Stargazers Ghost Network Created via Fake GitHub Accounts to Spread Malware

A sophisticated threat actor known as Stargazer Goblin has built a sprawling network of fake GitHub accounts to facilitate a Distribution-as-a-Service (DaaS) operation. This scheme has been instrumental in spreading various information-stealing malware, generating illicit profits amounting to $100,000 over the past year.

The Stargazers Ghost Network

This extensive network, named "Stargazers Ghost Network" by Check Point researchers, consists of over 3,000 GitHub accounts. These accounts are utilized to distribute malicious links and malware across thousands of repositories. The malware families disseminated via this network include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.

Structure and Strategy

The Stargazers Ghost Network employs several strategies to maintain its operations and evade detection:

  • Account Diversity: Different accounts are tasked with specific roles such as hosting phishing templates, providing images, or distributing malware disguised as cracked software or game cheats.
  • Resilience Tactics: When GitHub detects and bans certain accounts, the network quickly adapts by updating repositories with new links, minimizing operational disruption.
  • Legitimacy Mimicry: The accounts engage in activities like starring, forking, and watching repositories to create a semblance of legitimacy.
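The starring, forking and watching described above leaves a measurable trace: the accounts doing it tend to be new, empty and unconnected. The triage heuristic below is an added example (not code from Check Point or from this article) that scores a repository's stargazers on those traits from profile fields of the kind GitHub's REST API returns for a user (login, created_at, public_repos, followers, following); the sample profiles, the weights and the threshold are constructed assumptions for illustration.

```python
"""Flag repositories whose stargazers look like 'ghost' accounts."""
from datetime import datetime, timezone

# Constructed sample modelled on GET /users/{username} fields (not real accounts).
SAMPLE_STARGAZERS = [
    {"login": "ghost-a1", "created_at": "2024-06-01T00:00:00Z",
     "public_repos": 0, "followers": 0, "following": 0},
    {"login": "ghost-b2", "created_at": "2024-07-10T00:00:00Z",
     "public_repos": 1, "followers": 0, "following": 0},
    {"login": "ghost-c3", "created_at": "2024-05-15T00:00:00Z",
     "public_repos": 0, "followers": 0, "following": 0},
    {"login": "dev-maria", "created_at": "2015-03-02T00:00:00Z",
     "public_repos": 42, "followers": 120, "following": 35},
    {"login": "newdev", "created_at": "2024-07-01T00:00:00Z",
     "public_repos": 3, "followers": 2, "following": 10},
]

# Fixed "now" so the scoring is reproducible offline.
NOW = datetime(2024, 7, 29, tzinfo=timezone.utc)


def account_age_days(created_at: str, now: datetime = NOW) -> int:
    """Days between the profile's created_at timestamp and `now`."""
    created = datetime.fromisoformat(created_at.replace("Z", "+00:00"))
    return (now - created).days


def ghost_score(user: dict, now: datetime = NOW) -> int:
    """Assumed weights: young account +2, no repos +1, no social graph +1."""
    score = 0
    if account_age_days(user["created_at"], now) < 90:
        score += 2
    if user["public_repos"] == 0:
        score += 1
    if user["followers"] == 0 and user["following"] == 0:
        score += 1
    return score


def triage_stargazers(users: list, now: datetime = NOW, threshold: int = 3):
    """Return (flagged logins, fraction of stargazers flagged)."""
    flagged = [u["login"] for u in users if ghost_score(u, now) >= threshold]
    share = len(flagged) / len(users) if users else 0.0
    return flagged, share


if __name__ == "__main__":
    logins, share = triage_stargazers(SAMPLE_STARGAZERS)
    print(f"flagged {logins}; {share:.0%} of stargazers look like ghosts")
```

A high flagged share is a triage signal for review, not proof of abuse: genuine new projects also attract brand-new accounts, so combine it with the repository's own history before acting.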

The Role of 'Ghost' Accounts

According to security researcher Antonis Terefos, the network of 'Ghost' accounts not only distributes malware but also engages in activities that make these accounts appear as legitimate users. This tactic helps in avoiding suspicion and maintaining the longevity of their malicious repositories.

Ongoing Operations and Adjustments

Active since August 2022, the Stargazers Ghost Network was first advertised as a DaaS in July 2023. One notable campaign involved a malicious GitHub link leading to a PHP script on a WordPress site, which ultimately executed the Atlantida Stealer via a PowerShell script. Other malware families like Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro are also propagated through this network.

Multi-Platform Expansion

The network is not confined to GitHub alone; it operates similar 'Ghost' accounts on platforms such as Discord, Facebook, Instagram, X, and YouTube. This multi-platform presence enhances the resilience and reach of their malicious operations.

Recent Extortion Campaigns

In a related development, unknown threat actors have been targeting GitHub repositories since February 2024. These attackers wipe repository contents and demand ransom via Telegram under the guise of a user named Gitloker. This attack employs phishing emails to trick developers into authorizing a malicious OAuth app that erases repository data.

Security Advisory: CFOR Vulnerability

Truffle Security has issued an advisory highlighting the potential for accessing sensitive data from deleted forks and private repositories on GitHub. Known as a Cross Fork Object Reference (CFOR) vulnerability, the issue arises because commits pushed to any repository in a fork network remain accessible through that fork network, even after the repository they were pushed to is deleted or made private.

Stargazer Goblin's sophisticated use of GitHub for distributing malware showcases the evolving tactics of threat actors in exploiting legitimate platforms. As these operations become more intricate, security measures must continually adapt to address new vulnerabilities and safeguard against such malicious networks.

July 29, 2024