Ghost accounts on GitHub: Organized malware slinger with a system

An attacker called Stargazer Goblin provides templates for various attacks. A network of ghost accounts helps distribute malware.


(Image: AI Dall-E / edited by iX)

This article was originally published in German and has been automatically translated.

Security researchers from Check Point have discovered a network of ghost accounts on GitHub that distributes malware. In addition to repositories with malware, the Stargazers Ghost Network offers services to efficiently distribute malicious code via GitHub.

The user behind the network is Stargazer Goblin, which has been offering its services since at least June 2023. However, Check Point assumes that the first campaigns started as early as August 2022.

According to Check Point Security estimates, the network consists of a good 3,000 accounts, only some of which manage repositories with malicious code or links to malware. Some of the links point to external websites, others to the release section of other GitHub repositories that host the malicious code. The malware itself is presumably mostly password-protected so that GitHub's scanners cannot detect it.

However, the majority of accounts do not have repositories with content, but serve to increase the reputation of the malware repositories so that they look like regular open source repositories.

Several accounts with different repositories work together to distribute the malware: one hosts the malicious code, another holds the readme with the link to it, and ghost accounts "launch" the repository by starring it.

(Image: Check Point Research)

An important GitHub metric is the number of stars displayed above the repository. Many stars indicate that many users are already interested in the content. The name Stargazer probably refers to this "starring", as the awarding of stars is called in English. The stars awarded by the ghost accounts give the repository a good reputation.

But that's not all: apparently some accounts have also forked the repositories, which is also meant to signal a high level of interest in the code. Unlike the attack uncovered in March, which used countless clone repositories to distribute malware, Stargazer Goblin apparently relies on (supposed) quality through stars rather than quantity through sheer mass.

Check Point estimates the number of ghost accounts based on a discovered scheme: a simple username followed by a number. Both are repeated in the corresponding readme. Apart from the additional license file, the repositories are empty.

A good 1100 accounts correspond to the standard scheme that Stargazer uses for the content of the ghost accounts.
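The scheme described above (username plus number, the name repeated in the readme, repositories empty apart from a license file) can be turned into a defender-side heuristic for checking who is starring a repository. The following is an added example, not code from Check Point or the article; the account and repository data are constructed inline, and the thresholds and the exact regex are assumptions.

```python
import re
from dataclasses import dataclass, field

# Ghost-account traits from the Check Point description: a simple username
# followed by a number, the same name repeated in the README, and repos that
# are empty apart from a license file. Regex and file list are assumptions.
GHOST_LOGIN = re.compile(r"^[A-Za-z]+\d+$")
NON_CONTENT = {"license", "license.md", "license.txt", "readme.md", "readme"}

@dataclass
class Repo:
    files: list[str]        # file names at the repository root
    readme: str = ""        # README text, "" if there is none

@dataclass
class Account:
    login: str
    repos: list[Repo] = field(default_factory=list)

def ghost_signals(acct: Account) -> list[str]:
    """Return the ghost-account traits this account exhibits (empty = none)."""
    signals = []
    if GHOST_LOGIN.match(acct.login):
        signals.append("name+number login")
    if acct.repos and all({f.lower() for f in r.files} <= NON_CONTENT for r in acct.repos):
        signals.append("only license/readme files")
    if acct.repos and all(r.readme and acct.login in r.readme for r in acct.repos):
        signals.append("login repeated in readme")
    return signals

def is_ghost(acct: Account) -> bool:
    """No repos: the name pattern alone counts; with repos: all three traits must hold."""
    sig = ghost_signals(acct)
    if not acct.repos:
        return "name+number login" in sig
    return len(sig) == 3

def ghost_star_share(stargazers: list[Account]) -> float:
    """Fraction of a repository's stargazers that look like ghost accounts."""
    if not stargazers:
        return 0.0
    return sum(is_ghost(a) for a in stargazers) / len(stargazers)

# Constructed sample stargazers of one repository (not real GitHub accounts)
SAMPLE = [
    Account("alice", [Repo(["src", "README.md", "LICENSE"], "# alice's tools")]),
    Account("user123", [Repo(["LICENSE", "README.md"], "# user123\nuser123")]),
    Account("user124", [Repo(["LICENSE", "README.md"], "# user124")]),
    Account("user125"),                                   # stars only, owns nothing
    Account("bob42", [Repo(["main.py", "LICENSE"], "# bob42")]),
]
```

A high share of such stargazers on a fresh repository is a reason to treat its star count as meaningless, not proof of malice on its own.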

(Image: Check Point Research)

The attackers use templates in their repositories that they adapt for different platforms such as TikTok, Twitch and Instagram and distribute via different repositories. Individual templates for different target groups entice users with cheats for gamers or tools to increase follower numbers for influencers.

They use different malware families. In one wave of attacks, the network distributed the Atlantida Stealer, which, among other things, steals credentials and cryptocurrencies. According to Check Point Research, 1300 people fell victim to the attack in four days. The links to the GitHub repositories were presumably distributed via Discord at the time. The attackers used compromised WordPress pages as an intermediate station. Another attack reached a good 1000 users in two weeks with the Rhadamanthys malware. The network also distributed Lumma Stealer, RedLine and RisePro.

The path from the link in the GitHub repository to the actual Atlantida Stealer went via several WordPress pages and used obfuscated Visual Basic code to download the actual malware via PowerShell.

(Image: Check Point Security)

The security researchers suspect that Stargazer Goblin also used the attacks to obtain access data for GitHub and other platforms such as YouTube, Discord, Instagram, X and Facebook and to incorporate the hijacked accounts into its ghost account network.

Stargazer Goblin also offers the ghost account network as a service. Check Point Research found an advertisement in English and Russian in a dark web forum at the beginning of July, which primarily has starring and other services for GitHub repositories on the price list: 100 stars cost 10 US dollars. There are also extended offers for forks, watches and the cloning of repositories.

Looking for GitHub stars or forks? The Stargazers Ghost Network has a few offers.

(Image: Check Point Research)

Further details can be found on the Check Point Security blog. Another article from Check Point Research goes into more detail about the individual attacks.

(rme)