Players can only access the game by first joining its Telegram channel, with some going astray in copycat channels with hidden malware.

Source: Science Photo Library via Alamy Stock Photo

Malicious actors are targeting users of a mobile currency game by using fake Android and Windows software that installs spyware and other malware.

Hamster Kombat launched in March and already has more than 250 million users, likely due to the promises of winning TON-based cryptocurrency. The game is for Android users, who can earn in-game currency by completing certain tasks within the game.

To play, users must join the game's Telegram channel, scan a QR code, and then launch a Web app on their device. When users first search for the game's Telegram channel, they are likely to come across other Hamster-branded channels attempting to distribute Android malware. One channel, named "HAMSTER EASY," even distributes Ratel Android spyware as an APK file.

This malware can allow the threat actors to subscribe the victim to different services and hide the notifications so that they remain unaware.

Other fake websites include "hamsterkombat-ua.pro" and "hamsterkombat-win.pro," which redirect visitors to advertisements to generate money instead of the real game. 

On the Windows platform, researchers discovered GitHub repositories that promise its victims Hamster Kombat farm bots and autoclickers but instead deliver cryptors that contain Lumma Stealer, info-stealer malware.

As the game continues to grow in popularity among users, it will continue to attract malicious actors, so users should be wary of being tricked by threat actors and copycat apps and remain vigilant when downloading software.

**About the Author(s)**

Hamster Kombat Players Threatened by Spyware &amp; Infostealers

Gentoo Linux Security Advisory 202407-28 - A vulnerability has been discovered in Freenet, which can lead to deanonymization due to path folding. Versions greater than or equal to 0.7.5_p1497 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-28  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Freenet: Deanonymization Vulnerability  
     Date: July 24, 2024  
     Bugs: #904441  
       ID: 202407-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Freenet, which can lead to  
deanonymization due to path folding.

Background  
==========

Freenet is an encrypted network without censorship.

Affected packages  
=================

Package          Vulnerable     Unaffected  
---------------  -------------  --------------  
net-p2p/freenet  < 0.7.5_p1497  >= 0.7.5_p1497

Description  
===========

This release fixes a severe vulnerability in path folding that allowed  
to distinguish between downloaders and forwarders with an adapted  
node that is directly connected via opennet.

Impact  
======

This release fixes a severe vulnerability in path folding that allowed  
to distinguish between downloaders and forwarders with an adapted  
node that is directly connected via opennet.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Freenet users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-p2p/freenet-0.7.5_p1497"

References  
==========

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-28

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-28

Gentoo Linux Security Advisory 202407-27 - Multiple vulnerabilities have been discovered in ExifTool, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 12.42 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-27  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: ExifTool: Multiple vulnerabilities  
     Date: July 24, 2024  
     Bugs: #785667, #791397, #803317, #832033  
       ID: 202407-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in ExifTool, the worst of  
which could lead to arbitrary code execution.

Background  
==========

ExifTool is a platform-independent Perl library plus a command-line  
application for reading, writing and editing meta information in a wide  
variety of files.

Affected packages  
=================

Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
media-libs/exiftool  < 12.42       >= 12.42

Description  
===========

Multiple vulnerabilities have been discovered in ExifTool. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All ExifTool users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/exiftool-12.42"

References  
==========

[ 1 ] CVE-2021-22204  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22204  
[ 2 ] CVE-2022-23935  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23935

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-27

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-27

SIM Wisuda version 1.0 suffers from an insecure direct object reference vulnerability.

**SIM Wisuda 1.0 Insecure Direct Object Reference**

Posted Jul 24, 2024

Authored by indoushka

SIM Wisuda version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 7fed84c74a95aca63927ebf377895e9a07606b145886012809d45f932101a348

Download | Favorite | View

**SIM Wisuda 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : SIM Wisuda v1.0 IDOR Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://academic.uii.ac.id/wisuda/                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /login/apps/?menu=Lulusan[+] https://www/127.0.0.1/wisuda.uika-bogor.ac.id/login/apps/?menu=LulusanGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,109)
*   Arbitrary (16,828)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,779)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,997)
*   Encryption (2,389)
*   Exploit (53,065)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,167)
*   Local (14,774)
*   Magazine (586)
*   Overflow (13,149)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,613)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,271)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,588)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,900)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,505)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,383)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,686)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

SIM Wisuda 1.0 Insecure Direct Object Reference

SLiMS CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : SLiMS CMS v2.0 Sql injection Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://slims.web.id/web/news/slims-competition-plugin-and-template/                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : "index.php?p=show_detail&id=471"<===== inject here[+] https://www/127.0.0.1/libman1blitarschid/index.php?p=show_detail&id=471Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

SLiMS CMS 2.0 SQL Injection

Ubuntu Security Notice 6907-1 - Joshua Rogers discovered that Squid did not properly handle multi-byte characters during Edge Side Includes processing. A remote attacker could possibly use this issue to cause a memory corruption error, leading to a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6907-1  
July 23, 2024

squid, squid3 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Squid could be made to crash if it processed specially crafted characters.

