Thursday, July 10, 2025

Hackers Exploit GitHub to Distribute Malware Disguised as VPN Software


CYFIRMA has discovered a sophisticated cyberattack campaign in which threat actors are using GitHub to host and distribute malware masquerading as legitimate software.

Posing as “Free VPN for PC” and “Minecraft Skin Changer,” these malicious payloads are designed to trick users into downloading a malware dropper named Launch.exe.

Hosted on the GitHub repository github[.]com/SAMAIOEC, the files come with detailed instructions and are packaged in password-protected ZIP archives so that browser-based security scans cannot inspect their contents.

This abuse of a trusted platform like GitHub highlights the growing trend of cybercriminals exploiting open-source repositories to spread malware, preying on users looking for free tools or game mods.

Deceptive Lures Target Unsuspecting Users

A deep dive into the malware reveals a multi-stage attack chain engineered for stealth and evasion.

Fake Assembly Metadata

The primary executable, Launch.exe, with an MD5 hash of bbc7fc957d4fff6a55bd004a3d124dda, serves as the initial dropper.

Upon execution, it decodes a Base64-encoded DLL payload hidden behind meaningless French text, applying additional obfuscation through bitwise transformations in a function named SinCosMath().

Figure: Base64 data embedded in the dropper

This payload is written to disk as msvcp110.dll in the user's AppData\Roaming directory and then loaded into memory using Windows API calls such as LoadLibrary() and GetProcAddress().

The DLL exhibits high entropy, suggesting it is packed. It employs anti-debugging checks such as IsDebuggerPresent() to terminate when run in an analysis environment, and uses convoluted control flow to frustrate reverse engineering.

Lumma Stealer Campaign

The campaign's ultimate goal is to deploy Lumma Stealer, a notorious information-stealing malware, via process injection into legitimate Windows binaries such as MSBuild.exe and aspnet_regiis.exe.

According to the Cyfirma report, these trusted processes are abused to bypass security controls, with low-level API calls such as VirtualAlloc() and NtWriteVirtualMemory() used to place and execute the payload in memory.

Dynamic analysis also revealed attempts to connect to a suspected command-and-control (C2) domain, explorationmsn[.]store, alongside other infrastructure consistent with known Lumma Stealer patterns.

Although detailed static analysis unravelled the obfuscation tactics and mapped the behaviour to MITRE ATT&CK techniques such as DLL side-loading (T1574.002) and masquerading (T1036), the threat actor's identity remains unknown, underscoring the need for proactive defensive measures.

This campaign underscores the critical importance of vigilance when downloading software from platforms like GitHub.

Organizations and individuals should block the known C2 domains, restrict executable downloads from unverified sources, and monitor for suspicious activity such as DLLs loaded from user-writable directories or unusual API usage.

User education on the risks of free tools, combined with behaviour-based detection via EDR solutions and the application of the YARA rules supplied in the report, can significantly mitigate such threats.

Indicators of Compromise (IOCs)

S. No  Indicator                                                          Type    Context
1      acbaa6041286f9e3c815cd1712771a490530f52c90ce64da20f28cfa0955a5ca   EXE     Launch.exe
2      15b644b42edce646e8ba69a677edcb09ec752e6e7920fd982979c714aece3925   DLL     msvcp110.dll
3      explorationmsn[.]store                                             Domain  C2
4      snailyeductyi[.]sbs                                                Domain  C2
5      ferrycheatyk[.]sbs                                                 Domain  C2
6      deepymouthi[.]sbs                                                  Domain  C2
7      wrigglesight[.]sbs                                                 Domain  C2
8      captaitwik[.]sbs                                                   Domain  C2
9      sidercotay[.]sbs                                                   Domain  C2
10     heroicmint[.]sbs                                                   Domain  C2
11     monstourtu[.]sbs                                                   Domain  C2
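The following Python script is an added defender-side example, not part of the CYFIRMA report or its YARA rules. It turns the report's recommendations (block the C2 domains, watch for DLLs loaded from user directories, watch for injection into trusted binaries) and the IoC table above into detection logic and runs it over a handful of constructed Sysmon-style events. The field names (EventID, Image, ImageLoaded, Hashes, SourceImage, TargetImage, QueryName) follow Sysmon's conventions; the sample events, including the benign ones, are constructed for the demonstration. It goes slightly beyond the text by also flagging a CreateRemoteThread from a user-profile path into the named host binaries, which is the telemetry the described injection would leave.

```python
import re
from typing import Dict, List, Tuple

# Indicators copied from the report's IoC table: SHA-256 hashes of the two
# files and the C2 domains (kept defanged here, refanged for matching).
IOC_HASHES: Dict[str, str] = {
    "acbaa6041286f9e3c815cd1712771a490530f52c90ce64da20f28cfa0955a5ca": "Launch.exe",
    "15b644b42edce646e8ba69a677edcb09ec752e6e7920fd982979c714aece3925": "msvcp110.dll",
}
IOC_DOMAINS_DEFANGED = [
    "explorationmsn[.]store", "snailyeductyi[.]sbs", "ferrycheatyk[.]sbs",
    "deepymouthi[.]sbs", "wrigglesight[.]sbs", "captaitwik[.]sbs",
    "sidercotay[.]sbs", "heroicmint[.]sbs", "monstourtu[.]sbs",
]


def refang(domain: str) -> str:
    """Turn the report's 'a[.]b' notation into a hostname we can compare."""
    return domain.replace("[.]", ".").lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Signed Windows binaries the report names as injection hosts.
INJECTION_HOSTS = {"msbuild.exe", "aspnet_regiis.exe"}
# A DLL image loaded from the per-user roaming profile, as in the report.
USER_DIR_DLL = re.compile(r"\\AppData\\Roaming\\[^\\]+\.dll$", re.IGNORECASE)
USER_PROFILE = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)


def parse_hashes(field: str) -> Dict[str, str]:
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; return {algo: hex}."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) pairs that fire for one Sysmon-style event."""
    alerts: List[Tuple[str, str]] = []
    eid = event.get("EventID")
    if eid in ("1", "7"):  # ProcessCreate and ImageLoad both carry Hashes
        sha = parse_hashes(event.get("Hashes", "")).get("SHA256")
        if sha in IOC_HASHES:
            alerts.append(("ioc_hash_match", IOC_HASHES[sha]))
    if eid == "7":
        loaded = event.get("ImageLoaded", "")
        if USER_DIR_DLL.search(loaded):
            alerts.append(("dll_loaded_from_user_dir", loaded))
    elif eid == "8":  # CreateRemoteThread: thread placed into a trusted host
        src, dst = event.get("SourceImage", ""), event.get("TargetImage", "")
        if basename(dst) in INJECTION_HOSTS and USER_PROFILE.match(src):
            alerts.append(("remote_thread_into_signed_host", f"{src} -> {dst}"))
    elif eid == "22":  # DnsQuery
        name = event.get("QueryName", "").lower().rstrip(".")
        if name in IOC_DOMAINS:
            alerts.append(("ioc_c2_domain", name))
    return alerts


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every rule over a list of events and collect the alerts in order."""
    return [a for e in events for a in evaluate(e)]


# Constructed sample telemetry modelled on the chain the report describes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Users\alice\Downloads\Launch.exe",
     "Hashes": "SHA256=ACBAA6041286F9E3C815CD1712771A490530F52C90CE64DA20F28CFA0955A5CA,"
               "MD5=BBC7FC957D4FFF6A55BD004A3D124DDA"},
    {"EventID": "7", "Image": r"C:\Users\alice\Downloads\Launch.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\msvcp110.dll",
     "Hashes": "SHA256=15b644b42edce646e8ba69a677edcb09ec752e6e7920fd982979c714aece3925"},
    # Benign: the genuine runtime DLL of the same name, loaded from System32.
    {"EventID": "7", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcp110.dll",
     "Hashes": "SHA256=" + "0" * 64},
    {"EventID": "8", "SourceImage": r"C:\Users\alice\Downloads\Launch.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"EventID": "22", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "QueryName": "explorationmsn.store"},
    {"EventID": "22", "Image": r"C:\Program Files\Git\cmd\git.exe",
     "QueryName": "github.com"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The benign third event is there on purpose: msvcp110.dll is also the name of a legitimate Visual C++ runtime library, so a rule keyed on the file name alone would be noisy. Matching on the load path (a DLL under AppData\Roaming) and on the hash keeps the signal tied to what the report actually observed, and the DNS and CreateRemoteThread rules catch the later stages even if the dropper is renamed.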
