Gitgub Campaign Attacking GitHub Users To Steal Login Credentials

⁤Threat actors often target GitHub users due to the plenty of valuable code repositories and sensitive information stored on the platform. ⁤

However, the collaborative nature of ⁤GitHub makes it an exceptional target for surveillance by threat actors seeking to gather intelligence on organizations and their development practices. 

Cybersecurity analysts at G Data Defense recently discovered that threat actors are actively attacking GitHub users to steal login credentials via the Gitgub campaign.

Gitgub Campaign Attacking GitHub Users

RisePro employs encrypted strings and bloated installers crashing reverse-engineering tools. “Gitgub” exfiltrated over 700 data archives to Telegram.

13 repos from this RisePro stealer campaign featured the README lures. While the fake green Unicode circles mimicked build statuses for recency illusion.

Red and green circles usually indicate real build outcomes on GitHub.

The following download link remains the same across repos:-

hxxps://site/INSTALLER%20PASSWORD.rar

The user unpacks nested archives with “GIT1HUB1FREE” password. While the Installer_Mega_v0.7.4t.msi is the first executable.

Orca shows it unpacks the next stage using the “LBjWCsXKUz1Gwhg” password, and the final payload is “Installer-Ultimate_v4.3e.9b.exe.

The Installer-Ultimate_v4.3e.9b.exe is 699MB and it crashes the analysts’ tools. PortexAnalyzer shows non-trivial bloat with high entropy and no overlay.

The original archive had a 70MB size which suggests a repeating pattern. 

Visualization revealed 0x1C0 byte repeating blocks with 0x2d byte unique blocks between. Repeating blocks enable compression while maintaining high entropy when unpacked.

MICROSOFTVISUALSTUDIODEBUGGERI resource was bloat data of 0x2b85418f bytes, and removing it slimmed the file from 699MB to 3.43MB. 

The innoSetup signature was fake, and it is a .NET assembly. Two #Blob, #Strings streams break CLI spec, allowing only one each, while the #Schema stream isn’t part of CLI, reads the report.

There are three streams that had 1-byte invalid sizes pointing to the same offset, likely confusing parsers.

ModuleRef table references 727 DLL files with dictionary word pairs as names, except kernel32. The file uses obfuscated .NET Reactor 6 with virtualization, requiring a custom disassembler. 

Loader connects to 176.113.115.227:56385 and injects RisePro 1.6 stealer into AppLaunch.exe or RegAsm.exe. RisePro now uses custom XOR string decryption instead of xorstr library. 

Multiple hardcoded decryption functions per string length replace vectorized xorstr scheme.

Researchers used a Python script to decrypt RisePro’s network data over a still-used TCP 50500 port. Config packet revealed grabber components, Telegram bot API token, and message template.

The Base64 packet contained zipped analysis machine data. Over 700 zipped data archives were exfiltrated to 2 Telegram channels. The channel names and C2 IPs suggest Russia-based operations.

Gitgub Campaign Repositories

Here below we have mentioned all the repositories that belong to the Gitgub campaign:-

• andreastanaj/AVAST
• andreastanaj/Sound-Booster 
• aymenkort1990/fabfilter 
• BenWebsite/-IObit-Smart-Defrag-Crack 
• Faharnaqvi/VueScan-Crack 
• javisolis123/Voicemod  
• lolusuary/AOMEI-Backupper 
• lolusuary/Daemon-Tools 
• lolusuary/EaseUS-Partition-Master 
• lolusuary/SOOTHE-2 
• mostofakamaljoy/ccleaner 
• rik0v/ManyCam 
• Roccinhu/Tenorshare-Reiboot 
• Roccinhu/Tenorshare-iCareFone 
• True-Oblivion/AOMEI-Partition-Assistant 
• vaibhavshiledar/droidkit 
• vaibhavshiledar/TOON-BOOM-HARMONY

IoCs

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.