Authored by Aayush Tyagi
Online game hacks, cracked software program, and free crypto instruments stay well-liked bait for malware authors. Not too long ago, McAfee Labs uncovered a number of GitHub repositories providing these tempting “rewards,” however a more in-depth look reveals one thing extra sinister. Because the saying goes, if it appears too good to be true, it most likely is.
GitHub is usually exploited for malware distribution attributable to its accessibility, trustworthiness, and developer-friendly options. Attackers can simply create free accounts and host repositories that seem professional, leveraging GitHub’s status to deceive customers.
McAfee Labs encountered a number of repositories, providing recreation hacks for top-selling video video games akin to Apex Legends, Minecraft, Counter Strike 2.0, Roblox, Valorant,
Fortnite, Name of Obligation, GTA V and or providing cracked variations of well-liked software program and providers, akin to Spotify Premium, FL Studio, Adobe Categorical, SketchUp Professional, Xbox Sport Cross, and Discord to call a number of.
Government abstract
These assault chains start when customers would seek for Sport Hacks, cracked software program or instruments associated to Cryptocurrency on the web, the place they’d ultimately come throughout GitHub repositories or YouTube Movies resulting in such GitHub repositories, providing such software program.
We seen a community of such repositories the place the outline of software program retains on altering, however the payload stays the identical: a Lumma Stealer variant. Each week, a brand new set of repositories with a brand new malware variant is launched, because the older repositories are detected and eliminated by GitHub. These repositories additionally embody distribution licenses and software program screenshots to reinforce their look of legitimacy.
Determine 1: Assault Vector
These repositories additionally comprise directions on learn how to obtain and run the malware and ask the consumer to disable Home windows Defender or any AV software program, earlier than downloading the malware. They supply the reasoning that, for the reason that software program is said to recreation hacks or by-passing software program authentication or crypto-currency mining, AV merchandise will detect and delete these functions.
This social engineering method, mixed with the trustworthiness of GitHub works effectively within the favor of malware authors, enabling them to contaminate extra customers.
Kids are often focused by such scams, as malware authors exploit their curiosity in recreation hacks by highlighting potential options and advantages, making it simpler to contaminate extra methods.
Technical Evaluation
As mentioned above, the customers would come throughout malicious repositories via looking the web (highlighted in crimson).
Determine 2: Web Search exhibiting GitHub outcomes.
Or via YouTube movies, that comprise a hyperlink to the repository within the description (highlighted in crimson).
Determine 3: YouTube Video containing malicious URL in description.
As soon as the consumer accesses the GitHub repository, it accommodates a Distribution license and different supporting information, to trick the consumer into considering that the repository is real and credible.
Determine 4: GitHub repository containing Distribution license.
Repositories additionally comprise an in depth description of the software program and set up course of additional manipulating the consumer.
Determine 5: Obtain directions current within the repository.
Generally, the repositories comprise directions to disable AV merchandise, deceptive customers to contaminate themselves with the malware.
Determine 6: Directions to disable Home windows Defender.
To focus on extra youngsters, repositories comprise an in depth description of the software program; by highlighting all of the options included throughout the bundle, akin to Aimbots and Pace Hacks, and the way simply they may be capable of achieve a bonus over their opponents.
They even point out that the bundle comes with advance Anti-Ban system, so their account gained’t be suspended, and that the software program has a well-liked group, to create a notion that, since a number of customers are already utilizing this software program, it have to be protected to make use of and that, by not utilizing the software program, they’re lacking out.
Determine 7: Options talked about within the GitHub repository.
The downloaded information, usually, had been Lumma Stealer variants, however observing the newest repositories, we seen new malware variants had been additionally being distributed via the identical an infection vector.
As soon as the consumer downloads the file, they get the next set of information.
Determine 8: Recordsdata downloaded from GitHub repository.
On operating the ‘Loader.exe’ file, as instructed, it iterates via the system and the registry keys to gather delicate info.
