Hackers Exploit GitHub to Distribute Malware Disguised as VPN Software
CYFIRMA has discovered a sophisticated cyberattack campaign in which threat actors are using GitHub to host and disseminate malware masquerading as genuine software.
Masquerading as “Free VPN for PC” and “Minecraft Skin Changer,” these malicious payloads are designed to trick users into downloading a dangerous malware dropper named Launch.exe.
Hosted on the GitHub repository github[.]com/SAMAIOEC, these files are accompanied by detailed instructions and packaged in password-protected ZIP files to evade browser-based security scans.
This abuse of a trusted platform like GitHub highlights the growing trend of cybercriminals exploiting open-source repositories to spread malware, preying on users seeking free tools or game mods.
Deceptive Lures Target Unsuspecting Users
A deep dive into the malware reveals a multi-stage attack chain engineered for stealth and evasion.
The primary executable, Launch.exe, with an MD5 hash of bbc7fc957d4fff6a55bd004a3d124dda, serves as the initial dropper.
Upon execution, it decodes a Base64-encoded DLL payload hidden behind meaningless French text, applying additional obfuscation through bitwise transformations in the SinCosMath() function.

This payload is dropped as msvcp110.dll in the user's AppData\Roaming directory and dynamically loaded into memory using Windows API calls such as LoadLibrary() and GetProcAddress().
The DLL, exhibiting high entropy suggestive of packing, employs anti-debugging techniques such as IsDebuggerPresent() to terminate under analysis environments and uses excessive control flow to frustrate reverse engineering efforts.
Lumma Stealer Campaign
The campaign’s ultimate goal is to deploy Lumma Stealer, a notorious information-stealing malware, via process injection into legitimate Windows binaries like MSBuild.exe and aspnet_regiis.exe.
According to the CYFIRMA report, these trusted processes are abused to bypass security controls, with low-level API calls such as VirtualAlloc() and NtWriteVirtualMemory() facilitating in-memory execution of the payload.
Dynamic analysis also revealed attempts to connect to a suspected command-and-control (C2) domain, explorationmsn[.]store, alongside other infrastructure aligning with known Lumma Stealer patterns.
Despite detailed static analysis unravelling obfuscation tactics and mapping behaviors to MITRE ATT&CK techniques like DLL side-loading (T1574.002) and masquerading (T1036), the threat actor’s identity remains elusive, emphasizing the need for proactive defense measures.
This campaign underscores the critical importance of vigilance when downloading software from platforms like GitHub.
Organizations and individuals must block identified C2 domains, restrict executable downloads from unverified sources, and monitor for suspicious activities such as DLLs in user directories or unusual API usage.
User education on the risks of free tools, combined with behavior-based detection via EDR solutions and the application of provided YARA rules, can significantly mitigate such threats.
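As an added illustration (not code from the CYFIRMA report or from the article), the following Python sketch turns the monitoring advice above into three checks run over constructed image-load records: a DLL loaded from a user profile directory, a well-known system DLL name appearing outside the Windows system directories (the msvcp110.dll masquerade), and a trusted binary such as MSBuild.exe loading a module from a user directory. The record shape and the DLL names other than msvcp110.dll are assumptions.

```python
import re

# Constructed image-load records in a simplified Sysmon-like shape (event ID 7).
# These are sample inputs written for this example, not telemetry from the report.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Users\alice\Downloads\Launch.exe",
     "image_loaded": r"C:\Users\alice\AppData\Roaming\msvcp110.dll"},
    {"pid": 4120, "image": r"C:\Users\alice\Downloads\Launch.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},
    {"pid": 5200, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "image_loaded": r"C:\Users\alice\AppData\Roaming\msvcp110.dll"},
    {"pid": 6011, "image": r"C:\Program Files\App\app.exe",
     "image_loaded": r"C:\Windows\System32\msvcp110.dll"},
]

# msvcp110.dll is the name used in the campaign; the other runtime names are an
# assumption added so the masquerading check covers a few commonly impersonated DLLs.
KNOWN_SYSTEM_DLLS = {"msvcp110.dll", "msvcr110.dll", "version.dll", "dbghelp.dll"}
# Trusted binaries the report names as process-injection targets.
INJECTION_HOSTS = {"msbuild.exe", "aspnet_regiis.exe"}
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the rules that fire for one image-load event."""
    hits = []
    dll = event["image_loaded"]
    in_profile = bool(USER_PROFILE_RE.match(dll))
    if in_profile:
        hits.append("dll_loaded_from_user_profile")
    if basename(dll) in KNOWN_SYSTEM_DLLS and not SYSTEM_DIR_RE.match(dll):
        hits.append("system_dll_name_outside_system_dir")  # T1036 / T1574.002
    if basename(event["image"]) in INJECTION_HOSTS and in_profile:
        hits.append("trusted_host_loaded_user_profile_dll")
    return hits


def scan(events):
    """Map (pid, dll name) to the rules that fired; events with no hits are dropped."""
    findings = {}
    for e in events:
        hits = classify(e)
        if hits:
            findings[(e["pid"], basename(e["image_loaded"]))] = hits
    return findings
```

The fourth record shows the benign case: the same DLL name loaded from System32 raises nothing, which keeps the masquerading rule from flagging every legitimate Visual C++ runtime load.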
Indicators of Compromise (IOCs)