforms like Discord, Facebook [2], Instagram [2], and YouTube to avoid detection. Additionally, unknown threat actors have been targeting GitHub repositories [2], wiping their contents [2], and extorting victims to contact a user named Gitloker on Telegram [2]. Truffle Security has issued an advisory regarding a Cross Fork Object Reference (CFOR) vulnerability on GitHub [2], posing a risk to organizations and developers [2]. Security researcher Antonis Terefos recommends implementing advanced cybersecurity measures like darknet monitoring and multi-factor authentication to protect against such threats [8]. Check Point Research estimates that the network earned around $8,000 in profits from mid-May to mid-June 2024 [7], with total profits likely exceeding $100,000 [7]. The network creates an illusion of legitimacy through high numbers of “stars” and interactions with repositories [7], often containing phishing templates with malicious download links [7]. In one campaign [7], Atlantida Stealer infected over 1,300 victims in less than four days [7], likely shared through platforms like Discord targeting users interested in increasing social media followers [7]. The use of GitHub for malware distribution is concerning due to its large user base [7], with potential impacts including ransomware infections [7], stolen credentials [7], and compromised cryptocurrency wallets [7]. A similar campaign was identified on YouTube [7], indicating a shift in malware Distribution as a Service approach to leverage popular platforms for covert infections [7], with the GitHub network part of a wider malicious distribution scheme [7]. Stargazer Goblin distributes malware through ‘Ghost’ accounts on GitHub [1], which appear as normal users to lend fake legitimacy to their actions [1]. These accounts include those serving phishing repository templates [1], providing images for phishing templates [1], and pushing malware disguised as cracked software and game cheats in password-protected archives [1]. When the accounts pushing malware are banned [1], Stargazer Goblin updates the phishing repository with new links to continue their malicious activities with minimal disruption [1]. The network utilizes multiple accounts for different activities [1], such as starring repositories [1], committing changes to README.md files [1], and hosting malicious releases [1], to minimize losses when GitHub takes action against them [1]. Stargazer Goblin [1] [2] [3] [4] [5] [6] [7] [8], a threat actor [2] [3] [5] [7], has been using GitHub accounts to distribute malware through its Distribution-as-a-Service network called “Stargazers Ghost Network” [3]. This network consists of over 3,000 active Ghost accounts and primarily distributes infostealers like RedLine [3], Lumma Stealer [2] [3] [6] [7], and Atlantida Stealer [2] [3] [5] [6] [7] [8]. The malware is hosted on GitHub repositories that are either password protected or linked to compromised WordPress sites [3]. The Ghost accounts have specific roles to ensure the resilience of the network [3], with one hosting the malware repository [3], one promoting it [3], and one hosting a repository with the link to the malware [3]. The malicious repositories use project names and tags related to popular interests to attract victims [3]. Despite GitHub’s actions against these repositories [3], over 200 are still active [3]. Users are advised to be cautious when downloading files or clicking links from GitHub repositories promoted via secondary sources like YouTube or social media [3].

Conclusion

The distribution of malware through GitHub poses significant risks, including ransomware infections [4] [7], stolen credentials [7], and compromised cryptocurrency wallets [7]. To mitigate these threats, advanced cybersecurity measures like darknet monitoring and multi-factor authentication are recommended [8]. The use of popular platforms like GitHub and YouTube for covert infections highlights the need for increased vigilance and security awareness among users. The evolving tactics of cybercriminal groups like Stargazer Goblin underscore the importance of proactive cybersecurity measures to protect against emerging threats.

References

[1] https://cyber.vumetric.com/security-news/2024/07/29/stargazer-goblin-creates-3000-fake-github-accounts-for-malware-spread/
[2] https://thehackernews.com/2024/07/stargazer-goblin-creates-3000-fake.html
[3] https://www.lexology.com/library/detail.aspx?g=81159d16-f4d3-402f-a7b9-67aa7920b12e
[4] https://securityonline.info/inside-the-operations-of-stargazer-goblin-unveiling-the-malicious-repositories/
[5] https://www.bankinfosecurity.com/github-network-fuels-malware-distribution-operation-a-25877
[6] https://www.yahoo.com/news/secretive-network-exploits-github-spread-110000882.html
[7] https://betanews.com/2024/07/26/microsoft-owned-github-is-haunted-by-ghost-accounts-spreading-malware/
[8] https://foresiet.com/blog/stargazer-goblins-fake-github-accounts-and-malware-distribution-tactics