Software Description:  
- squid: Web proxy cache server  
- squid3: Web proxy cache server

Details:

Joshua Rogers discovered that Squid did not properly handle multi-byte  
characters during Edge Side Includes (ESI) processing. A remote attacker  
could possibly use this issue to cause a memory corruption error, leading  
to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   squid                           6.6-1ubuntu5.1

Ubuntu 22.04 LTS  
   squid                           5.9-0ubuntu0.22.04.2

Ubuntu 20.04 LTS  
   squid                           4.10-1ubuntu1.13

Ubuntu 18.04 LTS  
   squid                           3.5.27-1ubuntu1.14+esm3  
                                   Available with Ubuntu Pro  
   squid3                          3.5.27-1ubuntu1.14+esm3  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   squid                           3.5.12-1ubuntu7.16+esm4  
                                   Available with Ubuntu Pro  
   squid3                          3.5.12-1ubuntu7.16+esm4  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6907-1  
   CVE-2024-37894

Package Information:  
   https://launchpad.net/ubuntu/+source/squid/6.6-1ubuntu5.1  
   https://launchpad.net/ubuntu/+source/squid/5.9-0ubuntu0.22.04.2  
   https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.13

Ubuntu Security Notice USN-6907-1

Gentoo Linux Security Advisory 202407-26 - A vulnerability has been discovered in Dmidecode, which can lead to privilege escalation. Versions greater than or equal to 3.5 are affected.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Gentoo Linux Security Advisory                           GLSA 202407-26- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -                                           https://security.gentoo.org/- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal    Title: Dmidecode: Privilege Escalation     Date: July 24, 2024     Bugs: #905093       ID: 202407-26- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Synopsis========A vulnerability has been discovered in Dmidecode, which can lead toprivilege escalation.Background==========Dmidecode reports information about your system's hardware as describedin your system BIOS according to the SMBIOS/DMI standard (see a sampleoutput). This information typically includes system manufacturer, modelname, serial number, BIOS version, asset tag as well as a lot of otherdetails of varying level of interest and reliability depending on themanufacturer. This will often include usage status for the CPU sockets,expansion slots (e.g. AGP, PCI, ISA) and memory module slots, and thelist of I/O ports (e.g. serial, parallel, USB).Affected packages=================Package             Vulnerable    Unaffected------------------  ------------  ------------sys-apps/dmidecode  < 3.5         >= 3.5Description===========Dmidecode -dump-bin can overwrite a local file. This has securityrelevance because, for example, execution of Dmidecode via sudo isplausible.Impact======Please review the referenced CVE identifier for details.Workaround==========There is no known workaround at this time.Resolution==========All Dmidecode users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=sys-apps/dmidecode-3.5"References==========[ 1 ] CVE-2023-30630      https://nvd.nist.gov/vuln/detail/CVE-2023-30630Availability============This GLSA and any updates to it are available for viewing atthe Gentoo Security Website: https://security.gentoo.org/glsa/202407-26Concerns?=========Security is a primary focus of Gentoo Linux and ensuring theconfidentiality and security of our users' machines is of utmostimportance to us. Any security concerns should be addressed tosecurity@gentoo.org or alternatively, you may file a bug athttps://bugs.gentoo.org.License=======Copyright 2024 Gentoo Foundation, Inc; referenced textbelongs to its owner(s).The contents of this document are licensed under theCreative Commons - Attribution / Share Alike license.https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-26

Webdenim AppUI version 1.0 suffers from an insecure direct object reference vulnerability.

**Webdenim AppUI 1.0 Insecure Direct Object Reference**

Posted Jul 24, 2024

Authored by indoushka

Webdenim AppUI version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 3418251e6b23a29fe38369d103a67d4c4c7e084f78a767a8b4660ce397493457

Download | Favorite | View

**Webdenim AppUI 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Webdenim AppUI v1.0 IDOR Vulnerability                                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codentheme.com/item/appui-free-responsive-html-vuejs-angularjs-admin-dashboard/                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : //admin/header.php[+] https://www/127.0.0.1/listandrelaxcom/admin/header.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,109)
*   Arbitrary (16,828)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,779)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,997)
*   Encryption (2,389)
*   Exploit (53,065)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,167)
*   Local (14,774)
*   Magazine (586)
*   Overflow (13,149)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,613)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,271)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,588)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,900)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,505)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,383)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,686)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Webdenim AppUI 1.0 Insecure Direct Object Reference

A zero-day security flaw in Telegram's mobile app for Android called EvilVideo made it possible for attackers to malicious files disguised as harmless-looking videos.
The exploit appeared for sale for an unknown price in an underground forum on June 6, 2024, ESET said. Following responsible disclosure on June 26, the issue was addressed by Telegram in version 10.14.5 released on July 11.
"

A zero-day security flaw in Telegram's mobile app for Android called EvilVideo made it possible for attackers to malicious files disguised as harmless-looking videos.

