Recently, Check Point Research observed threat actors using GitHub to achieve initial infections by utilizing new methods.
Previously, GitHub was used to distribute malicious software directly, with a malicious script downloading either raw encrypted scripting code or malicious executables. Their tactics have now changed and evolved. Threat actors now operate a network of “Ghost” accounts that distribute malware via malicious links on their repositories and encrypted archives as releases. This network not only distributes malware but also provides various other activities that make these “Ghost” accounts appear as normal users.
Read more…
Source: Check Point
Related:
- SapphireStealer: Open-source information stealer enables credential and data theft
August 31, 2023
SapphireStealer, an open-source information stealer, has been observed across public malware repositories with increasing frequency since its initial public release in December 2022. Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related ...
- New hierarchy, heightened threat: Classiscam’s sustained global campaign
August 31, 2023
Classiscam was initially launched as a relatively straightforward scam operation. Cybercriminals created fake ads on marketplaces and classified sites, and leveraged social engineering techniques to trick users into “buying” the falsely-advertised goods or services, whether by transferring money directly to the scammers or by debiting money from the victim’s bank card. Over time, Classiscam schemes have ...
- UK: National Grid plots ‘honeypots’ to catch hackers as cyber attacks ramp up
August 30, 2023
National Grid is to set “honeypots” and plant false documents online as part of efforts to counter a surge in cyber attackers. The Grid has advertised a contract worth more than a million pounds to secure advanced cyber “deception” technology to help improve its digital defences. The London-listed infrastructure provider, which runs Britain’s electricity network and ...
- CISA and FBI Publish Joint Advisory on QakBot Infrastructure
August 30, 2023
Today, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), Identification and Disruption of QakBot Infrastructure, to help organizations detect and protect against newly identified QakBot-related activity and malware. QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally. Originally used ...
- Exploring the Inner Workings of DuckTail
August 30, 2023
In their persistent quest to decode DuckTail’s maneuvers, Zscaler ThreatLabz began an intelligence collection operation in May 2023. Through an intensive three-month period of monitoring, Zscaler researchers obtained critical details about DuckTail’s operational framework. This expedition granted them unprecedented visibility into DuckTail’s end-to-end operations, spanning the entire kill chain from reconnaissance to post-compromise. Zscaler team yielded valuable ...
- For the win? Offensive research contests on criminal forums
August 29, 2023
If you’re a security researcher who wants to share your innovations and insights with the wider community (and gain some peer recognition into the bargain), you’ve got a few options: present at conferences; write papers, blogs etc. The legitimate side of the house is awash with opportunities. But what if you’re a threat actor, whose research ...