Author: Admin | 2025-04-28
Users access the GitHub repository, which contains a distribution license and other supporting files to trick them into thinking the repository is genuine and credible.

Figure 4: GitHub repository containing Distribution license.

The repositories also contain a detailed description of the software and of the installation process, further manipulating the user.

Figure 5: Download instructions present in the repository.

Sometimes the repositories contain instructions to disable AV products, misleading users into infecting themselves with the malware.

Figure 6: Instructions to disable Windows Defender.

To target more children, the repositories describe the software in detail, highlighting all the features included in the package, such as aimbots and speed hacks, and how easily users will be able to gain an advantage over their opponents. They even mention that the package comes with an advanced anti-ban system, so the user's account won't be suspended, and that the software has a popular community, to create the perception that, since many users are already using this software, it must be safe to use, and that by not using it they are missing out.

Figure 7: Features mentioned in the GitHub repository.

The downloaded files were, in most cases, Lumma Stealer variants, but in the latest repositories we observed new malware variants being distributed through the same infection vector. Once the user downloads the file, they get the following set of files.

Figure 8: Files downloaded from GitHub repository.

On running the ‘Loader.exe’ file, as instructed, it iterates through the system and the registry keys to collect sensitive information.

Figure 9: Loader.exe checking for Login credentials for Chrome.

It searches for crypto wallets and password-related files.
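The stealer behaviour this post describes (one process reading the credential stores and wallet files of several different applications and then contacting a C2 server) is a pattern defenders can hunt for in endpoint telemetry. The following is an added detection example, not code from the post or from McAfee. It runs over constructed sample events, and the artifact paths, owner process names, thresholds and the `timestamp|host|pid|image|action|target` event format are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint telemetry (not from the post).
# One event per line: timestamp|host|pid|image|action|target
SAMPLE_EVENTS = r"""
2025-04-28T10:00:01Z|PC1|4412|C:\Users\kid\Downloads\Loader.exe|reg_query|HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall
2025-04-28T10:00:02Z|PC1|4412|C:\Users\kid\Downloads\Loader.exe|file_read|C:\Users\kid\AppData\Local\Google\Chrome\User Data\Default\Login Data
2025-04-28T10:00:02Z|PC1|4412|C:\Users\kid\Downloads\Loader.exe|file_read|C:\Users\kid\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json
2025-04-28T10:00:03Z|PC1|4412|C:\Users\kid\Downloads\Loader.exe|file_read|C:\Users\kid\AppData\Roaming\Bitcoin\wallet.dat
2025-04-28T10:00:05Z|PC1|4412|C:\Users\kid\Downloads\Loader.exe|net_connect|203.0.113.10:443
2025-04-28T10:01:00Z|PC1|2200|C:\Program Files\Google\Chrome\Application\chrome.exe|file_read|C:\Users\kid\AppData\Local\Google\Chrome\User Data\Default\Login Data
2025-04-28T10:01:02Z|PC1|2200|C:\Program Files\Google\Chrome\Application\chrome.exe|net_connect|142.250.0.1:443
"""

# Credential/wallet artifacts a stealer typically reads, each with the process
# that legitimately owns it. Illustrative list (assumed), not exhaustive.
ARTIFACTS = [
    ("chrome_login_data", re.compile(r"\\google\\chrome\\user data\\.*\\login data$"), {"chrome.exe"}),
    ("chrome_cookies", re.compile(r"\\google\\chrome\\user data\\.*\\cookies$"), {"chrome.exe"}),
    ("firefox_logins", re.compile(r"\\mozilla\\firefox\\profiles\\.*\\logins\.json$"), {"firefox.exe"}),
    ("bitcoin_wallet", re.compile(r"\\bitcoin\\wallet\.dat$"), {"bitcoin-qt.exe", "bitcoind.exe"}),
]
MIN_CATEGORIES = 2                    # stores of >= 2 different apps: cross-app harvesting
EXFIL_WINDOW = timedelta(seconds=60)  # outbound connection shortly after the last read


def parse_events(text):
    """Parse the pipe-separated telemetry lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, pid, image, action, target = line.split("|", 5)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "pid": int(pid), "image": image,
            "action": action, "target": target,
        })
    return events


def classify_read(image, target):
    """Return the artifact category when `target` is a sensitive store read by a
    process other than its legitimate owner; None otherwise."""
    basename = image.rsplit("\\", 1)[-1].lower()
    low = target.lower()
    for name, pattern, owners in ARTIFACTS:
        if pattern.search(low) and basename not in owners:
            return name
    return None


def detect_stealer(events):
    """Flag processes that read credential stores of several applications and
    then open an outbound connection within EXFIL_WINDOW of the last read."""
    per_proc = defaultdict(lambda: {"cats": set(), "last_read": None, "connects": []})
    for ev in events:
        rec = per_proc[(ev["host"], ev["pid"], ev["image"])]
        if ev["action"] == "file_read":
            cat = classify_read(ev["image"], ev["target"])
            if cat:
                rec["cats"].add(cat)
                rec["last_read"] = ev["ts"]
        elif ev["action"] == "net_connect":
            rec["connects"].append((ev["ts"], ev["target"]))

    alerts = []
    for (host, pid, image), rec in per_proc.items():
        if len(rec["cats"]) < MIN_CATEGORIES:
            continue  # a single app reading its own store, or nothing sensitive
        dest = next((d for ts, d in rec["connects"]
                     if rec["last_read"] <= ts <= rec["last_read"] + EXFIL_WINDOW), None)
        alerts.append({
            "host": host, "pid": pid, "image": image,
            "categories": sorted(rec["cats"]),
            "destination": dest,                 # None when no follow-up connection seen
            "severity": "high" if dest else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_stealer(parse_events(SAMPLE_EVENTS)):
        print(f"[{a['severity']}] {a['host']} pid {a['pid']} {a['image']} read "
              f"{', '.join(a['categories'])}; outbound to {a['destination']}")
```

On the sample data only the Loader.exe process is flagged: chrome.exe reading its own Login Data is excluded by the owner check, which is what keeps this rule from firing on every browser start. The two-category threshold is the key design choice; a legitimate application has no reason to read another vendor's credential store and a wallet file in the same session.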
Loader.exe also enumerates the installed browsers and iterates through their user data to gather anything useful.

Figure 10: Loader.exe checking for Browsers installed on the system.

Then the malware connects to C2 servers to transfer the data.

Figure 11: Loader.exe connecting to C2 servers to transfer data.

This behavior is similar to the Lumma Stealer variants we have seen earlier.

Detection and Mitigation Strategies

McAfee blocks this infection chain at multiple stages:

URL blocking of the GitHub repository.

Figure 12: McAfee blocking URLs

Detecting the downloaded malware.

Figure 13: McAfee blocking the malicious file

Conclusion and Recommendations

In conclusion, the GitHub repository infection chain demonstrates how cybercriminals exploit the accessibility and trustworthiness of popular websites such as GitHub to distribute malware like Lumma Stealer. By leveraging the user's desire to use game hacks to get better at a certain video game, or to obtain licensed software for free, they trick users into infecting themselves.

At