
GitHub comments abused to push password-stealing malware disguised as fixes


GitHub is being abused to distribute the Lumma Stealer information-stealing malware through fake fixes posted as comments on project issues.

The campaign was first reported by a contributor to the teloxide Rust library, who noted on Reddit that they had received five different comments on their GitHub issues that pretended to be fixes but were instead pushing malware.

Further review by BleepingComputer found hundreds of similar comments posted to a wide range of projects on GitHub, all offering fake fixes to other people's questions.

The reply tells people to download a password-protected archive from mediafire.com, or via a bit.ly URL, and run the executable inside it. In the current campaign, the archive password has been "changeme" in every comment we have seen.

Reverse engineer Nicholas Sherlock told BleepingComputer that over 29,000 comments pushing this malware had been posted over a three-day period.

Fake answer to a GitHub issue pushing the Lumma Stealer malware

Source: Andrey Brusnik

Clicking on the link takes visitors to a download page for a file named 'fix.zip,' which contains a few DLL files and an executable named x86_64-w64-ranlib.exe.
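The indicators the article gives for this lure (a mediafire.com or bit.ly link, a password-protected archive, the password "changeme", the file names fix.zip and x86_64-w64-ranlib.exe) are enough to triage issue comments automatically. The script below is an added example, not BleepingComputer's or GitHub's code: it scores a comment body on how many distinct indicator classes it carries and flags it when two or more co-occur, so a lone mediafire link or a lone mention of fix.zip does not trip it. The sample comments are constructed for this example; the host list and password are the ones named in the article and would be extended as the campaign changes.

```python
"""Triage GitHub issue comments for the fake-fix lure described in the article.

Added example, not code from BleepingComputer or GitHub.  The indicators come
from the article; the SAMPLE_COMMENTS below are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Delivery hosts used by the campaign (from the article).  Compared with a
# leading "www." stripped.
LURE_HOSTS = {"mediafire.com", "bit.ly"}
# Archive and payload names observed in the campaign (from the article).
LURE_ARCHIVES = {"fix.zip"}
LURE_BINARIES = {"x86_64-w64-ranlib.exe"}
# Archive password handed out in every comment seen so far (from the article).
LURE_PASSWORDS = {"changeme"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)
# Anything that looks like an archive or Windows executable name.
FILENAME_RE = re.compile(r"\b[\w.-]+\.(?:zip|rar|7z|exe)\b", re.I)


@dataclass
class Verdict:
    suspicious: bool
    indicators: list = field(default_factory=list)


def triage_comment(body: str) -> Verdict:
    """Return the indicator hits for one comment body and an overall verdict."""
    hits = []
    lowered = body.lower()

    # 1. Links to the file host / shortener the campaign used.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        if host in LURE_HOSTS:
            hits.append(f"lure_host:{host}")

    # 2. Known archive / payload names, inside URLs or in the text.
    filenames = [f.lower() for f in FILENAME_RE.findall(body)]
    for name in filenames:
        if name in LURE_ARCHIVES:
            hits.append(f"lure_archive:{name}")
        elif name in LURE_BINARIES:
            hits.append(f"lure_binary:{name}")

    # 3. The password itself, as a whole word anywhere in the comment.
    for pw in LURE_PASSWORDS:
        if re.search(rf"\b{re.escape(pw)}\b", lowered):
            hits.append(f"lure_password:{pw}")

    # 4. A password being handed out alongside an archive name at all
    #    (catches the same lure once the password rotates).
    if "password" in lowered and filenames:
        hits.append("password_protected_archive")

    classes = {h.split(":", 1)[0] for h in hits}
    return Verdict(suspicious=len(classes) >= 2, indicators=hits)


# Constructed sample comments, not real comments from the campaign.
SAMPLE_COMMENTS = [
    # Shape of the lure the article describes.
    "I had the same problem, the fix is here: "
    "https://www.mediafire.com/file/abc123/fix.zip password: changeme. "
    "Just run the exe inside.",
    # Shortened link plus the password, no file name in the text.
    "Solved it, download from https://bit.ly/3xyzfix and unpack with password changeme",
    # Benign comment pointing at a release page on an example domain.
    "Fixed in v0.12.2, see https://github.com/example/project/releases",
]

if __name__ == "__main__":
    for body in SAMPLE_COMMENTS:
        v = triage_comment(body)
        print("SUSPICIOUS" if v.suspicious else "ok        ", v.indicators)
```

In practice the input would be the comment bodies returned by the GitHub REST endpoint that lists issue comments for a repository (GET /repos/{owner}/{repo}/issues/comments), fetched with a token and paged through; that fetch is left out here so the example runs offline. The two-class threshold is a judgement call: it trades a few missed single-indicator comments for far fewer false positives on legitimate links to file hosts.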

Archive containing the Lumma Stealer installer

Source: BleepingComputer

Running the executable in the Any.Run sandbox indicates that it is the Lumma Stealer information-stealing malware.

Lumma Stealer is an advanced information stealer that, when executed, attempts to steal cookies, credentials, passwords, credit card details, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.

The malware can also steal cryptocurrency wallets, private keys, and text files with names such as seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt, *.txt, and *.pdf, as these are likely to contain private crypto keys and passwords.

This data is collected into an archive and sent back to the attacker, who can use it in further attacks or sell it on cybercrime marketplaces.

While GitHub staff have been deleting these comments as they are detected, people have already reported falling for the attack.

Anyone who ran the malware should change the passwords on all of their accounts, using a unique password for each site, and move any cryptocurrency to a new wallet, since the stealer targets saved browser credentials and wallet files alike.

Last month, Check Point Research disclosed a similar campaign by the Stargazer Goblin threat actors, who built a malware Distribution-as-a-Service (DaaS) from over 3,000 fake accounts on GitHub to push information-stealing malware.

It is unclear whether this is the same campaign or a new one conducted by different threat actors.
