GitHub is being abused to distribute the Lumma Stealer information-stealing malware as faux fixes posted in mission feedback.
The marketing campaign was first reported by a contributor to the teloxide rust library, who famous on Reddit that they acquired 5 totally different feedback of their GitHub points that pretended to be fixes however have been as a substitute pushing malware.
Additional overview by BleepingComputer discovered hundreds of comparable feedback posted to a variety of tasks on GitHub, all providing faux fixes to different folks’s questions.
The answer tells folks to obtain a password-protected archive from mediafire.com or by way of a bit.ly URL and run the executable inside it. Within the present marketing campaign, the password has been “changeme” in all of the feedback we have now seen.
Reverse engineer Nicholas Sherlock informed BleepingComputer that over 29,000 feedback pushing this malware had been posted over a 3-day interval.
Faux reply to a GitHub situation pushing the Lumma Stealer malware Supply: Andrey Brusnik
Clicking on the hyperlink brings guests to a obtain web page for a file referred to as ‘repair.zip,’ which incorporates a number of DLL information and an executable named x86_64-w64-ranlib.exe.
Archive containing the Lumma Stealer installer Supply: BleepingComputer
Working the executable on Any.Run signifies it’s the Lumma Stealer information-stealing malware.
Lumma Stealer is a complicated information stealer that, when executed, makes an attempt to steal cookies, credentials, passwords, bank cards, and searching historical past from Google Chrome, Microsoft Edge, Mozilla Firefox, and different Chromium browsers.
The malware may also steal cryptocurrency wallets, non-public keys, and textual content information with names like seed.txt, move.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, phrases, pockets.txt, *.txt, and *.pdf, as these are more likely to comprise non-public crypto keys and passwords.
This information is collected into an archive and despatched again to the attacker, the place they will use the knowledge in additional assaults or promote it on cybercrime marketplaces.
Whereas GitHub Workers has been deleting these feedback as they’re detected, folks have already reported falling for the assault.
For individuals who ran the malware, you will need to change the passwords at all of your accounts utilizing a novel password for every web site and migrate cryptocurrency to a brand new pockets.
Final month, Verify Level Analysis disclosed an analogous marketing campaign by the Stargazer Goblin menace actors, who created a malware Distribution-as-a-Service (DaaS) from over 3,000 faux accounts on GitHub to push information-stealing malware.
It’s unclear if this is similar marketing campaign or a brand new one carried out by totally different menace actors.
GitHub feedback abused to push password stealing malware masked as fixes
GitHub is being abused to distribute the Lumma Stealer information-stealing malware as faux fixes posted in mission feedback.
The marketing campaign was first reported by a contributor to the teloxide rust library, who famous on Reddit that they acquired 5 totally different feedback of their GitHub points that pretended to be fixes however have been as a substitute pushing malware.
Additional overview by BleepingComputer discovered hundreds of comparable feedback posted to a variety of tasks on GitHub, all providing faux fixes to different folks’s questions.
The answer tells folks to obtain a password-protected archive from mediafire.com or by way of a bit.ly URL and run the executable inside it. Within the present marketing campaign, the password has been “changeme” in all of the feedback we have now seen.
Reverse engineer Nicholas Sherlock informed BleepingComputer that over 29,000 feedback pushing this malware had been posted over a 3-day interval.
Supply: Andrey Brusnik
Clicking on the hyperlink brings guests to a obtain web page for a file referred to as ‘repair.zip,’ which incorporates a number of DLL information and an executable named x86_64-w64-ranlib.exe.
Supply: BleepingComputer
Working the executable on Any.Run signifies it’s the Lumma Stealer information-stealing malware.
Lumma Stealer is a complicated information stealer that, when executed, makes an attempt to steal cookies, credentials, passwords, bank cards, and searching historical past from Google Chrome, Microsoft Edge, Mozilla Firefox, and different Chromium browsers.
The malware may also steal cryptocurrency wallets, non-public keys, and textual content information with names like seed.txt, move.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, phrases, pockets.txt, *.txt, and *.pdf, as these are more likely to comprise non-public crypto keys and passwords.
This information is collected into an archive and despatched again to the attacker, the place they will use the knowledge in additional assaults or promote it on cybercrime marketplaces.
Whereas GitHub Workers has been deleting these feedback as they’re detected, folks have already reported falling for the assault.
For individuals who ran the malware, you will need to change the passwords at all of your accounts utilizing a novel password for every web site and migrate cryptocurrency to a brand new pockets.
Final month, Verify Level Analysis disclosed an analogous marketing campaign by the Stargazer Goblin menace actors, who created a malware Distribution-as-a-Service (DaaS) from over 3,000 faux accounts on GitHub to push information-stealing malware.
It’s unclear if this is similar marketing campaign or a brand new one carried out by totally different menace actors.