SmartLoader Malware Distributed via GitHub Repositories Posing as Legitimate Projects Infects Users' Computers

Cybersecurity researchers have uncovered a sophisticated malware distribution campaign utilizing GitHub repositories disguised as legitimate software projects.

The SmartLoader malware has been strategically deployed across multiple repositories, capitalizing on users’ trust in the popular code-sharing platform to infiltrate systems worldwide.

The malicious campaign targets users searching for game cheats, software cracks, and automation tools by positioning fraudulent repositories at the top of search results.

SmartLoader distribution site being displayed at the top of Google search results (Source – ASEC)

These repositories appear authentic, complete with professionally crafted README files, project documentation, and realistic file structures that mirror legitimate open-source projects.

The threat actors behind this operation have demonstrated remarkable attention to detail, making their malicious repositories virtually indistinguishable from genuine software projects.

Each malicious repository contains carefully constructed compressed files hosting the SmartLoader payload. When users download and execute these files, they unknowingly initiate a multi-stage infection process that establishes persistent access to their systems.

ASEC analysts identified this widespread distribution method as particularly concerning due to its exploitation of developer and gaming communities’ trust in GitHub as a reliable source for software tools.

Technical Infection Mechanism and Payload Deployment

The SmartLoader infection process begins when users execute the Launcher.cmd file, which serves as the initial attack vector.

This malicious batch file loads an obfuscated Lua script through luajit.exe, a legitimate Lua interpreter that has been weaponized for malicious purposes.

Files inside the compressed file (Source – ASEC)

The malware package consists of four core components: java.exe (the legitimate Lua loader), Launcher.cmd (malicious batch file), lua51.dll (Luajit runtime interpreter), and module.class (obfuscated Lua script).

Once activated, SmartLoader establishes persistence by copying essential files to the %AppData%\ODE3 directory and registering itself in the Windows Task Scheduler as “SecurityHealthService_ODE3”.

The malware immediately captures screenshots and system information, transmitting this data to command-and-control servers through Base64-encoded communications.

The malware’s most dangerous capability lies in its role as a loader for additional payloads.

Analysis revealed that SmartLoader downloads and executes secondary malware including Rhadamanthys infostealer, which targets sensitive information from email clients, FTP applications, and online banking services.

The malware performs process injection into legitimate Windows processes such as openwith.exe, dialer.exe, and dllhost.exe to evade detection.

Communication with C2 servers occurs through encrypted channels, with the malware receiving JSON-formatted commands containing configuration parameters and task lists.

This infrastructure allows threat actors to dynamically update malware behavior and deploy additional payloads based on the infected system’s characteristics.
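The persistence and injection details above translate directly into a host check. The following PowerShell script is an added example written for this article, not code from ASEC or from the malware; it looks for the %AppData%\ODE3 staging folder, the “SecurityHealthService_ODE3” scheduled task, any scheduled task whose executable sits next to a lua51.dll, and the named injection targets (openwith.exe, dialer.exe, dllhost.exe) holding outbound TCP connections. It assumes the task name and folder are exact as reported and that it is run from an elevated PowerShell session on the host being triaged; dllhost.exe hits in particular need manual review, since that binary can have legitimate network activity.

```powershell
# Added hunting script for the SmartLoader artifacts named in the write-up.
# Assumptions: task name and folder exactly as reported; run elevated.

$findings = @()

# 1. Staging directory %AppData%\ODE3
$stage = Join-Path $env:APPDATA 'ODE3'
if (Test-Path $stage) {
    $findings += [pscustomobject]@{ Indicator = 'StagingDir'; Detail = $stage }
    Get-ChildItem -Path $stage -File | ForEach-Object {
        $findings += [pscustomobject]@{ Indicator = 'StagedFile'; Detail = $_.FullName }
    }
}

# 2. The reported scheduled task name
$task = Get-ScheduledTask -TaskName 'SecurityHealthService_ODE3' -ErrorAction SilentlyContinue
if ($task) {
    foreach ($a in $task.Actions) {
        $findings += [pscustomobject]@{ Indicator = 'ScheduledTask'; Detail = "$($a.Execute) $($a.Arguments)" }
    }
}

# 3. Any task whose executable has a lua51.dll beside it (renamed loader + LuaJIT runtime)
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if ([string]::IsNullOrWhiteSpace($a.Execute)) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
        $dir = Split-Path -Path $exe -Parent
        if ($dir -and (Test-Path (Join-Path $dir 'lua51.dll'))) {
            $findings += [pscustomobject]@{ Indicator = 'TaskWithLuaRuntime'; Detail = "$($t.TaskName): $exe" }
        }
    }
}

# 4. Reported injection targets with established non-loopback TCP connections
$targets = 'openwith', 'dialer', 'dllhost'
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($p in Get-Process -Name $targets -ErrorAction SilentlyContinue) {
    $remote = $conns | Where-Object { $_.OwningProcess -eq $p.Id -and $_.RemoteAddress -notmatch '^(127\.|::1$)' }
    if ($remote) {
        $findings += [pscustomobject]@{
            Indicator = 'InjectedProcessNetwork'
            Detail    = "$($p.ProcessName) (PID $($p.Id)) -> $(($remote.RemoteAddress | Select-Object -Unique) -join ', ')"
        }
    }
}

if ($findings.Count -eq 0) { 'No SmartLoader indicators found.' } else { $findings | Format-Table -AutoSize }
```

Check 3 is the most durable of the four: the task name and folder can change between campaigns, but a scheduled task pointing at an executable shipped with lua51.dll in a user-writable directory is unusual on any workstation and is worth a look regardless of what the task is called.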

This campaign highlights the critical importance of verifying software sources and examining repository credibility, commit history, and author authenticity before downloading any GitHub-hosted applications, particularly those related to game modifications or software cracks.
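Beyond checking the repository itself, the archive can be inspected before anything inside it is run. The function below is an added example, not part of the article or the ASEC report; it reads the entry names of a downloaded ZIP without extracting it and reports the SmartLoader file set described above (a .cmd launcher alongside lua51.dll and module.class). The indicator names are taken from the article; the function name and the scoring rule (two or more matches, or any .cmd paired with lua51.dll) are this example's own choices.

```powershell
# Added pre-execution check for a downloaded archive (example, not the project's own code).
# Assumes PowerShell 5.1+ on Windows with the .NET ZipFile class available.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-SmartLoaderArchive {
    param([Parameter(Mandatory)][string]$ZipPath)

    # File names reported for the SmartLoader package (compared case-insensitively)
    $indicators = @('launcher.cmd', 'lua51.dll', 'module.class')

    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        # Entry names only; nothing is extracted or executed
        $names = @($zip.Entries | ForEach-Object { $_.Name.ToLowerInvariant() })
    } finally {
        $zip.Dispose()
    }

    $hits = @($indicators | Where-Object { $names -contains $_ })
    $cmdWithLua = (@($names | Where-Object { $_ -like '*.cmd' }).Count -gt 0) -and ($names -contains 'lua51.dll')

    [pscustomobject]@{
        Archive           = $ZipPath
        MatchedIndicators = ($hits -join ', ')
        Suspicious        = ($hits.Count -ge 2) -or $cmdWithLua
    }
}

# Usage (path is a placeholder):
# Test-SmartLoaderArchive -ZipPath 'C:\Users\<user>\Downloads\tool.zip'
```

A result with Suspicious set to true is a reason to stop and compare the archive against the repository's commit history and author, as the paragraph above advises, rather than a verdict on its own; a legitimate Lua-based tool would also ship lua51.dll.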


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.