Attackers are running a large-scale malware distribution campaign that abuses trusted platforms such as GitHub and FileZilla. They impersonate popular software (e.g., 1Password, Bartender 5) on these platforms to trick users into downloading malware-laden files. No vulnerability in the platforms is exploited; the attack relies on the trust users place in them.
The campaign targets Windows, macOS, and Android devices with a mix of stealer malware variants. Researchers suspect that a single command-and-control (C2) infrastructure manages these different malware families, which points to a coordinated operation rather than unrelated actors.
The table lists the target systems for the malware families involved. Windows systems are hit by both Vidar and Lumma, two modern information stealers that harvest credentials and session data from infected machines.
Vidar, sold as malware-as-a-service (MaaS), first appeared in 2018, while Lumma is far newer, first documented by researchers in late 2022 or early 2023. Their pairing shows that the operators combine a mature stealer with a recently developed one against Windows targets.
The table also lists Octo, an Android banking trojan, which shows the campaign reaching beyond desktop platforms.
Attackers use a two-step lure to get users to download the malware. First, they get in front of people searching for common software, either by manipulating search rankings (SEO poisoning) so a malicious page ranks highly, or by buying search ads (malvertising) that appear above the organic results. These are two distinct techniques, but both put the attacker's link at the top of the page.
The ads and pages mimic the legitimate software vendor. Clicking through leads to a fake repository that closely resembles the real one, and the installer it serves is malware-laced rather than the genuine software, so the victim infects their own machine believing they installed a trusted tool.
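The impersonation described above comes down to two checks that a download tool (or a careful user) can automate: does the URL actually point at the publisher's own account on the platform, or at something that merely looks like it, and does the file match the digest the vendor published out of band? The following Python is an added example written for this page, not code from the original post or from any vendor. The publisher allowlist, the example URLs, and the pinned digest are constructed for the demo and are assumptions, not data from the article.

```python
"""Added example (not from the original post): heuristics for spotting a
download that impersonates a known publisher, plus a hash check for the
file itself.  The publisher allowlist and the URLs are constructed for the
demo; they are assumptions, not data from the article."""
import hashlib
import hmac
from urllib.parse import urlparse

# Assumed allowlist: product -> (official host, official account on that host).
# The Bartender account name is a placeholder for the demo.
KNOWN_PUBLISHERS = {
    "1password": ("github.com", "1password"),
    "bartender": ("github.com", "bartender-vendor-placeholder"),
}

# Digits and symbols attackers substitute for letters in lookalike names.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalize(name: str) -> str:
    """Case-fold, map common homoglyphs to letters, and drop separators."""
    folded = name.casefold().translate(_HOMOGLYPHS)
    return "".join(ch for ch in folded if ch.isalnum())


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_download(url: str, product: str) -> str:
    """Return 'trusted', 'lookalike', or 'untrusted' for a download URL.

    'trusted'   : https, official host, official account as first path segment.
    'lookalike' : host or path imitates the official host, account, or product.
    'untrusted' : anything else (plain http, unrelated host, unrelated account).
    """
    if product not in KNOWN_PUBLISHERS:
        raise ValueError(f"no publisher record for {product!r}")
    host, account = KNOWN_PUBLISHERS[product]
    parsed = urlparse(url)
    url_host = (parsed.hostname or "").casefold()
    segments = [s for s in parsed.path.split("/") if s]

    if parsed.scheme != "https":
        return "untrusted"
    if url_host == host and segments and segments[0].casefold() == account:
        return "trusted"
    # Host impersonation: github-releases.example, github.com.evil.example, ...
    if url_host != host and host.split(".")[0] in url_host:
        return "lookalike"
    # Account or repo impersonation on the real host: 1Password-official,
    # lPassword, someone/1password-installer, ...
    if url_host == host and segments:
        targets = {normalize(account), normalize(product)}
        for seg in segments[:2]:
            norm = normalize(seg)
            if any(t in norm or levenshtein(t, norm) <= 1 for t in targets):
                return "lookalike"
    return "untrusted"


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the payload's SHA-256 against a pinned digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().casefold())


if __name__ == "__main__":
    # Constructed sample URLs for the demo.
    for sample in (
        "https://github.com/1Password/op-cli/releases/download/v2/op.zip",
        "https://github.com/1Password-official/op/releases/op.zip",
        "https://github-releases.example/1Password/op.zip",
        "https://files.example/1Password/op.zip",
    ):
        print(classify_download(sample, "1password"), sample)
```

The URL check is only a heuristic for catching the lookalike account and host names this kind of campaign relies on; the check that actually matters is the digest (or code signature) obtained from the vendor's own site rather than from the page that served the download, since an attacker who controls the fake repository also controls any hash printed next to the file.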
This fits a broader trend of abusing trusted platforms such as GitHub for malware distribution: a separate campaign delivers Redline Stealer the same way, following a tactic used previously with STRRAT and VCRAT.
In that case, victims are lured to fraudulent websites that redirect them to payloads hosted on Bitbucket and Dropbox. Hosting on well-known services lets the download blend in with legitimate traffic and slip past reputation-based URL filtering, which is why the abuse of legitimate services keeps growing.
ANY.RUN, a malware sandbox platform used by some 400,000 researchers, reports a spike in Vidar detections in its analysis data, indicating that Vidar is spreading more widely.
Its Malware Trends Tracker ranks malware families by the volume of samples submitted for analysis, and the recent jump in Vidar submissions marks it as a prominent current threat.
Never forget to check out our YouTube channel, ETHICAL EMPIRE, and keep reading our exciting blogs. Until next time, stay curious, stay secure, and keep exploring the fascinating world of cyber security. See you soon, bye!