Russian Actors Weaponize Legitimate Services in Multi-Malware Attack

May 14, 2024

A novel cyber campaign by Russian-speaking actors abused legitimate internet services, such as GitHub and FileZilla, to deploy multiple malware variants, Recorded Future has reported.

The adaptive tactics and advanced capabilities used present significant challenges in tracking and defending against this type of threat, the researchers said.

The threat actor, likely located in the Commonwealth of Independent States (CIS), targeted a range of operating systems (OS) and computer architectures in the credential-harvesting campaign, including Windows and macOS, highlighting their adaptability to evolving technology.

This includes the deployment of Atomic macOS Stealer (AMOS), the current version of which is capable of infecting both Intel-based and ARM-based Macs.

Alexander Leslie, threat intelligence analyst at Recorded Future, told Infosecurity that this campaign is the most prominent example of a threat actor abusing legitimate services to target credentials across multiple platforms and architectures.

“It’s [leveraging legitimate services] done out of convenience – it’s very adaptable and that’s what’s really concerning,” he said.

Users Lured into Downloading Malware

During an investigation of the AMOS stealer, Recorded Future’s Insikt Group discovered 12 websites that impersonated legitimate macOS applications, such as CleanShotX, 1Password and Bartender.

These domains all redirected users to a GitHub profile belonging to a user named “papinyurii33,” prompting them to download macOS installation media, which resulted in an AMOS infostealer infection.

The malicious papinyurii33 account was created on January 16, 2024, and its last observed contribution was on March 7.
