The Stargazers Ghost Network is a sophisticated operation consisting of over 3,000 GitHub accounts and thousands of repositories sharing malicious links or malware. Check Point has identified this network, which distributes malware families such as Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine. These fake accounts engage in activities like starring, forking, watching, and subscribing to malicious repositories to make them appear legitimate.

Network Activity:

The network has been active since August 2022, but an advertisement for the service wasn’t discovered on the dark web until early July 2023. According to security researcher Antonis Terefos, “Threat actors now operate a network of ‘Ghost’ accounts that distribute malware via malicious links on their repositories and encrypted archives as releases.”

Categories of GitHub Accounts:

Different categories of GitHub accounts are used to enhance the resilience of their infrastructure against takedown efforts by GitHub:

1. Phishing Repository Template Accounts: Host phishing repository templates.
2. Image Accounts: Provide images for phishing templates.
3. Malware Distribution Accounts: Upload malware to repositories as password-protected archives, disguised as cracked software and game cheats.

When malicious payloads are identified and banned by GitHub, the network updates phishing repositories with new links to active malicious releases, ensuring minimal disruption.

Phishing and Malware Spread:

One campaign uncovered by Check Point involves a malicious link to a GitHub repository that redirects to a PHP script on a WordPress site, ultimately delivering an HTML Application (HTA) file that executes Atlantida Stealer via a PowerShell script. Other malware families distributed through the service include Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro.

Technical Details: Vulnerabilities and Exploitation Methods

Vulnerabilities:

1. Weak Account Security: Many GitHub accounts within the network have been compromised, often due to stolen credentials via stealer malware.
2. Lack of Rigorous Monitoring: GitHub’s monitoring processes sometimes fail to detect malicious accounts until significant damage occurs.
3. Inadequate Phishing Protections: Phishing repository templates can deceive users into downloading malicious content.
4. Insufficient Repository Controls: Malicious repositories can host harmful scripts and software disguised as benign content like cracked software or game cheats.

Exploitation Methods:

1. Phishing: Phishing repository templates trick users into downloading malicious content.
2. Malicious Links: Repositories contain links to external sites that host malware.
3. Password-Protected Archives: Malware is distributed as password-protected archives to evade detection.
4. Compromised Accounts: Previously compromised accounts are used to host and distribute malware, leveraging the credibility of legitimate accounts.

Recommendations from Cybersecurity Experts:

• Verify Updates: System administrators should verify updates before pushing them directly into the production environment. Updates and patches should be thoroughly tested in a staging environment first.
• Review Disaster Recovery Plans: Ensure your disaster recovery (DR) plan is robust and effective. Organizations should review and update their DR plans to handle business operation disruptions effectively.
• Communicate through Official Channels: Ensure communication with GitHub representatives is through official channels to avoid misinformation.
• Implement Mitigation Steps: Follow the detailed steps provided in this advisory to resolve issues and restore system functionality.
• Remain Vigilant: Be aware of potential phishing and malicious activities exploiting this incident. Verify instructions from legitimate sources and educate employees on avoiding phishing emails and suspicious links.
• Stay Updated: Regularly check GitHub and cybersecurity expert support portals for the latest updates and guidance.

Mitigating Such Threats:

1. Strengthen Account Security: Implement multi-factor authentication (MFA) for all GitHub accounts to add an extra layer of security.
2. Enhance Monitoring: Use advanced threat detection tools to continuously monitor for suspicious activities within repositories.
3. Educate Users: Regularly train employees and users on recognizing phishing attempts and the importance of verifying the authenticity of repositories.
4. Limit Repository Permissions: Restrict permissions and access controls for repositories to minimize the risk of malicious uploads.
5. Implement Automated Scans: Use automated security tools to scan repositories for malicious content and enforce code review processes.
6. Regular Security Audits: Conduct regular security audits of all repositories and accounts to identify and mitigate potential vulnerabilities.