Determine 9: Loader.exe checking for Login credentials for Chrome.
It searches for crypto wallets and password associated information. It searches for a listing of browsers put in and iterates via consumer information, to collect something helpful.
Determine 10: Loader.exe checking for Browsers put in on the system.
Then the malware connects to C2 servers to switch information.
Determine 11: Loader.exe connecting to C2 servers to switch information.
This conduct is much like the Lumma Stealer variants now we have seen earlier.
Detection and Mitigation Methods
McAfee blocks this an infection chain at a number of phases:
- URL blocking of the GitHub repository.
Determine 12: McAfee blocking URLs
- Detecting downloaded malware.
Determine 13: McAfee blocking the malicious file
Conclusion and Suggestions
In conclusion, the GitHub repository an infection chain demonstrates how cybercriminals exploit accessibility and trustworthiness of well-liked web sites akin to GitHub, to distribute malware like Lumma Stealer. By leveraging the consumer’s want to make use of recreation hacks, to be higher at a sure online game or receive licensed software program at no cost, they trick customers into infecting themselves.
At McAfee Labs, we’re dedicated to serving to organizations shield themselves towards refined cyber threats, such because the GitHub repository method. Listed here are our beneficial mitigations and remediations:
- Kids are normally the prime targets for such scams, it is very important educate the younger ones and train them learn how to keep away from such fishy web sites.
- Conduct common coaching periods to teach customers about social engineering ways and phishing schemes.
- Set up and preserve up to date antivirus and anti-malware software program on all endpoints.
- Use community segmentation to restrict the unfold of malware throughout the group.
- Guarantee all working methods, software program, and functions are stored updated with the newest safety patches.
- Keep away from downloading cracked software program or visiting suspicious web sites.
- Confirm URLs in emails, particularly from unknown or surprising sources.
- Preserve antivirus options up to date and actively scanning.
- Keep away from downloading Sport hacks or Crypto software program from unofficial web sites.
- If potential, learn critiques concerning the software program you’re downloading and see what different customers are saying concerning the malware.
- Frequently patch browsers, working methods, and functions.
- Monitor the Temp folder for uncommon or suspicious information.
Indicators of Compromise (IoCs)
As of publishing this weblog, these are the GitHub repositories which can be presently energetic.
| File Sort | SHA256/URLs |
| URLs | github[.]com/632763276327ermwhatthesigma/hack-apex-1egend |
| github[.]com/VynnProjects/h4ck-f0rtnite | |
| github[.]com/TechWezTheMan/Discord-AllinOne-Software | |
| github[.]com/UNDERBOSSDS/ESET-KeyGen-2024 | |
| github[.]com/Rinkocuh/Dayz-Cheat-H4ck-A1mb0t | |
| github[.]com/Magercat/Al-Photoshop-2024 | |
| github[.]com/nate24321/minecraft-cheat2024 | |
| github[.]com/classroom-x-games/counter-str1ke-2-h4ck | |
| github[.]com/LittleHa1r/ESET-KeyGen-2024 | |
