Threat actors frequently target GitHub users because the platform hosts an abundance of valuable code repositories and sensitive information. GitHub's collaborative nature also makes it an attractive target for threat actors seeking to gather intelligence on organizations and their development practices.
G DATA CyberDefense analysts recently discovered an active campaign, dubbed "Gitgub", that uses GitHub repositories to deliver the RisePro stealer and harvest credentials from GitHub users.
All about the GitHub Campaign
The RisePro stealer delivered in this campaign uses encrypted strings and a heavily bloated installer to thwart reverse-engineering tools. By the time of analysis, "Gitgub" had exfiltrated over 700 archives of stolen data to Telegram.
In this RisePro stealer campaign, 13 repositories featured README lures offering cracked software, decorated with green Unicode circles that imitate build-status indicators and create an impression of recent activity. On GitHub, such red and green indicators normally reflect real build outcomes.
The download link in the READMEs is the same across all repositories (defanged, with the host as given in the source):
hxxps://site/INSTALLER%20PASSWORD.rar
The victim unpacks nested password-protected archives using the password "GIT1HUB1FREE"; the first executable inside is "Installer_Mega_v0.7.4t.msi". Inspecting the MSI in Orca shows that it unpacks the next stage with the password "LBjWCsXKUz1Gwhg", which culminates in the final payload "Installer-Ultimate_v4.3e.9b.exe".
At 699 MB, Installer-Ultimate_v4.3e.9b.exe crashes common analysis tools. In PortexAnalyzer the file shows non-trivial bloat with high entropy and no overlay. Yet the original archive is only about 70 MB, which means the bloat, despite its entropy, compresses well and must therefore be built from a repeating pattern.
Visualizing the file revealed repeating blocks of 0x1C0 bytes with unique 0x2D-byte blocks interspersed. The repetition is what makes the file compressible, while the block content keeps the entropy high once unpacked.
The bloat lives in a resource named MICROSOFTVISUALSTUDIODEBUGGERI, which accounts for 0x2b85418f bytes (about 730 million bytes). Removing that resource shrinks the file from 699 MB to 3.43 MB.
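The triage the analysts describe, high entropy paired with a suspiciously small archive, can be turned into a scriptable check. The following Python is an added example and is not G DATA's tooling: it measures the Shannon entropy and the zlib compressibility of a buffer, estimates the repetition period by looking for the next occurrence of short probes, and classifies the buffer from those two signals. The sample buffer is constructed inside the script to mimic the layout described above (a fixed 0x1C0-byte block repeated, with 0x2D fresh bytes after each repeat); the entropy and ratio thresholds are assumptions, not values from the report.

```python
import math
import random
import zlib
from collections import Counter

BLOCK_LEN = 0x1C0          # size of the repeating block reported by the analysts
UNIQUE_LEN = 0x2D          # size of the unique block interspersed between repeats
ENTROPY_THRESHOLD = 7.0    # assumption: bits/byte above which data looks packed/encrypted
RATIO_THRESHOLD = 0.5      # assumption: compressed/original ratio below which data is repetitive


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = perfectly uniform byte histogram)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def compression_ratio(buf: bytes) -> float:
    """zlib output size divided by input size; about 1.0 means incompressible."""
    return len(zlib.compress(buf, 6)) / len(buf)


def find_period(buf: bytes, probe_len: int = 16, probes: int = 64, stride: int = 64):
    """Estimate the repetition period: take short probes near the start of the
    buffer and record the distance to their next occurrence. Probes that land in
    a unique block (or straddle a boundary) never recur and are ignored, so the
    most common distance is the period of the repeating pattern.
    Returns None when nothing repeats."""
    distances = Counter()
    for i in range(probes):
        start = i * stride
        probe = buf[start:start + probe_len]
        if len(probe) < probe_len:
            break
        nxt = buf.find(probe, start + probe_len)
        if nxt != -1:
            distances[nxt - start] += 1
    if not distances:
        return None
    return distances.most_common(1)[0][0]


def classify(buf: bytes) -> str:
    """Repeating bloat keeps entropy high yet compresses well; genuinely random
    or encrypted data is high-entropy and incompressible."""
    h = shannon_entropy(buf)
    r = compression_ratio(buf)
    if h >= ENTROPY_THRESHOLD and r < RATIO_THRESHOLD:
        return "REPEATING_BLOCK_BLOAT"
    if h >= ENTROPY_THRESHOLD:
        return "RANDOM_OR_ENCRYPTED"
    return "LOW_ENTROPY"


def random_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_bloat_sample(units: int = 128, seed: int = 1337) -> bytes:
    """Constructed stand-in for the bloated resource: one fixed random block of
    BLOCK_LEN bytes repeated, each repeat followed by UNIQUE_LEN fresh bytes."""
    rng = random.Random(seed)
    block = random_bytes(rng, BLOCK_LEN)
    return b"".join(block + random_bytes(rng, UNIQUE_LEN) for _ in range(units))


# Constructed samples: the bloat pattern, plain random data, and low-entropy text.
BLOAT = build_bloat_sample()
RANDOM = random_bytes(random.Random(42), 64 * 1024)
TEXT = b"This program cannot be run in DOS mode.\r\n" * 1024


def triage(buf: bytes) -> dict:
    """Summarise the three signals for one buffer."""
    return {
        "entropy": round(shannon_entropy(buf), 2),
        "ratio": round(compression_ratio(buf), 3),
        "period": find_period(buf),
        "verdict": classify(buf),
    }


if __name__ == "__main__":
    for name, sample in (("bloat", BLOAT), ("random", RANDOM), ("text", TEXT)):
        print(name, triage(sample))
```

On a real sample, feed triage() the raw bytes of the oversized resource (or of each section) rather than the whole file; a verdict of REPEATING_BLOCK_BLOAT together with a small period is the signal that the resource can be dropped or truncated before the file is handed to tools that choke on its size.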
The InnoSetup signature turned out to be fake: the file is a .NET assembly. Its metadata also breaks the CLI specification. It carries two #Blob and two #Strings streams, where the spec allows exactly one of each, plus a #Schema stream that is not part of the CLI at all.
Three streams declared an invalid size of 1 byte and pointed to the same offset, most likely to confuse parsers.
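The stream-header anomalies are visible directly in the metadata root, and a few dozen lines of parsing are enough to flag them. The following Python is an added example; it is not G DATA's tooling and not a reproduction of the malware. It parses the CLI metadata root as laid out in ECMA-335 (BSJB signature, version string, stream count, then offset/size/name per stream) and reports duplicate or non-standard stream names, suspiciously small sizes, several headers sharing one offset, and ranges that run past the end of the metadata. The sample headers are constructed inside the script to mimic the anomalies described above; their offsets and sizes are made up.

```python
import struct

METADATA_SIGNATURE = 0x424A5342  # "BSJB", start of the CLI metadata root
# Stream names defined by ECMA-335 II.24.2, plus #Pdb used by portable PDB metadata
STANDARD_STREAMS = {"#~", "#-", "#Strings", "#US", "#GUID", "#Blob", "#Pdb"}


def parse_metadata_root(data: bytes) -> dict:
    """Parse the metadata root (ECMA-335 II.24.2.1) and its stream headers.
    Offsets in the headers are relative to the start of the root."""
    sig, major, minor, _reserved, ver_len = struct.unpack_from("<IHHII", data, 0)
    if sig != METADATA_SIGNATURE:
        raise ValueError("not a CLI metadata root (BSJB signature missing)")
    pos = 16
    version = data[pos:pos + ver_len].split(b"\0", 1)[0].decode("utf-8", "replace")
    pos += ver_len
    _flags, nstreams = struct.unpack_from("<HH", data, pos)
    pos += 4
    streams = []
    for _ in range(nstreams):
        offset, size = struct.unpack_from("<II", data, pos)
        pos += 8
        end = data.find(b"\0", pos)
        if end == -1:
            raise ValueError("unterminated stream name")
        name = data[pos:end].decode("ascii", "replace")
        pos = (end + 1 + 3) & ~3  # name is NUL-terminated and padded to 4 bytes
        streams.append({"name": name, "offset": offset, "size": size})
    return {"version": f"{major}.{minor}/{version}", "streams": streams}


def check_streams(root: dict, total_len: int) -> list:
    """Return human-readable findings for the kinds of anomaly described above."""
    findings = []
    seen = set()
    by_offset = {}
    for s in root["streams"]:
        name, off, size = s["name"], s["offset"], s["size"]
        if name not in STANDARD_STREAMS:
            findings.append(f"non-standard stream name {name!r}")
        if name in seen:
            findings.append(f"duplicate stream {name!r} (the CLI spec allows exactly one)")
        seen.add(name)
        if size <= 1:
            findings.append(f"stream {name!r} declares a suspiciously small size of {size} byte(s)")
        if off + size > total_len:
            findings.append(f"stream {name!r} runs past the end of metadata "
                            f"(0x{off:x}+0x{size:x} > 0x{total_len:x})")
        by_offset.setdefault(off, []).append(name)
    for off, names in by_offset.items():
        if len(names) > 1:
            findings.append(f"streams {names} share offset 0x{off:x}")
    return findings


def build_metadata_root(stream_specs, version=b"v4.0.30319\0", payload_len=0x300) -> bytes:
    """Construct a synthetic metadata root for testing (not taken from a real assembly).
    A zero-filled heap area follows the headers so that the offsets below are in range."""
    ver_len = (len(version) + 3) & ~3
    out = struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, ver_len)
    out += version.ljust(ver_len, b"\0")
    out += struct.pack("<HH", 0, len(stream_specs))
    for name, offset, size in stream_specs:
        encoded = name.encode("ascii") + b"\0"
        out += struct.pack("<II", offset, size)
        out += encoded.ljust((len(encoded) + 3) & ~3, b"\0")
    return out + bytes(payload_len)


# Constructed sample mimicking the anomalies: duplicate #Strings and #Blob,
# a non-CLI #Schema stream, and three headers with size 1 at one shared offset.
MALFORMED = build_metadata_root([
    ("#~", 0xA0, 0x100),
    ("#Strings", 0x1A0, 0x80),
    ("#US", 0x220, 0x20),
    ("#GUID", 0x240, 0x10),
    ("#Blob", 0x250, 0x40),
    ("#Strings", 0x290, 1),
    ("#Blob", 0x290, 1),
    ("#Schema", 0x290, 1),
])

# Constructed well-formed counterpart: one of each standard stream.
CLEAN = build_metadata_root([
    ("#~", 0xA0, 0x100),
    ("#Strings", 0x1A0, 0x80),
    ("#US", 0x220, 0x20),
    ("#GUID", 0x240, 0x10),
    ("#Blob", 0x250, 0x40),
])


def triage(data: bytes) -> list:
    """Parse a metadata root and return its list of findings (empty if clean)."""
    return check_streams(parse_metadata_root(data), len(data))


if __name__ == "__main__":
    for finding in triage(MALFORMED):
        print(finding)
```

To run this on a real assembly, slice the metadata root out of the image at the RVA recorded in the CLI header's MetaData directory entry and pass those bytes to triage(). Because the check only reads the headers, it works even when the heaps themselves are deliberately inconsistent and a full .NET parser refuses the file.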
The ModuleRef table references 727 DLLs whose names are pairs of dictionary words; the only genuine entry is kernel32. The assembly is further obfuscated with .NET Reactor 6 in virtualization mode, so the analysts had to write a custom disassembler for it.
The loader connects to 176.113.115.227:56385 and injects the RisePro 1.6 stealer into either AppLaunch.exe or RegAsm.exe. This RisePro build decrypts its strings with custom XOR routines instead of the xorstr library.
In place of xorstr's vectorized scheme, it ships multiple hardcoded decryption functions, one per string length.
Because the C2 on TCP port 50500 was still active, the researchers could decrypt RisePro's network traffic with a Python script. The configuration packet revealed the enabled grabber components, a Telegram bot API token and a message template.
A further packet, Base64-encoded, contained a ZIP archive of data collected from the analysis machine. More than 700 such archives had been exfiltrated to two Telegram channels; the channel names and the C2 IP addresses point to a Russia-based operation.
Gitgub Campaign Repositories
The following repositories belong to the Gitgub campaign:
- andreastanaj/AVAST
- andreastanaj/Sound-Booster
- aymenkort1990/fabfilter
- BenWebsite/-IObit-Smart-Defrag-Crack
- Faharnaqvi/VueScan-Crack
- javisolis123/Voicemod
- lolusuary/AOMEI-Backupper
- lolusuary/Daemon-Tools
- lolusuary/EaseUS-Partition-Master
- lolusuary/SOOTHE-2
- mostofakamaljoy/ccleaner
- rik0v/ManyCam
- Roccinhu/Tenorshare-Reiboot
- Roccinhu/Tenorshare-iCareFone
- True-Oblivion/AOMEI-Partition-Assistant
- vaibhavshiledar/droidkit
- vaibhavshiledar/TOON-BOOM-HARMONY
IoCs