The Hidden Menace of Phantom Attackers on GitHub by Stargazers Ghost Network

Key Summary

1. Never Seen Before Discovery: Check Point Research has uncovered the Stargazers Ghost Network, a sophisticated operation of ghost accounts on GitHub distributing malware through phishing repositories, marking the first time such an operation has been identified on this platform.
2. Significant User Impact: The malicious repositories target a wide range of users, including social media enthusiasts, gamers, and cryptocurrency holders, which could possibly be leveraged in attacks of severe consequences such as ransomware infections, stolen credentials, and compromised cryptocurrency wallets.
3. Broader Community Implications: The network’s Distribution as a Service (DaaS) model provides a platform for other threat actors, impacting the wider community.

The cyber-crime landscape is constantly evolving, threat actors find new sophisticated ways to infect victims, get access to sensitive information, and cause harm. GitHub is a platform owned by Microsoft which is commonly used to host open-source software development projects. It is the world’s largest source code host with over 100 million developers, more than 420 million repositories, and 14 million visitors per day. GitHub is a crucial tool for a variety of users – from government agencies at the state and local level to collaborate, software engineers, programmers to developers and coding students. Companies and educational institutions are also known to leverage GitHub to make coding tasks easier, faster, and more streamlined.

Check Point Research has uncovered the first network of Ghost accounts operating on GitHub. This network of accounts, known as Stargazers Ghost Network, distributes malware and malicious links through phishing repositories of fake accounts. This type of operation, where fake accounts are instrumented to organically perform phishing attacks to distribute malware, has never been seen before.

Check Point Research discovered that the operator of this Ghost network was an individual known as Stargazer Goblin.  This hacker and the new network this threat actor had created was first discovered through an advertisement in dark web forums in June 2023, where the actor is providing the pricelist of each action that could be taken. However, through some other actions, we deduce that the possible start of the network is August 2022.

Figure 1 – Malicious GitHub Repository.

The sophistication of this network lies in its ability to make malicious repositories appear legitimate through actions like  starring (“liking”), forking (“retweeting”), and subscribing.

Figure 2 – Network roles.

Figure 3 – Stargazer GitHub account.

Those repositories use phishing templates and tags that are highly victim-oriented, targeting users with various interests in social media, gaming, cryptocurrency, and many others. Such types of operations can create a significant impact as they are heavily victim-oriented, making infections of such victims even more severe with  victims facing threats such as  Ransomware infections to stolen credentials and compromised cryptocurrency wallets.

Those GitHub repositories currently target mainly Windows users, though similar malware distribution methods can be used to target Linux or Android users, all of whom also have large user databases, marking a greater impact on the community.

Broader Implications for the Community

Based on monitored campaigns and accounts from mid-May to mid-June, in less than a month, we have calculated that Stargazer Goblin earned approximately $8,000. The economic toll of these operations is considerable as considering the first time making the publication in June 2023 and the possible start of the network is August 2022, we estimate that this has made more than $100,000 during his operations of more than 3,000 GitHub Ghost accounts.

Figure 4 – Forum advertisement with prices.

This network operates a Distribution as a Service (DaaS) network providing a platform for other potential threat actors to provide Stargazer Goblin their malicious links or malware to be distributed via malicious phishing templates on GitHub repositories. The network has been distributing all sorts of malware families, with notable mentions of Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.

Figure 5 – Atlantida Stealer attack chain.

Check Point Research identified a YouTube Ghost account that was distributing malicious links via video. We consider it highly probable that GitHub Ghost accounts are just the tip of the iceberg and only one part of the grand picture, with other Ghost accounts operating on other Platforms like Twitter, YouTube, Discord, Twitch, Instagram, and others. This suggests a much larger Distribution as a Service universe that could spread across multiple platforms, potentially infecting and impacting a significantly greater number of users within the wider digital community.

Figure 6 – YouTube Ghost account malicious video.

The Need for Vigilance

Check Point advises users of GitHub to be wary of links leading to GitHub and repositories that provide download links containing executables. Even reputable repositories could distribute malware as we have observed some of them being “infected” with malicious download links. We consider highly suspicious any commits which only change or add links into a repository.