Ars Technica reports that a malware-as-a-service operator abused public GitHub accounts to distribute malicious payloads as part of an attack campaign.
Attackers used GitHub accounts to distribute the Emmenhtal malware loader, also known as PeakLight, which in turn launched the Amadey trojan; Amadey gathers system data and retrieves additional payloads, according to an analysis by Cisco Talos researchers. The researchers also found GitHub accounts hosting malware disguised as MP4 files and the custom 'checkbalance.py' loader. GitHub has since removed the three compromised accounts reported by Cisco Talos. "This distribution of several disparate malware families from a single infrastructure suggests that the threat actors behind the instances of Amadey are distributing payloads for other individuals or groups. In addition, the command and control (C2) infrastructures for the secondary payloads do not overlap with that of Amadey," said researchers.