Threat actors often target the popular code repository platform GitHub because of its wide use and the features the platform offers.
Cybersecurity analysts at Gen Digital recently discovered that threat actors are exploiting GitHub to propagate an information stealer, "Lumma."
This sophisticated malware is classified as an InfoStealer and is actively promoted through GitHub repositories.
Lumma is designed to exfiltrate sensitive data, including login credentials, financial information, and cryptocurrency wallets, from infected systems.
Technical Analysis
Lumma Stealer is an advanced malware developed by professional cybercriminals, and it is one of the most advanced stealers in the wild.
Sold under a Malware-as-a-Service (MaaS) model, it is operated to hijack sensitive data including passwords saved in browsers, cookies, cryptocurrency wallets, and email client data.
This is also one of the very few instances where Lumma has introduced new attack vectors, such as abusing recovered session cookies during Google account login, a technique that is fairly straightforward.
The malware's operators continuously add new comments, outpacing GitHub's removal efforts. These comments contain links to encrypted archives on mediafire[.]com, often protected with the password "changeme".
As for the malicious comments on GitHub, their sheer volume remains a challenge, and victims endanger their data as soon as they download and unpack the archives.
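As an added defender-side example (not code from Gen Digital's research), a small Python triage script that flags comments matching the pattern described above: a link to a file-hosting archive combined with an inline password such as "changeme". The sample comment bodies, the host list and the scoring weights are constructed for illustration.

```python
import re

# Constructed sample comment bodies (invented for this example, not real GitHub comments).
SAMPLE_COMMENTS = [
    {"id": 1, "body": "Fixed build on Ubuntu 22.04, see PR #12."},
    {"id": 2, "body": "Working crack here: https://www.mediafire.com/file/abc123/setup.rar password: changeme"},
    {"id": 3, "body": "Full tutorial + files -> hxxps://mediafire[.]com/file/xyz/pack.zip (pass changeme)"},
    {"id": 4, "body": "Uploaded logs to https://example.com/logs.txt for review."},
]

# Matches normal and defanged (hxxp) URLs up to the next whitespace or closing bracket.
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s<>\"')]+", re.IGNORECASE)
# Matches an inline password hint such as "password: x", "pass x" or "pw=x".
PASSWORD_RE = re.compile(r"\b(?:password|pass|pw)\b\s*[:=\-]?\s*([^\s]+)", re.IGNORECASE)
# File-hosting services named in the article; extend to taste.
FILE_HOSTS = ("mediafire.com", "dropbox.com")
ARCHIVE_EXT = (".zip", ".rar", ".7z")


def refang(url: str) -> str:
    """Normalise defanged URLs ('hxxp', '[.]') so host matching works."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def host_of(url: str) -> str:
    """Return the lower-cased host without a leading 'www.'."""
    m = re.match(r"https?://([^/]+)", refang(url), re.IGNORECASE)
    return m.group(1).lower().removeprefix("www.") if m else ""


def score_comment(body: str) -> dict:
    """Extract indicators from one comment body and compute a simple risk score."""
    urls = [refang(u) for u in URL_RE.findall(body)]
    hosted = [u for u in urls if any(host_of(u).endswith(h) for h in FILE_HOSTS)]
    archives = [u for u in hosted if u.lower().rstrip(")").endswith(ARCHIVE_EXT)]
    pw = PASSWORD_RE.search(body)
    password = pw.group(1).rstrip(")") if pw else None
    score = 0
    score += 2 if hosted else 0          # link to a file-hosting service
    score += 1 if archives else 0        # ...and it points at an archive
    score += 1 if password else 0        # an inline password hint
    score += 2 if password and password.lower() == "changeme" else 0  # the password seen in this campaign
    return {"urls": hosted, "password": password, "score": score}


def suspicious_comments(comments, threshold: int = 4) -> list:
    """Return the ids of comments whose score reaches the threshold."""
    return [c["id"] for c in comments if score_comment(c["body"])["score"] >= threshold]
```

Running `suspicious_comments(SAMPLE_COMMENTS)` over the constructed input flags comments 2 and 3 and leaves the benign ones alone.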
Cybercriminals are adjusting their strategies, utilizing resources like GitHub and YouTube to distribute malware like Lumma Stealer.
These campaigns are often disguised as "fake tutorials" or offer cracked versions of software, targeting users who are seeking free alternatives.
Whereas the current attacks can be readily identified by their poor English, later attacks may become more convincing as the threat actors use generative AI to compose their messages.
This trend spans multiple platforms, with attackers using various hosting services like Dropbox to spread malware.
Free software offers are seeded with malware, and such offers are used to infect users with fake programs and software installers.
With paid advertisements, as social media advertising practices improve, identifying and attributing malicious advertisements across social media and developer platforms may become increasingly challenging.
Recommendations
The recommendations are as follows:
- Use reliable antivirus software
- Change your passwords
- Reset all the active sessions
- Enable two-factor authentication (2FA)
- Keep your antivirus up to date