HomeNews
Vidar, Lumma, Atomic and Octo Delivered through GitHub, FileZilla
HomeNews
Vidar, Lumma, Atomic and Octo Delivered through GitHub, FileZilla

Researchers report about a new campaign that’s delivering a variety of malware, by exploiting GitHub, FileZilla and potentially other legitimate services. 

What’s happening? 

Adversaries are impersonating 1Password, Bartender 5, Pixelmator Pro, and other software on GitHub and FileZilla to deliver multiple threats in a massive campaign.  

The campaign uses multiple stealers, allowing it to target Windows, MacOS, and Android users. Researchers believe that hackers are centrally controlling these families from a shared C2. 

The following table shows which malware families affect which systems: 

Malware  Target system 
Vidar Windows 
Lumma Windows 
Atomic  MacOS 
Octo  Android 

Vidar and Lumma are both modern info-stealers.  

Vidar, a Malware-as-a-Service (MaaS), first appeared in the wild in 2018. Lumma is even newer — experts have known about it since late 2022 or early 2023. 

Analyze Vidar, Lumma, and other malware
in ANY.RUN sandbox 

Sign up for free

Breaking down the attack chain 

Malvertising and SEO poisoning drives victims to fake repositories made to look like legitimate software. But in reality, the repositories contain malware-infected software. 

Source: Hackernews.

Another case of GitHub abuse 

This campaign shows that hackers can exploit services users already trust. The tactic has been gaining popularity recently. Read about a new version of Redline being distributed via GitHub, and how STRRAT and VCRAT used GitHub for distribution

The same group behind this campaign also distributes Rhadamanthys malware. The infection process is similar: victims are lured to fake websites that then redirect them to malicious hosts on Bitbucket and Dropbox, where the hackers have uploaded the malware. 

Vidar — a popular threat 

Vidar has been gaining popularity as of late, according to our threat data: 

Vidar is the most common malware in ANY.RUN’s Malware Trends Tracker 

The ANY.RUN Malware Trends Tracker shows the popularity of malware families from the data that 400,000 researchers submit to our sandbox for analysis. It shows that at the time of writing Vidar’s detections have spiked. 

Analyzing Lumma in ANY.RUN 

In this anlysis session in ANY.RUN, we can see that a program called Lazesoft Recover My Password Professional Edition Setup immediately begins its malicious activities upon starting. 

It injects into the system process BitLockerToGo to evade process-based defenses and potentially elevate privileges.

Lumma sample as seen in ANY.RUN

BitLockerToGo is a feature of Microsoft’s BitLocker full-disk encryption software that specifically targets removable drives, such as USB flash drives and external hard drives. 

The malware was detected by both Yara and Suricata rules. 

Try all features of ANY.RUN sandbox
Get 14 days of free trial 

Request trial

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Advantages of ANY.RUN  

ANY.RUN helps you analyze threats faster while improving detection rates. The platform detects common malware families with YARA and Suricata rules and identifies malware behavior with signatures when detection by family is not possible. 

With ANY.RUN you can: 

  • Detect malware in under 40s. 
  • Interact with samples in real time. 
  • Save time and money on sandbox setup and maintenance 
  • Record and study all aspects of malware behavior. 
  • Collaborate with your team 
  • Scale as you need. 

Try the full power of ANY.RUN for free 

Request free trial → 

Jack Zalesskiy
Technology writer at ANY.RUN at ANY.RUN | + posts

Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.

jack-zalesskiy
Jack Zalesskiy
Technology writer at ANY.RUN
Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.

What do you think about this post?

2 answers

  • Awful
  • Average
  • Great

No votes so far! Be the first to rate this post.

0 comments