Over 200 Trojanized GitHub Repositories Uncovered in Widespread Cyber Campaign
By John Jordan, Jun 20 (updated Jun 23). 3 min read.
A widespread cyber campaign has been uncovered, revealing over 200 trojanized GitHub repositories. These malicious repositories, disguised as legitimate tools and game cheats, have been targeting gamers and developers, distributing information-stealing malware and other remote access Trojans. The activity highlights a growing trend of using open-source platforms for malware distribution.

Key Takeaways
- Over 200 trojanized GitHub repositories were discovered, impersonating benign software.
- The campaign primarily targets gamers and developers seeking tools like account cleaners and game cheats.
- Malware distributed includes information stealers, remote access Trojans, and other malicious payloads.
- GitHub is increasingly being used as a vector for malware distribution, posing a significant software supply chain risk.
- Users are advised to exercise extreme caution and verify the authenticity of repositories before use.
The Banana Squad Campaign Unveiled
Cybersecurity researchers at ReversingLabs have identified a new campaign, dubbed "Banana Squad," involving more than 67 GitHub repositories that offer what appear to be Python-based hacking tools but instead deliver trojanized payloads. The campaign is believed to be a continuation of a rogue Python operation from 2023 that targeted the Python Package Index (PyPI), where information-stealing packages reached over 75,000 downloads.
The investigation expanded upon a November 2024 report from SANS's Internet Storm Center, which detailed a deceptive "steam-account-checker" tool on GitHub. This tool stealthily downloaded additional Python payloads designed to inject malicious code into the Exodus cryptocurrency wallet app and exfiltrate sensitive data.
GitHub as a Malware Distribution Hub
This discovery underscores a growing trend of threat actors leveraging GitHub as a primary platform for malware distribution. Other recent campaigns highlight this concern:
Water Curse: Trend Micro uncovered 76 malicious GitHub repositories operated by a threat actor named Water Curse. These repositories distribute multi-stage malware designed to siphon credentials, browser data, and session tokens, while also providing persistent remote access.
Stargazers Ghost Network: Check Point revealed a criminal service targeting Minecraft users with Java-based malware. This network comprises numerous GitHub accounts that propagate malware and malicious links through phishing repositories, using tactics like starring, forking, and subscribing to make malicious repositories appear legitimate.
Backdoored Repositories for Cybercriminals: Even novice cybercriminals seeking readily available malware on GitHub are being targeted. Sophos reported on the trojanized Sakura-RAT repository, which infected users who compiled the malware with information stealers and other RATs.
Sophisticated Distribution Methods
The identified trojanized repositories act as conduits for various backdoors embedded within Visual Studio PreBuild events, Python scripts, screensaver files, and JavaScript. These backdoors are capable of stealing data, taking screenshots, communicating via Telegram, and fetching additional payloads such as AsyncRAT, Remcos RAT, and Lumma Stealer.
Sophos has detected at least 133 backdoored repositories within this campaign, with 111 containing the PreBuild backdoor. This activity is likely linked to a distribution-as-a-service (DaaS) operation active since August 2022, which has utilized thousands of GitHub accounts to distribute malware disguised as gaming cheats, exploits, and attack tools. While the exact distribution methods remain unclear, it is suspected that Discord servers and YouTube channels are also used to spread links to these malicious repositories.
Protecting Against Supply Chain Attacks
Robert Simmons, a researcher at ReversingLabs, emphasizes the increasing prevalence of backdoors and trojanized code in public source code repositories like GitHub, highlighting them as a growing software supply chain attack vector. He advises developers to always double-check that a repository contains what they expect. As these campaigns evolve, the focus may shift beyond inexperienced cybercriminals and gamers, making vigilance crucial for all users of open-source platforms.
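One concrete way to act on that advice is to audit a cloned checkout for the payload carriers the article names: PreBuild events in Visual Studio project files, screensaver binaries, and Python or JavaScript that decodes an embedded blob and executes it. The script below is an added example, not code from ReversingLabs, Sophos or any repository in the campaign; the sample checkout it scans is constructed, and the PreBuild command in it is a labelled placeholder.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Indicators drawn from the carriers the article names: Visual Studio PreBuild
# events, screensaver (.scr) binaries, and Python/JS that decodes and runs a blob.
LONG_B64 = re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")
DYNAMIC_EXEC = re.compile(r"\b(exec|eval|Function)\s*\(|b64decode|atob\s*\(")

def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace so old- and SDK-style projects match."""
    return tag.rsplit("}", 1)[-1]

def prebuild_commands(project_xml: str) -> list[str]:
    """Return every command MSBuild would run before the code is compiled."""
    found = []
    for el in ET.fromstring(project_xml).iter():
        name, hooks = _local(el.tag), el.get("Name", "") + el.get("BeforeTargets", "")
        if name == "PreBuildEvent" and (el.text or "").strip():
            found.append(el.text.strip())
        elif name == "Target" and ("PreBuild" in hooks or "BeforeBuild" in hooks):
            found += [e.get("Command") for e in el.iter() if _local(e.tag) == "Exec" and e.get("Command")]
    return found

def audit_files(files: dict[str, str]) -> list[str]:
    """files maps a relative path to its text; returns one finding per hit."""
    findings = []
    for path, text in files.items():
        suffix = Path(path).suffix.lower()
        if suffix in {".csproj", ".vbproj"}:
            findings += [f"{path}: PreBuild runs: {c[:80]}" for c in prebuild_commands(text)]
        elif suffix == ".scr":
            findings.append(f"{path}: screensaver file (a PE executable) in a source repo")
        elif suffix in {".py", ".js"} and LONG_B64.search(text) and DYNAMIC_EXEC.search(text):
            findings.append(f"{path}: long base64 literal that is decoded and executed")
    return findings

def audit_repo(root: str) -> list[str]:
    """Walk a cloned checkout (skipping .git) and audit every file in it."""
    files = {str(p.relative_to(root)): p.read_text(errors="ignore")
             for p in Path(root).rglob("*") if p.is_file() and ".git" not in p.parts}
    return audit_files(files)

# Constructed sample checkout; none of this is taken from a real repository.
SAMPLE = {
    "Cheat.csproj": '<Project Sdk="Microsoft.NET.Sdk"><Target Name="PreBuild" '
                    'BeforeTargets="PreBuildEvent"><Exec Command="cmd /c PLACEHOLDER" /></Target></Project>',
    "setup.scr": "",
    "checker.py": "import base64\nexec(base64.b64decode('" + "QUFB" * 40 + "'))\n",
}
```

Run `audit_repo("/path/to/clone")` on a fresh checkout before building or running anything from it; a hit on a project file means the build itself executes code you have not read.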
As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
200+ Trojanized GitHub Repositories Found in Campaign Targeting Gamers and Developers, The Hacker News.