Ongoing malvertising campaign targets European IT workers with fake GitHub Desktop installers


Researchers have spotted a malvertising campaign, backed by an unusually careful malware delivery chain, that targets IT workers in the European Union with fake GitHub Desktop installers.

“We believe the goal of this campaign was to gain initial access to organizations for the purposes of malicious activity such as credential theft, infostealing and ransomware deployment,” Arctic Wolf researchers noted.

Delivering malware without triggering alerts or suspicion

The campaign, which has apparently been running for over half a year, involves a clever delivery chain.

The attackers use malicious Google Ads to trick users into visiting a specific commit in a legitimate GitHub repository, whose README file has been modified to look like a genuine download page for the GitHub Desktop app:

A commit “hosting” a fake download page for GitHub Desktop (Source: Arctic Wolf)

The download links on that page, however, point to a lookalike domain (gitpage[.]app) controlled by the threat actor, which serves the malicious executables.

macOS users who click the download link get a version of the infamous Atomic Stealer (AMOS).

Windows users get a “bloated” Microsoft Software Installer (MSI) file that mimics the legitimate GitHub Desktop installer. It contains a malicious executable and over 100 dummy ones, which are there to complicate malware analysis by AV products and analysts, and to make the file big enough to prevent execution on many online sandboxes.

“The threat actor behind this campaign appears to understand very well how malware analysis works,” the researchers noted.

This particular malicious payload deliberately refuses to decrypt itself or run on systems that don’t have a real GPU, or whose GPU device name is shorter than 10 characters.

“Systems without proper GPU drivers are likely to be virtual machines (VMs), sandboxes, or older analysis environments that security researchers commonly use,” the researchers explained. Also, “virtual machines and analysis environments often have simplified or generic GPU device names that are shorter than real hardware names.”

If the Windows payload finds itself on a “usable” machine, it decrypts itself and runs a PowerShell script that copies itself to the user’s %APPDATA% directory for persistence and checks whether it is running with admin privileges.

If it’s not, it asks the user to grant it higher privileges via a UAC prompt – but only once, as repeated requests may raise the victim’s suspicion.

If it has, or manages to gain, admin privileges, it uses them to perform other actions to avoid detection, such as:

  • Adding exclusions to Windows Defender so that it doesn’t scan the folders the malware uses to stash malicious components
  • Creating a scheduled task configured with the highest privilege level so it will always run when a user logs on to the system
  • Creating a marker file to prevent repeated execution (so as not to consume a lot of system resources)
  • Running itself in a background process (to complicate forensic analysis)

“As the final step, the PowerShell script downloads a ZIP archive and extracts it into the TEMP folder. Once unpacked, it executes the included .exe file. Although the executable itself is legitimate, it loads a malicious DLL placed alongside it that enables DLL sideloading, allowing the threat actors to keep a low profile,” the researchers added.

“The modular payload download system retrieves ZIP archives containing secondary malware components from remote infrastructure, based on system characteristics and operational requirements.”
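The execution chain described above leaves host artifacts that a responder can look for without any published IOCs: a GPU name that does or does not clear the gate, Defender path exclusions, a logon-triggered scheduled task running at the highest level, and a legitimate executable dropped beside a DLL in TEMP. The following read-only triage script is an added example and is not code from the Arctic Wolf report or this article; the paths, regex patterns and the 10-character threshold are assumptions taken from the description above, not from the malware itself.

```powershell
# Added example (not from the Arctic Wolf report): read-only host triage for the
# artifacts described in the article. Patterns and thresholds are assumptions.

# 1. Would this host pass the GPU gate? The payload reportedly stays encrypted
#    when the GPU device name is shorter than 10 characters. Knowing the answer
#    tells you whether your analysis VM will ever see the decrypted payload.
$gpuNames = Get-CimInstance Win32_VideoController | Select-Object -ExpandProperty Name
foreach ($n in $gpuNames) {
    $verdict = if ($n.Length -ge 10) { 'passes gate' } else { 'FAILS gate (payload stays dormant here)' }
    Write-Output ("GPU '{0}' ({1} chars): {2}" -f $n, $n.Length, $verdict)
}

# 2. Defender path exclusions under user-writable locations. The script reportedly
#    excludes the folders it stages components in; exclusions under a profile,
#    AppData or Temp deserve a second look.
$exclusions = (Get-MpPreference).ExclusionPath
foreach ($p in $exclusions) {
    if ($p -match '(?i)\\(AppData|Temp|Users)\\') {
        Write-Output "SUSPECT Defender exclusion: $p"
    }
}

# 3. Scheduled tasks with RunLevel Highest, a logon trigger, and an action that
#    points into AppData/Temp or launches PowerShell.
Get-ScheduledTask | ForEach-Object {
    $task      = $_
    $isHighest = $task.Principal.RunLevel -eq 'Highest'
    $atLogon   = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    $actions   = $task.Actions  | Where-Object { "$($_.Execute) $($_.Arguments)" -match '(?i)(AppData|Temp|powershell)' }
    if ($isHighest -and $atLogon -and $actions) {
        Write-Output ("SUSPECT task: {0}{1} -> {2} {3}" -f $task.TaskPath, $task.TaskName, $actions[0].Execute, $actions[0].Arguments)
    }
}

# 4. DLL sideloading staging: an .exe sitting next to a .dll in TEMP or one of its
#    subfolders (the article describes a ZIP unpacked there). A valid Authenticode
#    signature on the .exe does not clear it; that is the whole point of sideloading.
$dirs = @(Get-Item $env:TEMP) + @(Get-ChildItem -Path $env:TEMP -Directory -ErrorAction SilentlyContinue)
foreach ($d in $dirs) {
    $exe = @(Get-ChildItem $d.FullName -Filter *.exe -File -ErrorAction SilentlyContinue)
    $dll = @(Get-ChildItem $d.FullName -Filter *.dll -File -ErrorAction SilentlyContinue)
    if ($exe.Count -gt 0 -and $dll.Count -gt 0) {
        $sig = Get-AuthenticodeSignature $exe[0].FullName
        Write-Output ("REVIEW: {0} has {1} (signature: {2}) beside {3} DLL(s): {4}" -f
            $d.FullName, $exe[0].Name, $sig.Status, $dll.Count, ($dll.Name -join ', '))
    }
}
```

Run it in an elevated PowerShell session so Get-MpPreference and the full task list are readable. Every finding is a lead, not a verdict: developer machines legitimately carry large GPUs, Defender exclusions and logon tasks, so correlate hits across the four checks and with the published YARA rules and IOCs before acting.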

The GPUGate campaign is still a threat

The researchers dubbed this malware GPUGate, due to its GPU‑gated decryption / analysis avoidance routine.

“Based on the malicious activity we’ve observed so far, the targets are primarily workers in the IT sector, which accounts for their interest in downloading GitHub Desktop,” the researchers noted.

“These individuals often serve as gatekeepers to highly sensitive codebases, deployment pipelines, and infrastructure credentials. Successful compromise could enable supply chain attacks, credential theft, codebase manipulation, and lateral movement within enterprise networks.”

The malvertising and geofencing currently in use point to the attackers specifically targeting EU countries.

The campaign is still active and is likely to continue – the attackers made sure to have multiple redundant C2 domains and IP addresses across different hosting providers.

Arctic Wolf has also shared indicators of compromise related to this campaign, YARA rules for detecting fake GitHub Desktop Windows installers, and security recommendations for organizations and targeted individuals.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.