September 4, 2024 By Jennifer Gregory 3 min read

In the past, cyber criminals directly distributed malware on GitHub using encrypted scripting code or malicious executables. But now threat actors are turning to a new tactic to spread malware: creating ghost accounts.

A highly effective malware campaign

Check Point Research recently exposed a new distribution-as-a-service (DaaS) network, referred to as the Stargazers Ghost Network, that has been spreading malware on GitHub for at least a year. Because the accounts also carried out ordinary GitHub activity, users did not realize they were being used for malicious purposes.

By targeting users who wanted to increase their followers on YouTube, Twitch and Instagram, the ghost accounts distributed malicious links through Discord channels to the GitHub repositories. Because the malicious links go to content that is starred and verified, other users assume that the repositories are legitimate. However, the high number of stars is what tipped off Check Point researchers that the accounts were suspicious.

“In a short period of monitoring, we discovered more than 2,200 malicious repositories where ‘ghost’ activities were occurring. During a campaign that took place around January 2024, the network distributed Atlantida stealer, a new malware family that steals user credentials and cryptocurrency wallets along with other personally identifiable information (PII). This campaign was highly effective, as in less than four days, more than 1,300 victims were infected with Atlantida stealer,” wrote Antonis Terefos in the Check Point Research report.

By using three GitHub accounts working together, the Stargazers Ghost Network manages to avoid detection by GitHub. The attack begins when a threat actor attaches a README.md file containing a phishing download link that points to a release in an external repository. One account serves the phishing repository template, while another account provides the phishing image template. The third account serves the malware itself as a password-protected archive in a release; this is the account most often detected and banned by GitHub. When that happens, the threat actor simply restarts the attack by placing a new link in the first account.
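The three-account pattern above leaves a defender two cheap signals: a README that sends users to a release archive hosted under a different account than the one hosting the README, and a star count that arrived in a single burst rather than organically. The Python below is an added illustration of checking both signals; it is not code from the Check Point report or from GitHub, and the README text, owner names and star timestamps are constructed.

```python
import re
from datetime import datetime, timedelta
# Matches https://github.com/<owner>/<repo>/releases/download/<tag>/<file>
RELEASE_LINK = re.compile(
    r"https?://github\.com/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)/releases/download/[^\s)\"'>]+"
)
ARCHIVE_EXT = (".zip", ".rar", ".7z")

def external_archive_links(readme_text, hosting_owner):
    """Release-download links that fetch an archive from a repo owned by
    someone other than the account hosting the README."""
    hits = []
    for m in RELEASE_LINK.finditer(readme_text):
        url = m.group(0)
        if m.group("owner").lower() != hosting_owner.lower() and url.lower().endswith(ARCHIVE_EXT):
            hits.append(url)
    return hits

def star_burst_ratio(star_times, window=timedelta(hours=24)):
    """Largest share of stars that arrived inside any single window; organic
    repos grow gradually, while a ratio near 1.0 means one purchased burst."""
    times = sorted(star_times)
    if not times:
        return 0.0
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1          # slide the window forward
        best = max(best, end - start + 1)
    return best / len(times)

# Constructed sample README (not from any real repository).
SAMPLE_README = """# Follower Booster
Grow your YouTube/Twitch/Instagram followers fast. Download the latest build:
https://github.com/release-holder/booster/releases/download/v1.0/booster.zip
"""
# Constructed star history: 90 stars within 90 minutes, 10 spread over ten days.
_t0 = datetime(2024, 1, 15, 12, 0)
SAMPLE_STARS = ([_t0 + timedelta(minutes=i) for i in range(90)]
                + [_t0 - timedelta(days=d) for d in range(1, 11)])

def assess(readme_text, hosting_owner, star_times):
    """Combine both signals into a simple triage verdict."""
    links = external_archive_links(readme_text, hosting_owner)
    ratio = star_burst_ratio(star_times)
    return {"links": links, "star_burst_ratio": ratio,
            "suspicious": bool(links) and ratio >= 0.8}

if __name__ == "__main__":
    print(assess(SAMPLE_README, "template-holder", SAMPLE_STARS))
```

Star timestamps are available from the GitHub stargazers API when requested with the timestamp media type; the check is a triage heuristic, and a flagged repository still needs a human look.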


Dark web payouts

As part of the investigation, Terefos also discovered another part of the scheme — using the ghost accounts to make money on the dark web. Check Point estimates that malicious activity between mid-May and mid-June 2024 earned the Stargazers Ghost Network approximately $8,000. Over its entire lifespan, Check Point estimates the scheme brought in around $100,000.

On July 8, 2023, Terefos’s team discovered that the Stargazers Ghost Network had taken out a banner advertisement on the dark web. Cyber criminals could “hire” the ghost accounts for a wide range of services on GitHub, including starring, following, forking and watching both accounts and repositories. The prices for these services varied, such as $10 for starring 100 accounts and $2 to provide a trusted account with an “aged” repository. In addition to ad banners, the cyber criminals also used another typical marketing tactic: discounting. Threat actors who spend over $500 with the Stargazers Ghost Network can get a discount on the services.

GitHub takes action

After learning about the 3,000 ghost accounts, GitHub took action to stop the spread of malware. “We disabled user accounts in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” Alexis Wales, Vice President of Security Operations at GitHub, told Wired. “We have teams dedicated to detecting, analyzing and removing content and accounts that violate these policies.”

However, Check Point researchers believe that they have just uncovered the beginning of the operations for Stargazer Goblin, which is the group organizing the network. The report explains that they think the universe of ghost accounts operates across many other platforms, including YouTube, Discord, Instagram and Facebook. Because these channels can also be used to distribute links and malware through posts, repositories, videos and tweets, Check Point thinks that these accounts are operating like the GitHub scheme, meaning that this is likely just the beginning of a new tactic.

“Future ghost accounts could potentially utilize artificial intelligence (AI) models to generate more targeted and diverse content, from text to images and videos. By considering targeted users’ replies, these AI-driven accounts could promote phishing material not only through standardized templates but also through customized responses tailored to real users’ needs and interactions. A new era of malware distribution is here, where we expect these types of operations to occur more frequently, making it increasingly difficult to distinguish legitimate content from malicious material,” concluded the Check Point report.
