GitHub comments abused to push password-stealing malware disguised as fixes
GitHub is being abused to distribute the Lumma Stealer information-stealing malware as fake fixes posted in project comments.
The campaign was first reported by a contributor to the teloxide Rust library, who noted on Reddit that they received five different comments in their GitHub issues that pretended to be fixes but were instead pushing malware.
Further review by BleepingComputer found hundreds of similar comments posted to a large number of projects on GitHub, all offering fake fixes to other people's questions.
The "solution" tells people to download a password-protected archive from mediafire.com or via a bit.ly URL and run the executable inside it. In the current campaign, the password has been "changeme" in all of the comments we have seen.
Reverse engineer Nicholas Sherlock told BleepingComputer that over 29,000 comments pushing this malware had been posted over a three-day period.
Clicking on the link brings visitors to a download page for a file named 'fix.zip,' which contains a few DLL files and an executable named x86_64-w64-ranlib.exe.
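The lure described above is uniform enough to triage automatically. The following is an added example, not code from the article or from GitHub: it scores an issue-comment body against the campaign's visible traits (a mediafire.com or bit.ly link, the archive password "changeme", the file names, and an instruction to run an executable). The weights, threshold, and sample comments are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts and strings come from the campaign as reported; weights and threshold are assumptions.
LURE_HOSTS = {"mediafire.com", "bit.ly"}
URL_RE = re.compile(r"https?://[^\s<>()\[\]\"']+", re.IGNORECASE)
BODY_RULES = [
    (re.compile(r"\b(?:password|passwd|pass|pw)\b\s*[:=-]?\s*[\"'`]?changeme\b", re.IGNORECASE),
     2, "archive password 'changeme' given in the comment"),
    (re.compile(r"\bfix\.zip\b|\bx86_64-w64-ranlib\.exe\b", re.IGNORECASE),
     2, "known lure file name"),
    (re.compile(r"\b(?:run|execute|launch|open)\b[^.\n]*\b(?:exe|executable)\b", re.IGNORECASE),
     1, "instructs the reader to run an executable"),
]

@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

def triage_comment(body: str) -> Verdict:
    """Score one comment body against the lure pattern; a higher score is more suspicious."""
    verdict = Verdict()
    for url in URL_RE.findall(body):
        host = urlparse(url).netloc.lower().removeprefix("www.")
        if host in LURE_HOSTS:
            verdict.score += 2
            verdict.reasons.append(f"link to file host or URL shortener: {host}")
    for pattern, weight, reason in BODY_RULES:
        if pattern.search(body):
            verdict.score += weight
            verdict.reasons.append(reason)
    return verdict

def is_suspicious(body: str, threshold: int = 3) -> bool:
    return triage_comment(body).score >= threshold

# Constructed sample comments, not real GitHub content.
SAMPLE_COMMENTS = {
    "lure_mediafire": "Same problem here, the fix is at https://www.mediafire.com/file/abc123/fix.zip/file "
                      "password: changeme, just run the exe inside and rebuild.",
    "lure_shortener": "Fixed it, grab it from https://bit.ly/3abcXYZ (pass = changeme).",
    "benign": "Thanks for the report, fixed in https://github.com/org/repo/pull/42. "
              "Please run the test suite to confirm.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_COMMENTS.items():
        v = triage_comment(body)
        print(f"{name}: score={v.score} suspicious={is_suspicious(body)} {v.reasons}")
```

A maintainer could run this over new issue comments from the GitHub API and hold flagged ones for review rather than deleting on a single indicator, since legitimate comments do occasionally link to file hosts.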
Running the executable on Any.Run indicates it is the Lumma Stealer information-stealing malware.
Lumma Stealer is an advanced information stealer that, when executed, attempts to steal cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium browsers.
The malware can also steal cryptocurrency wallets, private keys, and text files with names like seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt, *.txt, and *.pdf, as these are likely to contain private crypto keys and passwords.
This data is collected into an archive and sent back to the attacker, who can use the information in further attacks or sell it on cybercrime marketplaces.
While GitHub staff have been deleting these comments as they are detected, people have already reported falling for the attack.
Anyone who ran the malware should change the passwords on all of their accounts, using a unique password for every site, and migrate cryptocurrency to a new wallet.
Last month, Check Point Research disclosed a similar campaign by the Stargazer Goblin threat actors, who created a malware Distribution-as-a-Service (DaaS) from over 3,000 fake accounts on GitHub to push information-stealing malware.
It is unclear if this is the same campaign or a new one conducted by other threat actors.