A sophisticated cyber campaign has been exploiting legitimate services like GitHub and FileZilla to distribute various types of malware, including stealer malware and banking trojans like Atomic (also known as AMOS), Vidar, Lumma (also known as LummaC2), and Octo. These attacks disguise malware as trusted software such as 1Password, Bartender 5, and Pixelmator Pro.
“The variety of malware suggests a strategy aimed at multiple platforms, with shared command and control infrastructure enhancing the efficiency of the attacks,” reported the security researcher.
The cybersecurity firm, tracking the campaign under the name GitCaught, highlighted that the attacks not only misuse legitimate internet services but also employ a range of malware targeting Android, macOS, and Windows to boost success rates.
The attack process involves creating fake profiles and repositories on GitHub, hosting counterfeit versions of popular software to steal sensitive data from compromised devices. Links to these malicious files are embedded in various domains and distributed via malvertising and SEO poisoning campaigns.
The threat actors, suspected to be Russian-speaking and from the Commonwealth of Independent States (CIS), also use FileZilla servers for managing and delivering malware.
Further analysis revealed that the attacks are part of a broader campaign delivering RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, DanaBot, and DarkComet RAT since at least August 2023.
The Rhadamanthys infection method is particularly notable as victims are redirected to payloads hosted on Bitbucket and Dropbox from fake application websites, indicating a widespread abuse of legitimate services.
Additionally, Microsoft’s Threat Intelligence team reported that the macOS backdoor named Activator is still a “very active threat.” Distributed via disk image files posing as cracked software, it steals data from Exodus and Bitcoin-Qt wallet applications.
“It requests elevated privileges from the user, disables macOS Gatekeeper and Notification Center, then downloads and launches multiple stages of malicious Python scripts from various command-and-control domains, adding these scripts to the LaunchAgents folder for persistence,” explained Microsoft.
To defend against such malware campaigns, users should be cautious when downloading software and verify the authenticity of the source. Regularly updating security software and enabling real-time protection can help detect and block malicious files. Educating users about the dangers of downloading from untrusted sources and the importance of scrutinizing URLs can prevent accidental infections. Additionally, employing network monitoring tools can help detect unusual activities linked to malware.