A threat actor tracked as Stargazer Goblin built a Distribution-as-a-Service (DaaS) to deliver malware, mostly infostealers, through more than 3,000 fake GitHub accounts. In the most recent campaign, the repositories led unsuspecting victims to compromised WordPress sites. GitHub has closed most of the accounts, but a few are still active.
Stargazers Ghost Network
The DaaS, known as the Stargazers Ghost Network, has been active since August 2022. Stargazer Goblin has created hundreds of repositories using over 3,000 fake GitHub accounts. The repositories use project names and tags tied to specific categories, including games, social media, and cryptocurrencies. The fake accounts are divided by role: one cluster provides the phishing template, another provides the phishing image, and a third serves the malware.
Because GitHub is widely trusted, unsuspecting victims pay little attention and click the links in the repositories, which are typically advertised on Google+, Telegram, or YouTube. In the latter case, the repository links are included in the video description. According to Check Point, the operator has so far earned over 100,000 dollars from selling accounts (prices vary according to the number of stars).
In the latest malware campaign, users are encouraged to download a password-protected ZIP archive from a compromised WordPress site. Inside is an HTA file containing VBScript. When opened, the script executes two PowerShell scripts in succession, the last of which drops Atlantida Stealer. Other infostealers distributed through the network are RedLine, Lumma Stealer, Rhadamanthys, and RisePro. GitHub has removed the majority of the accounts, but about 200 are still active.
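The infection chain above (HTA opened by the user, then PowerShell launched in a row) leaves a recognisable parent/child pattern in process-creation telemetry. The following detection logic is an added example written for this article, not code from Check Point or from the report; it runs over constructed, simplified Sysmon-style events (the PIDs, paths and command lines are made up, and the encoded-command argument is a placeholder, not a real payload) and flags every mshta.exe process that has powershell.exe among its descendants, noting which evasion-style flags those PowerShell instances carry.

```python
"""Flag HTA -> PowerShell process chains in process-creation telemetry.

Added example for this article; the events below are constructed
(simplified Sysmon Event ID 1 fields), not real telemetry.
"""
from collections import defaultdict

PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample: explorer -> mshta (the HTA) -> powershell -> powershell,
# plus an unrelated PowerShell launched directly from explorer (benign control).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 10, "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": 'mshta.exe "C:\\Users\\bob\\Downloads\\setup\\Installer.hta"'},
    {"pid": 300, "ppid": 200, "image": PS_IMAGE,
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc PLACEHOLDER_BASE64"},
    {"pid": 400, "ppid": 300, "image": PS_IMAGE,
     "cmdline": "powershell.exe -ep bypass -File C:\\Users\\bob\\AppData\\Local\\Temp\\stage2.ps1"},
    {"pid": 500, "ppid": 100, "image": PS_IMAGE,
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

# Command-line switches commonly seen on script-launched PowerShell; their
# presence raises the severity of a finding but is not required for a match.
SUSPICIOUS_PS_FLAGS = (
    "-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
    "-ep bypass", "-executionpolicy bypass", "-nop",
)


def _basename(image):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _suspicious_flags(cmdline):
    """List the suspicious switches present in a PowerShell command line."""
    low = cmdline.lower()
    return [flag for flag in SUSPICIOUS_PS_FLAGS if flag in low]


def detect_hta_powershell_chains(events):
    """Return one finding per mshta.exe process with powershell.exe descendants.

    Each finding lists every PowerShell descendant (any depth), so a two-stage
    chain like the one in the article produces a single finding with two
    PowerShell entries rather than two separate alerts.
    """
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])

    findings = []
    for e in events:
        if _basename(e["image"]) != "mshta.exe":
            continue
        # Depth-first walk over all descendants of this mshta.exe process.
        stack = list(children[e["pid"]])
        ps_chain = []
        while stack:
            pid = stack.pop()
            proc = by_pid[pid]
            if _basename(proc["image"]) == "powershell.exe":
                ps_chain.append({"pid": pid,
                                 "cmdline": proc["cmdline"],
                                 "flags": _suspicious_flags(proc["cmdline"])})
            stack.extend(children[pid])
        if ps_chain:
            ps_chain.sort(key=lambda c: c["pid"])
            findings.append({"hta_pid": e["pid"],
                             "hta_cmdline": e["cmdline"],
                             "powershell": ps_chain})
    return findings


if __name__ == "__main__":
    for finding in detect_hta_powershell_chains(SAMPLE_EVENTS):
        print(f"mshta.exe pid {finding['hta_pid']}: {finding['hta_cmdline']}")
        for stage in finding["powershell"]:
            print(f"  -> powershell pid {stage['pid']} flags={stage['flags']}")
```

The walk is keyed on the process tree rather than on direct parent/child pairs, so the second PowerShell stage (a grandchild of mshta.exe) is attributed to the same HTA launch; the PowerShell started directly from explorer.exe is left alone. In production the same logic would consume Sysmon or EDR process-creation events instead of the constructed list.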