The exploit appeared for sale for an unknown price in an underground forum on June 6, 2024, ESET said. Following responsible disclosure on June 26, the issue was addressed by Telegram in version 10.14.5 released on July 11.

"Attackers could share malicious Android payloads via Telegram channels, groups, and chat, and make them appear as multimedia files," security researcher Lukáš Štefanko said in a report.

It's believed that the payload is concocted using Telegram's application programming interface (API), which allows for programmatic uploads of multimedia files to chats and channels. In doing so, it enables an attacker to camouflage a malicious APK file as a 30-second video.

Users who click on the video are displayed an actual warning message stating the video cannot be played and urges them to try playing it using an external player. Should they proceed with the step, they are subsequently asked to allow installation of the APK file through Telegram. The app in question is named "xHamster Premium Mod."

"By default, media files received via Telegram are set to download automatically," Štefanko said. "This means that users with the option enabled will automatically download the malicious payload once they open the conversation where it was shared."

While this option can be disabled manually, the payload can still be downloaded by tapping the download button accompanying the supposed video. It's worth noting that the attack does not work on Telegram clients for the web or the dedicated Windows app.

It's currently not clear who is behind the exploit and how widely it was used in real-world attacks. The same actor, however, advertised in January 2024 a fully undetectable Android crypter (aka cryptor) that can reportedly bypass Google Play Protect.

**Hamster Kombat's Viral Success Spawns Malicious Copycat**

The development comes as cyber criminals are capitalizing on the Telegram-based cryptocurrency game Hamster Kombat for monetary gain, with ESET discovering fake app stores promoting the app, GitHub repositories hosting Lumma Stealer for Windows under the guise of automation tools for the game, and an unofficial Telegram channel that's used to distribute an Android trojan called Ratel.

The popular game, which launched in March 2024, is estimated to have more than 250 million players, according to the game developer. Telegram CEO Pavel Durov has called Hamster Kombat the "fastest-growing digital service in the world" and that "Hamster's team will mint its token on TON, introducing the benefits of blockchain to hundreds of millions of people."

Ratel, offered via a Telegram channel named "hamster\_easy," is designed to impersonate the game ("Hamster.apk") and prompts users to grant it notification access and set itself as the default SMS application. It subsequently initiates contact with a remote server to get a phone number as response.

In the next step, the malware sends a Russian language SMS message to that phone number, likely belonging to the malware operators, to receive additional instructions over SMS.

"The threat actors then become capable of controlling the compromised device via SMS: The operator message can contain a text to be sent to a specified number, or even instruct the device to call the number," ESET said. "The malware is also able to check the victim's current banking account balance for Sberbank Russia by sending a message with the text баланс (translation: balance) to the number 900."

Ratel abuses its notification access permissions to hide notifications from no less than 200 apps based on a hard-coded list embedded within it. It's suspected that this is being done in an attempt to subscribe the victims to various premium services and prevent them from being alerted.

The Slovakian cybersecurity firm said it also spotted fake application storefronts claiming to offer Hamster Kombat for download, but actually directs users to unwanted ads, and GitHub repositories offering Hamster Kombat automation tools that deploy Lumma Stealer instead.

"The success of Hamster Kombat has also brought out cybercriminals, who have already started to deploy malware targeting the players of the game," Štefanko and Peter Strýček said. "Hamster Kombat's popularity makes it ripe for abuse, which means that it is highly likely that the game will attract more malicious actors in the future."

**BadPack Android Malware Slips Through the Cracks**

Beyond Telegram, malicious APK files targeting Android devices have also taken the form of BadPack, which refer to specially crafted package files in which the header information used in the ZIP archive format has been altered in an attempt to obstruct static analysis.

In doing so, the idea is to prevent the AndroidManifest.xml file – a crucial file that provides essential information about the mobile application – from being extracted and properly parsed, thereby allowing malicious artifacts to be installed without raising any red flags.

This technique was extensively documented by Kaspersky earlier this April in connection with an Android trojan referred to as SoumniBot that has targeted users in South Korea. Telemetry data gathered by Palo Alto Networks Unit 42 from June 2023 through June 2024 has detected nearly 9,200 BadPack samples in the wild, although none of them have been found on Google Play Store.

"These tampered headers are a key feature of BadPack, and such samples typically pose a challenge for Android reverse engineering tools," Unit 42 researcher Lee Wei Yeong said in a report published last week. "Many Android-based banking Trojans like BianLian, Cerberus and TeaBot use BadPack."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Telegram App Flaw Exploited to Spread Malware Hidden in Videos

Cybersecurity researchers have spotted a 3,000-account network on GitHub that is manipulating the platform and spreading ransomware and info stealers.

