No Comments

GitHub comments exploited to distribute password-stealing malware disguised as fixes

 

GitHub is currently being misused to distribute the Lumma Stealer, an information-stealing malware, through fake fixes posted in project comments.

The campaign was at first identified by a contributor to the teloxide Rust library, who reported on Reddit that they had received five comments on their GitHub issues that appeared to be fixes but were actually spreading malware.

Further investigation by BleepingComputer uncovered thousands of similar comments across various GitHub projects, all offering fake fixes in response to user questions.

The malicious comments direct users to download a password-protected archive from mediafire.com or via a bit.ly URL, with instructions to run an executable inside it. In this campaign, the password used in the comments has consistently been “changeme.”

Reverse engineer Nicholas Sherlock informed BleepingComputer that over 29,000 such comments had been posted within a 3-day period.

Fake answer to a GitHub issue pushing the LummaStealer malware
Fake answer to a GitHub issue pushing the Lumma Stealer malware
Source: Andrey Brusnik

Clicking the link takes users to a download page for a file named ‘fix.zip’. Which contains several DLL files and an executable labeled x86_64-w64-ranlib.exe.

Archive containing the LummaStealer installer
Archive containing the Lumma Stealer installer
Source: BleepingComputer

Executing this file on Any.Run reveals it to be the Lumma Stealer, an advanced info stealer that targets:

  • cookies,
  • credentials,
  • passwords,
  • credit cards,
  • and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.

Additionally, the malware can steal cryptocurrency wallets, private keys, and text files with specific names like seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt, *.txt, and *.pdf, which are likely to contain sensitive crypto keys and passwords.

The stolen data is compiled into an archive and sent to the attacker. Who can use it for further attacks or sell it on cybercrime marketplaces.

While GitHub staff have been actively removing these comments as they are discovered. Some users have already reported falling victim to the attack.

For those who have run the malware, it is crucial to change the passwords for all accounts, ensuring each site uses a unique password, and to transfer cryptocurrency to a new wallet.

Last month, Check Point Research revealed a similar campaign by the Stargazer Goblin threat actors, who leveraged over 3,000 fake GitHub accounts to distribute information-stealing malware through a Malware Distribution-as-a-Service (DaaS) model.

It remains unclear whether this is part of the same campaign or a new operation by different threat actors.

 


Source: BleepingComputer,

You might also like

More Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.