Infostealer
Stargazer Goblin
GitHub
Discover how Stargazer Goblin's 3,000+ fake GitHub accounts spread Atlantida Ste...
As email-based attacks experience resilient defenses, hackers are getting creative in evading detection. That's where Stargazer Goblin enters, a group that’s turning GitHub into a malware distribution channel. Once a mere attack vector in malware distribution, GitHub has now been in the limelight.
Stargazer Goblin has devised a sophisticated Malware Distribution-as-a-Service (DaaS) system, utilizing fake "Ghost" accounts to disseminate malware. These accounts manipulate GitHub's system by starring, forking, and following repositories to appear legitimate and deceive users.
Instead of directly spreading malicious software, threat actors are deploying a network of _"Ghost"_ accounts that promote malware through malicious links embedded in repositories and encrypted archives. These accounts simulate normal user behavior, lending a facade of legitimacy to their actions and the repositories they control.
Over 2,200 malicious GitHub repositories associated with Stargazer Goblin's ghost accounts were discovered.
A notable January 2024 campaign used these tactics to distribute Atlantida Stealer, a potent malware that exfiltrates passwords and personal information. This attack successfully compromised over 1,300 users in just four days, primarily through Discord channels.
### Stargazer Goblin's Ghost Network: A Sophisticated Malware Distribution System
Stargazer Goblin has redefined malware distribution through a network of fake accounts on GitHub. This network creates a false sense of legitimacy by using multiple accounts to _"star"_ and _"verify"_ malicious links.
***Ghost GitHub Account Participating in the Scheme***
#### Key Features of the Stargazer Ghost Network
- **Automated Operations:** The network frequently reuses tags and images, altering only the target platform (e.g., switching from one social media app to another). This indicates automated operations, enhancing both efficiency and scalability.
- **Malicious Repositories:** README.md files in these repositories often contain malicious download links, sometimes redirecting to the Releases section of a repository. To evade detection, these repositories frequently use password-protected archives.
- **Three-Account Structure:** The network utilizes a three-account setup:
- **Phishing Repository Account:** Hosts the phishing repository template.
- **Template Image Account:** Provides the template image.
- **Malware Archive Account:** Serves the malware as a password-protected archive.
This structure allows Stargazer Goblin to swiftly adapt to bans on accounts or repositories, ensuring minimal disruption to their operations.
#### Network Maintenance and Recovery
The network employs automated systems to detect and mitigate the effects of banned accounts or repositories. When a malware-serving account is banned by GitHub, Stargazer Goblin updates the phishing repository with new links to active malicious releases, ensuring continued operation.
### Campaign Analysis: Stargazer Goblin’s Tactics
CheckPoint Research’s investigation [found](https://research.checkpoint.com/2024/stargazers-ghost-network/) that a January 2024 campaign by Stargazer Goblin distributed Atlantida Stealer malware, likely targeting Twitch users via Discord.
This attack chain leveraged compromised WordPress sites, raising concerns about suspicious GitHub repositories containing WordPress code.
**Attack Chain Overview:**
1. **Initial Click:** Victims click a GitHub phishing link.
2. **Malicious Redirect:** Leads to a malicious script on a compromised WordPress site.
3. **Script Validation:** The script validates the request’s Referer header and IP address.
4. **Final Download:** Redirects to a download page for the malicious payload.
### Malware URL Analysis
Recent commits have revealed several malicious URLs associated with Stargazer Goblin’s campaigns. Below are some instances:
- [https://github.com/bludmooncutie2/bludmooncutie2/releases/tag/latest](https://github.com/bludmooncutie2/bludmooncutie2/releases/tag/latest) (May 28, 2024)
- [https://github.com/witch12138/test/releases/tag/lat](https://github.com/witch12138/test/releases/tag/lat) (May 29, 2024)
- [https://github.com/soulkeeper500/soulkeeper500/releases/tag/lat](https://github.com/soulkeeper500/soulkeeper500/releases/tag/lat) (June 4, 2024)
### ViewBot: A Tool for Artificial Engagement
ViewBot is an automated tool designed to increase social media engagement. It uses social network APIs to simulate natural interactions, including:
- **Live Viewers and Chat Bots**
- **Multi-Account Support**
- **Customizable Intervals**
**Warning:** Using such tools to artificially inflate social media metrics may violate platform terms and result in account suspension.
***Exploits an Iframe to Load External Content and Uses VBScript to Execute PowerShell Commands for System Compromise***
This code contains suspicious elements such as:
- **Iframe loading external content**
- **VBScript executing PowerShell commands**
- **Attempts to hide the console window**
Immediate action is required:
- **Isolate affected systems**
- **Block suspicious URLs**
- **Scan for infections**
- **Update security protocols**
** Please use the following commands for GitHub fee: **
- cek_all - check the status of all latest sensors
- cek_kelembapan - check the latest humidity
- cek_suhu - check the latest temperature
- cek_status - check the latest status
- cek_kondisi - check the latest condition
- cek_lastupdate - check the latest time and date update