A secretive network of around 3,000 “ghost” accounts on GitHub has quietly been manipulating pages on the code-hosting website to promote malware and phishing links, according to new research seen by WIRED.

Since at least June last year, according to researchers at cybersecurity company Check Point, a cybercriminal they dubbed “Stargazer Goblin” has been hosting malicious code repositories on the Microsoft-owned platform. GitHub is the world’s largest open-source code website, hosting millions of developers' work. As well as uploading malicious repositories, Stargazer Goblin has been boosting the pages by using GitHub’s own community tools.

Antonis Terefos, a malware reverse engineer at Check Point who discovered the nefarious behavior, says the persona behind the network uses their false accounts to “star,” “fork,” and “watch” the malicious pages. These actions—which are loosely similar to liking, sharing, and subscribing, respectively—help make the pages appear popular and genuine. The more stars, the more realistic a page looks. “The malicious repositories appeared really legitimate,” Terefos says.

“The way he has developed it is really smart, taking advantage of how GitHub operates,” Terefos says of the person behind the persona. While cybercriminals have been abusing GitHub for years, uploading malicious code and adapting legitimate repositories, Terefos says he has not previously seen a network of fake accounts operating in this way on the platform. The buying and selling of repositories and starring is coordinated on a cybercrime-linked Telegram channel and criminal marketplaces. WIRED previously reported on other GitHub black markets.

The Stargazers Ghost Network, which Check Point named after one of the first accounts they spotted, has been spreading malicious GitHub repositories that offer downloads of social media, gaming, and cryptocurrency tools. For instance, pages might be claiming to provide code to run a VPN or license a version of Adobe's Photoshop. These are mostly targeting Windows users, the research says, and aim to capitalize on people potentially searching for free software online.

The operator behind the network charges other hackers to use their services, which Check Point call “distribution as a service.” The harmful network has been spotted sharing various types of ransomware and info-stealer malware, Check Point says, including the Atlantida Stealer, Rhadamanthys, and the Lumma Stealer. Terefos says he discovered the network while researching instances of the Atlantida Stealer. The researcher says the network could be bigger than he expects, as he has also seen legitimate GitHub accounts being taken over using stolen login details.

“We disabled user accounts in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” says Alexis Wales, vice president of security operations at GitHub. “We have teams dedicated to detecting, analyzing, and removing content and accounts that violate these policies.”

GitHub has more than 100 million users who have contributed over 420 million repositories on the platform. Given the breadth of the platform, it’s unsurprising that cybercriminals and hackers are attempting to abuse it. In recent years, researchers have been mapping instances of fake stars, spotting dangerous code hidden in projects, facing growing supply-chain attacks against open source software, and seeing comments being used to spread malware.

The Stargazer Goblin threat actor identified by Check Point sells their services through ads on cybercrime forums and also through a Telegram account. A posts on a Russian-language cybercrime forum advertises 100 stars for $10 and 500 for $50 and says they can provide clones of existing repositories and trusted accounts. “For GitHub, the process looks organic,” one translated post says. The Check Point research says the network could have started operating as early as August 2022 and may have made as much as $100,000—from mid-May to mid-June this year, they estimate the operator made around $8,000.

Terefos says, in some instances, he has seen a legitimate code repository being changed by the threat actor, potentially using stolen credentials, and turned into a malicious one. If legitimate users fork a malicious repository, it has the potential to spread the code, Terefos says. The reverse malware engineer adds that he has automated the search for accounts linked to the network and is able to identify them based on common features, such as repositories using similar templates and tags. Some of the repositories seen by WIRED use variations on "instagram-follower" and "youtube-views" tags, with the names changed based on the software the page alleges to offer.

“Users of GitHub, and especially inexperienced users, can easily download malicious code, which can often be the result of fictitious reviews and starring,” says Jake Moore, global cybersecurity adviser at security firm Eset. “Telltale signs of malicious code on GitHub could also be unexpected or suspicious code changes, code that accesses external resources, and specific hard-coded credentials or API keys.”

Terefos says the activity of the network—staring and watching pages—is likely automated, as he saw repositories being acted upon in quick succession. “I don't think they're clicking, doing like manual work.” For GitHub, Terefos says, it may be difficult to identify this activity, as the behavior of the accounts is intended to look like a genuine GitHub user. Wales, from GitHub, says the company uses a combination of manual reviews and “at-scale detections” that use machine learning to identify suspicious activity

The Check Point engineer also says he identified one YouTube “ghost” account that was sharing malicious links via video, indicating that the network could be more encompassing. “I think this is not the whole picture,” Terefos says.

Tag

#web