Gitgub Campaign: Info Stealer Targets GitHub Users

Security researchers have uncovered multiple repositories on GitHub distributing malicious software under the guise of cracked versions of popular software.

In a malicious operation dubbed “gitgub,” specialists from the German company G DATA identified 17 repositories linked to 11 different accounts that have been disseminating the info stealer RisePro, first emerging in the informational sphere in December 2022.

Experts report that all malicious repositories have already been removed from GitHub to prevent the spread of the infection.

The repositories all featured a remarkably similar design, including a “README.md” file promising free cracked software. To lend legitimacy and relevance, the perpetrators utilized green circles from the Unicode symbol system (U+1F7E2), mimicking status indicators, as well as the current date.

The range of repositories varied from software enhancing audio to tools for data recovery and protection, system optimization, and partition management. Particularly noteworthy were repositories such as “AVAST,” “AOMEI-Backupper,” “IObit-Smart-Defrag-Crack,” “Ccleaner,” “EaseUS-Partition-Master,” “Daemon-Tools,” etc. These names and brands are familiar to many Windows users and automatically engender trust among the majority.

Victims of the malicious campaign were also attracted by links to download RAR archives from the seemingly legitimate website “digitalxnetwork[.]com,” which also required a password from “README.md” for access to the installation file.

The malicious software, posing as an installer and sized at 699 MB to complicate analysis by specialized tools, actually contained only 3.43 MB of useful data. This data served as a loader for injecting the RisePro version 1.6 malware.

Meanwhile, RisePro, written in C++, specializes in collecting sensitive information from infected hosts and exporting it to the perpetrators’ Telegram channels.

According to Specops, info stealers like RedLine, Vidar, and Raccoon are becoming increasingly popular and often serve as the primary vectors for ransomware attacks and other serious data security breaches. RedLine alone has stolen over 170 million passwords in the past six months.

Flashpoint experts emphasize that the current rise in popularity of malicious information-stealing software serves as a stark reminder of the constantly evolving digital threats. The primary motivation for hackers using such software is almost always financial gain, while the accessibility and ease of use of these tools continue to increase.