
Stargazers Ghost Network

A threat actor identified as Stargazer Goblin has created a network of fake GitHub accounts to run a Distribution-as-a-Service (DaaS) operation that distributes various types of information-stealing malware, earning them $100,000 in illegal profits over the past year.

This network, known as the Stargazers Ghost Network, includes more than 3,000 accounts on the cloud-based code hosting platform and spans thousands of repositories used to share malicious links and malware.

Malware families spread through this network include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. Additionally, the fake accounts engage in activities such as starring, forking, watching, and subscribing to these malicious repositories to create an appearance of legitimacy.

Malicious Accounts Posing as Normal Users

The network is believed to have been active in some preliminary form since August 2022, although an advertisement for the DaaS wasn't spotted on the dark web until early July 2023. The threat actors now operate a network of 'Ghost' accounts that distribute malware via malicious links on their repositories and via encrypted archives published as releases.

This network not only distributes malware but also provides various other activities that make these 'Ghost' accounts appear as normal users, lending fake legitimacy to their actions and the associated repositories.

Different categories of GitHub accounts are responsible for distinct aspects of the scheme in an attempt to make their infrastructure more resilient to takedown efforts by GitHub when malicious payloads are flagged on the platform.

Different Types of Accounts Utilized by the Threat Actors

The network employs various types of accounts for different functions: some accounts manage phishing repository templates, others supply images for these templates, and some push malware to the repositories in password-protected archives disguised as cracked software or game cheats.

If GitHub detects and bans the third set of accounts, Stargazer Goblin updates the phishing repository from the first set with a new link to an active malicious release, minimizing operational disruption.

Beyond liking new releases across multiple repositories and modifying download links in README.md files, some accounts in the network appear to have been compromised, with their credentials likely obtained through stealer malware.

Researchers find that Repository and Stargazer accounts often remain unaffected by bans and repository takedowns, while Commit and Release accounts are usually banned once their malicious repositories are discovered. It is also common to see Link-Repositories that still point to banned Release-Repositories. When this happens, the associated Commit account updates the malicious link to a new one.
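The account roles described above leave a measurable footprint on a repository: a stargazer population of young, inactive accounts, a README that links straight to an archive under a release, cracked-software or cheat lure wording, and a download link that is rotated after takedowns. The following Python heuristic is an added example, not code from the original article or from any research team; the `Account` and `Repo` structures, the thresholds, the regular expression and the sample data are all assumptions made for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Account:
    age_days: int    # account age at snapshot time
    own_repos: int   # repositories the account maintains itself
    actions: int     # commits, issues, PRs; stars deliberately not counted

@dataclass
class Repo:
    readme: str
    stargazers: list[Account]
    link_history: list[str]  # README download link as seen in successive commits

# Hypothetical patterns: a direct link to an archive under a GitHub release, and lure words
ARCHIVE_RE = re.compile(r"https?://\S+/releases/download/\S+\.(zip|rar|7z)\b", re.I)
LURE_WORDS = ("crack", "cracked", "cheat", "keygen", "password")

def ghost_ratio(stargazers: list[Account]) -> float:
    """Share of stargazers that look like dedicated 'Stargazer' accounts:
    young, owning no repositories, with no activity other than starring."""
    ghosts = [a for a in stargazers if a.age_days < 90 and a.own_repos == 0 and a.actions == 0]
    return len(ghosts) / len(stargazers) if stargazers else 0.0

def score_repo(repo: Repo) -> tuple[int, list[str]]:
    """Return (score, reasons); higher means more traits of a link-repository."""
    score, reasons = 0, []
    ratio = ghost_ratio(repo.stargazers)
    if ratio >= 0.5:
        score += 2
        reasons.append(f"{ratio:.0%} of stargazers look like ghost accounts")
    if ARCHIVE_RE.search(repo.readme):
        score += 1
        reasons.append("README links straight to an archive release asset")
    if any(w in repo.readme.lower() for w in LURE_WORDS):
        score += 1
        reasons.append("README uses cracked-software/cheat lure wording")
    rotations = len(set(repo.link_history)) - 1
    if rotations >= 2:  # link swapped repeatedly, as after release takedowns
        score += 2
        reasons.append(f"download link replaced {rotations} times")
    return score, reasons

# Constructed sample data: one repo with the network's traits, one ordinary project
GHOSTS = [Account(10, 0, 0) for _ in range(8)] + [Account(900, 5, 40)]
LURE = Repo("Download (password: 1234): https://github.com/x/y/releases/download/v1/cheat.rar",
            GHOSTS, [f"https://github.com/x{i}/y/releases/download/v1/cheat.rar" for i in range(3)])
CLEAN = Repo("A small JSON parser. See docs/ for usage.", [Account(1500, 12, 300)], ["https://example.org/docs"])
```

Running `score_repo(LURE)` yields a score of 6 with all four reasons, while `score_repo(CLEAN)` yields 0; in practice the thresholds would be tuned against a baseline of known-good repositories before any alerting.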

Various Malware Threats Deployed

One of the campaigns uncovered by experts involves a malicious link leading to a GitHub repository. This repository directs users to a PHP script hosted on a WordPress site, which then delivers an HTML Application (HTA) file to execute Atlantida Stealer via a PowerShell script.

In addition to Atlantida Stealer, the DaaS also distributes other malware families, including Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro. Experts have observed that these GitHub accounts are part of a broader DaaS network that operates similar 'Ghost' accounts across other platforms such as Discord, Facebook, Instagram, X, and YouTube.

Conclusion

Stargazer Goblin has developed a highly sophisticated malware distribution operation that cleverly evades detection by leveraging GitHub's reputation as a legitimate site. This approach helps avoid suspicion of malicious activities and reduces damage when GitHub intervenes.

By using a variety of accounts and profiles for different tasks—such as starring repositories, hosting them, committing phishing templates, and hosting malicious releases—the Stargazers Ghost Network can limit their losses. When GitHub disrupts their operations, it typically affects only a part of the network, allowing the rest of their infrastructure to continue functioning with minimal impact.
