September 4, 2024 By Jennifer Gregory 3 min read

In the past, cyber criminals directly distributed malware on GitHub using encrypted scripting code or malicious executables. But now threat actors are turning to a new tactic to spread malware: creating ghost accounts.

A highly effective malware campaign

Check Point Research recently exposed a new distribution-as-a-service (DaaS) network, referred to as the Stargazers Ghost Network, that has been spreading malware on GitHub for at least a year. Because the accounts perform typical activities as well, users did not realize that the accounts were performing malicious activities.

By targeting users who wanted to increase their followers on YouTube, Twitch and Instagram, the ghost accounts distributed malicious links through Discord channels to the GitHub repositories. Because the malicious links go to content that is starred and verified, other users assume that the repositories are legitimate. However, the high number of stars is what tipped off Check Point researchers that the accounts were suspicious.

“In a short period of monitoring, we discovered more than 2,200 malicious repositories where ‘ghost’ activities were occurring. During a campaign that took place around January 2024, the network distributed Atlantida stealer, a new malware family that steals user credentials and cryptocurrency wallets along with other personally identifiable information (PII). This campaign was highly effective, as in less than four days, more than 1,300 victims were infected with Atlantida stealer,” wrote Antonis Terefos in the Check Point Research report.

By using three GitHub accounts working together, Stargazers Ghost Network manages to avoid detection by GitHub. The attack begins when a threat actor attaches a README.md file containing a phishing download link to an external repository’s release. One account serves the phishing repository template, while another account provides the phishing image template. The third account then serves the malware as a password-protected archive in a release, which is sometimes where the attack is detected, and then the third account is banned by GitHub. If that happens, then the threat actor starts the attack again with a new link in the first account.

Explore ransomware protection solutions

Dark web payouts

As part of the investigation, Terefos also discovered another part of the scheme — using the ghost accounts to make money on the dark web. CheckPoint estimates that malicious activity between mid-May and mid-June 2024 earned the Stargazers Ghost Network approximately $8,000. Over its entire lifespan, Check Point estimates the scheme brought in around $100,000.

On July 8, 2023, Terefos’s team discovered that the Stargazers Ghost Network had taken out a banner advertisement on the dark web. Cyber criminals could “hire” the ghost account for a wide range of services on GitHub, including starring, following, forking and watching both accounts and repositories. The prices for these services varied, such as $10 for starring 100 accounts and $2 to provide a trusted account with an “aged” repository. In addition to ad banners, the cyber criminals also used another typical marketing tactic: discounting. Threat actors who spend over $500 with Stargazers Ghost Network can get a discount on the services.

GitHub takes action

After learning about the 3,000 ghost accounts, GitHub took action to stop the spread of malware. “We disabled user accounts in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” Alexis Wales, Vice President of Security Operations at GitHub, told Wired. “We have teams dedicated to detecting, analyzing and removing content and accounts that violate these policies.”

However, Check Point researchers believe that they have just uncovered the beginning of the operations for Stargazer Goblin, which is the group organizing the network. The report explains that they think the universe of ghost accounts operates across many other platforms, including YouTube, Discord, Instagram and Facebook. Because these channels can also be used to distribute links and malware through posts, repositories, videos and tweets, Check Point thinks that these accounts are operating like the GitHub scheme, meaning that this is likely just the beginning of a new tactic.

“Future ghost accounts could potentially utilize artificial intelligence (AI) models to generate more targeted and diverse content, from text to images and videos. By considering targeted users’ replies, these AI-driven accounts could promote phishing material not only through standardized templates but also through customized responses tailored to real users’ needs and interactions. A new era of malware distribution is here, where we expect these types of operations to occur more frequently, making it increasingly difficult to distinguish legitimate content from malicious material,” concluded the Check Point report.

More from News

The rising threat of cyberattacks in the restaurant industry

2 min read - The restaurant industry has been hit with a rising number of cyberattacks in the last two years, with major fast-food chains as the primary targets. Here’s a summary of the kinds of attacks to strike this industry and what happened afterward. Data breaches have been a significant issue, with several large restaurant chains experiencing incidents that compromised the sensitive information of both employees and customers. In one notable case, a breach affected 183,000 people, exposing names, Social Security numbers, driver's…

DHS awards significant grant to improve tribal cybersecurity

4 min read - The Department of Homeland Security (DHS) has awarded $18.2 million in grants through the Tribal Cybersecurity Grant Program to boost cybersecurity defenses among Native American Indian Tribes. The program takes a big step in addressing the unique digital threats faced by tribal communities — a dedicated effort to improve cybersecurity infrastructure across these regions. The $18.2 million grant is just one component of DHS's broader strategy to enhance national cybersecurity. Administered by the Federal Emergency Management Agency (FEMA) in partnership…

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today