| github[.]com/ferhatdermaster/Adobe-Categorical-2024 | |
| github[.]com/CrazFrogb/23fasd21/releases/obtain/loader/Loader[.]Github[.]zip | |
| github[.]com/flashkiller2018/Black-Ops-6-Cheats-including-Unlocker-Software-and-RICOCHET-Bypass | |
| github[.]com/Notalight/h4ck-f0rtnite | |
| github[.]com/Ayush9876643/r0blox-synapse-x-free | |
| github[.]com/FlqmzeCraft/cheat-escape-from-tarkov | |
| github[.]com/Ayush9876643/cheat-escape-from-tarkov | |
| github[.]com/Ayush9876643/rust-hack-fr33 | |
| github[.]com/ppetriix/rust-hack-fr33 | |
| github[.]com/Ayush9876643/Roblox-Blox-Fruits-Script-2024 | |
| github[.]com/LandonPasana21/Roblox-Blox-Fruits-Script-2024 | |
| github[.]com/Ayush9876643/Rainbow-S1x-Siege-Cheat | |
| github[.]com/Ayush9876643/SonyVegas-2024 | |
| github[.]com/123456789433/SonyVegas-2024 | |
| github[.]com/Ayush9876643/Nexus-Roblox | |
| github[.]com/cIeopatra/Nexus-Roblox | |
| github[.]com/Ayush9876643/m0dmenu-gta5-free | |
| github[.]com/GerardoR17/m0dmenu-gta5-free | |
| github[.]com/Ayush9876643/minecraft-cheat2024 | |
| github[.]com/RakoBman/cheat-apex-legends-download | |
| github[.]com/Ayush9876643/cheat-apex-legends-download | |
| github[.]com/cIiqued/FL-Studio | |
| github[.]com/Ayush9876643/FL-Studio | |
| github[.]com/Axsle-gif/h4ck-f0rtnite | |
| github[.]com/Ayush9876643/h4ck-f0rtnite | |
| github[.]com/SUPAAAMAN/m0dmenu-gta5-free | |
| github[.]com/atomicthefemboy/cheat-apex-legends-download | |
| github[.]com/FlqmzeCraft/cheat-escape-from-tarkov | |
| github[.]com/Notalight/h4ck-f0rtnite | |
| github[.]com/Notalight/FL-Studio | |
| github[.]com/Notalight/r0blox-synapse-x-free | |
| github[.]com/Notalight/cheat-apex-legends-download | |
| github[.]com/Notalight/cheat-escape-from-tarkov | |
| github[.]com/Notalight/rust-hack-fr33 | |
| github[.]com/Notalight/Roblox-Blox-Fruits-Script-2024 | |
| github[.]com/Notalight/Rainbow-S1x-Siege-Cheat | |
| github[.]com/Notalight/SonyVegas-2024 | |
| github[.]com/Notalight/Nexus-Roblox | |
| github[.]com/Notalight/minecraft-cheat2024 | |
| github[.]com/Notalight/m0dmenu-gta5-free | |
| github[.]com/ZinkosBR/r0blox-synapse-x-free | |
| github[.]com/ZinkosBR/cheat-escape-from-tarkov | |
| github[.]com/ZinkosBR/rust-hack-fr33 | |
| github[.]com/ZinkosBR/Roblox-Blox-Fruits-Script-2024 | |
| github[.]com/ZinkosBR/Rainbow-S1x-Siege-Cheat | |
| github[.]com/ZinkosBR/Nexus-Roblox | |
| github[.]com/ZinkosBR/m0dmenu-gta5-free | |
| github[.]com/ZinkosBR/minecraft-cheat2024 | |
| github[.]com/ZinkosBR/h4ck-f0rtnite | |
| github[.]com/ZinkosBR/FL-Studio | |
| github[.]com/ZinkosBR/cheat-apex-legends-download | |
| github[.]com/EliminatorGithub/counter-str1ke-2-h4ck | |
| Github[.]com/ashishkumarku10/call-0f-duty-warz0ne-h4ck | |
| EXEs | CB6DDBF14DBEC8AF55986778811571E6 |
| C610FD2A7B958E79F91C5F058C7E3147 | |
| 3BBD94250371A5B8F88B969767418D70 | |
| CF19765D8A9A2C2FD11A7A8C4BA3DEDA | |
| 69E530BC331988E4E6FE904D2D23242A | |
| 35A2BDC924235B5FA131095985F796EF | |
| EB604E2A70243ACB885FE5A944A647C3 | |
| 690DBCEA5902A1613CEE46995BE65909 | |
| 2DF535AFF67A94E1CDAD169FFCC4562A | |
| 84100E7D46DF60FE33A85F16298EE41C | |
| 00BA06448D5E03DFBFA60A4BC2219193 | |
| C2 Domains | 104.21.48.1 |
| 104.21.112.1 | |
| 104.21.16.1 |
