Stargazers Ghost: Network of GitHub Accounts Used to Deliver Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Cybersecurity researchers at Check Point have uncovered a sophisticated network of GitHub accounts, dubbed the Stargazers Ghost Network, that has been distributing malware and phishing links since at least June 2023.

This network, operated by a threat actor known as Stargazer Goblin, represents a new and concerning trend in malware distribution on the popular code-hosting platform.

Traditional malware distribution methods, such as email attachments, have become heavily monitored. In response, threat actors have evolved their tactics.

The Stargazers Ghost Network represents a significant advancement in these tactics. It utilizes GitHub, the world’s largest open-source code hosting platform, to distribute malware. This network employs “ghost” accounts that star, fork, and watch malicious repositories, creating the illusion of popularity and trustworthiness.


The network operates by creating repositories that host malicious links and encrypted archives. These repositories are then starred and forked by other ghost accounts, enhancing their perceived legitimacy.

Stargazers accounts

The malicious links often lead to phishing templates or direct downloads of malware. During a campaign in January 2024, the network distributed Atlantida stealer, a malware designed to steal user credentials and cryptocurrency wallets.

The Stargazers Ghost Network comprises over 3,000 active accounts that engage in activities such as starring, forking, and subscribing to malicious repositories, reads the Check Point Research report.

These actions lend an air of legitimacy to the repositories, making them appear as credible projects to unsuspecting users. This network operates as a Distribution as a Service (DaaS), allowing threat actors to share and distribute malicious links and malware efficiently.

Stargazers network

The network’s operations are believed to date back to around August 2022, with a significant uptick in activity observed from mid-May to mid-June 2024. During that month alone, Stargazer Goblin is estimated to have earned approximately $8,000, and total earnings over the network’s lifespan are believed to be around $100,000.

Stargazers Ghost tactics

  1. Manipulating GitHub Community Tools
  2. Creating Fake Repositories
  3. Automated Engagement
  4. Distribution as a Service (DaaS)
  5. Attacking Legitimate Repositories

Malware Families and Distribution Methods

The Stargazers Ghost Network has been used to distribute a variety of malware, including:

  1. Atlantida Stealer
  2. Rhadamanthys
  3. RisePro
  4. Lumma Stealer
  5. RedLine

These families are information stealers, designed to harvest user credentials, cryptocurrency wallets, and other personally identifiable information (PII). The network spreads them through a range of tactics, including malicious links in README.md files and password-protected archives in the Releases section of repositories.

The network’s sophistication lies in its ability to maintain the appearance of legitimacy while distributing malicious content. Accounts within the network perform various roles to ensure smooth operation and quick recovery from any disruptions caused by account bans or repository takedowns.

Stargazers attack chain

For instance, one account may serve the phishing repository template, another provides images for the phishing template, and a third account handles the malware distribution through password-protected archives.

When a malware-serving account is banned, the network swiftly updates the phishing repository with a new link to an active malicious release, minimizing operational downtime. This compartmentalized structure allows the network to adapt quickly and continue its malicious activities with minimal losses.
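The two patterns described above, a README that points at a release hosted under a different account and a burst of stars from freshly created accounts, can be checked mechanically. The script below is an added example, not code from Check Point Research or from the page's author; every account, repository and README in it is constructed, the field names mirror the GitHub REST API (`starred_at` from the stargazers endpoint with the `star+json` media type, `created_at` from the users endpoint, shown here as `account_created_at`), and the 24-hour window, 30-day account age and 50% thresholds are assumptions a team would tune on its own data.

```python
import re
from datetime import datetime, timedelta

# https://github.com/<owner>/<repo>/releases/... links inside a README.
RELEASE_LINK = re.compile(
    r"https?://github\.com/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)/releases/[^\s)\"'<>]+"
)
ARCHIVE_LINK = re.compile(r"\.(?:zip|rar|7z)\b", re.I)
PASSWORD_HINT = re.compile(r"\bpassword\s*[:=]", re.I)


def parse_ts(ts: str) -> datetime:
    """GitHub API timestamps look like 2024-06-01T10:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def cross_account_release_links(readme: str, repo_owner: str) -> list[tuple[str, str]]:
    """Release links in the README that point at a repository under a different account.
    A template repo that sends visitors to a separate release-hosting account is the
    compartmentalised layout described in the article."""
    return [
        (owner, repo)
        for owner, repo in RELEASE_LINK.findall(readme)
        if owner.lower() != repo_owner.lower()
    ]


def stargazer_signals(stargazers, window=timedelta(hours=24), young=timedelta(days=30)):
    """Two star-inflation signals:
    burst_fraction: largest share of all stars that landed inside any single `window`
    young_fraction: share of stargazers whose account was younger than `young` when it starred
    """
    if not stargazers:
        return {"burst_fraction": 0.0, "young_fraction": 0.0}
    times = sorted(parse_ts(s["starred_at"]) for s in stargazers)
    best, j = 0, 0
    for i, t in enumerate(times):  # sliding window over the sorted star times
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    young_count = sum(
        parse_ts(s["starred_at"]) - parse_ts(s["account_created_at"]) < young
        for s in stargazers
    )
    n = len(stargazers)
    return {"burst_fraction": best / n, "young_fraction": young_count / n}


def triage_repository(repo, burst_threshold=0.5, young_threshold=0.5):
    """Return human-readable reasons the repository resembles a ghost-network node.
    Thresholds are assumptions, not values from the Check Point report."""
    reasons = []
    links = cross_account_release_links(repo["readme"], repo["owner"])
    if links:
        reasons.append("README links to releases under another account: "
                       + ", ".join(f"{o}/{r}" for o, r in links))
    if ARCHIVE_LINK.search(repo["readme"]) and PASSWORD_HINT.search(repo["readme"]):
        reasons.append("README advertises a password-protected archive download")
    sig = stargazer_signals(repo["stargazers"])
    if sig["burst_fraction"] >= burst_threshold and sig["young_fraction"] >= young_threshold:
        reasons.append(f"star inflation: {sig['burst_fraction']:.0%} of stars in one 24h window, "
                       f"{sig['young_fraction']:.0%} from accounts under 30 days old")
    return reasons


# Constructed sample: no real accounts, repositories or releases. Seven "ghost" accounts
# created three days earlier star the repo within half an hour; one long-standing
# account stars it a month later.
SAMPLE_REPO = {
    "owner": "ghost-template-acct",
    "readme": (
        "# FreeVPN Pro 2024\n"
        "Download the latest build here:\n"
        "https://github.com/ghost-release-acct/freevpn/releases/download/v1.0/Setup.zip\n"
        "Password: 1234\n"
    ),
    "stargazers": [
        {"login": f"ghost{i:02d}", "starred_at": f"2024-06-01T10:{5 * i:02d}:00Z",
         "account_created_at": "2024-05-29T00:00:00Z"}
        for i in range(7)
    ] + [
        {"login": "longtime-dev", "starred_at": "2024-07-03T12:00:00Z",
         "account_created_at": "2019-01-15T00:00:00Z"}
    ],
}

if __name__ == "__main__":
    for reason in triage_repository(SAMPLE_REPO):
        print("-", reason)
```

On the sample, all three checks fire: the README sends visitors to a release under `ghost-release-acct`, it advertises a password-protected `.zip`, and 7 of 8 stars arrive within one window from accounts three days old. On real data, feed the function the repository owner, the decoded README and a stargazer list enriched with each user's creation date; a single repository tripping one check is weak evidence, but the same release-hosting account appearing in the READMEs of many freshly starred repositories is the cross-account structure the article describes.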

The discovery of the Stargazers Ghost Network highlights the evolving tactics of threat actors increasingly leveraging legitimate platforms like GitHub for malicious purposes. This network not only poses a significant threat to individual users but also underscores the need for robust cybersecurity measures and vigilant monitoring of platforms used for software distribution.

As a platform, GitHub faces the challenge of balancing its environment’s openness and collaborative nature with the need to protect users from malicious activities.

The Stargazers Ghost Network represents a new frontier in malware distribution, utilizing sophisticated tactics to evade detection and maintain operational efficiency. As threat actors continue to innovate, both platform providers and users must remain vigilant and adopt proactive cybersecurity measures to mitigate the risks posed by such networks.
