September 4, 2024 By Jennifer Gregory 3 min read

In the past, cyber criminals directly distributed malware on GitHub using encrypted scripting code or malicious executables. But now threat actors are turning to a new tactic to spread malware: creating ghost accounts.

A highly effective malware campaign

Check Point Research recently exposed a new distribution-as-a-service (DaaS) network, referred to as the Stargazers Ghost Network, that has been spreading malware on GitHub for at least a year. Because the accounts perform typical activities as well, users did not realize that the accounts were performing malicious activities.

By targeting users who wanted to increase their followers on YouTube, Twitch and Instagram, the ghost accounts distributed malicious links through Discord channels to the GitHub repositories. Because the malicious links go to content that is starred and verified, other users assume that the repositories are legitimate. However, the high number of stars is what tipped off Check Point researchers that the accounts were suspicious.

“In a short period of monitoring, we discovered more than 2,200 malicious repositories where ‘ghost’ activities were occurring. During a campaign that took place around January 2024, the network distributed Atlantida stealer, a new malware family that steals user credentials and cryptocurrency wallets along with other personally identifiable information (PII). This campaign was highly effective, as in less than four days, more than 1,300 victims were infected with Atlantida stealer,” wrote Antonis Terefos in the Check Point Research report.

By using three GitHub accounts working together, Stargazers Ghost Network manages to avoid detection by GitHub. The attack begins when a threat actor attaches a README.md file containing a phishing download link to an external repository’s release. One account serves the phishing repository template, while another account provides the phishing image template. The third account then serves the malware as a password-protected archive in a release, which is sometimes where the attack is detected, and then the third account is banned by GitHub. If that happens, then the threat actor starts the attack again with a new link in the first account.

Explore ransomware protection solutions

Dark web payouts

As part of the investigation, Terefos also discovered another part of the scheme — using the ghost accounts to make money on the dark web. CheckPoint estimates that malicious activity between mid-May and mid-June 2024 earned the Stargazers Ghost Network approximately $8,000. Over its entire lifespan, Check Point estimates the scheme brought in around $100,000.

On July 8, 2023, Terefos’s team discovered that the Stargazers Ghost Network had taken out a banner advertisement on the dark web. Cyber criminals could “hire” the ghost account for a wide range of services on GitHub, including starring, following, forking and watching both accounts and repositories. The prices for these services varied, such as $10 for starring 100 accounts and $2 to provide a trusted account with an “aged” repository. In addition to ad banners, the cyber criminals also used another typical marketing tactic: discounting. Threat actors who spend over $500 with Stargazers Ghost Network can get a discount on the services.

GitHub takes action

After learning about the 3,000 ghost accounts, GitHub took action to stop the spread of malware. “We disabled user accounts in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” Alexis Wales, Vice President of Security Operations at GitHub, told Wired. “We have teams dedicated to detecting, analyzing and removing content and accounts that violate these policies.”

However, Check Point researchers believe that they have just uncovered the beginning of the operations for Stargazer Goblin, which is the group organizing the network. The report explains that they think the universe of ghost accounts operates across many other platforms, including YouTube, Discord, Instagram and Facebook. Because these channels can also be used to distribute links and malware through posts, repositories, videos and tweets, Check Point thinks that these accounts are operating like the GitHub scheme, meaning that this is likely just the beginning of a new tactic.

“Future ghost accounts could potentially utilize artificial intelligence (AI) models to generate more targeted and diverse content, from text to images and videos. By considering targeted users’ replies, these AI-driven accounts could promote phishing material not only through standardized templates but also through customized responses tailored to real users’ needs and interactions. A new era of malware distribution is here, where we expect these types of operations to occur more frequently, making it increasingly difficult to distinguish legitimate content from malicious material,” concluded the Check Point report.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today