SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
31 Mar 2017

Someone is putting lots of work into hacking Github developers

Open-source developers who use Github are in the cross-hairs of advanced malware that can steal passwords, download sensitive files, take screenshots, and self-destruct when necessary.

Dimnie, as the reconnaissance and espionage trojan is known, has largely flown under the radar for the past three years. It mostly targeted Russians until early this year, when a new campaign took aim at multiple owners of Github repositories.

One commenter in this thread reported the initial infection e-mail was sent to an address that was used solely for Github, and researchers with Palo Alto Networks, the firm that reported the campaign on Tuesday, told they have no evidence it targeted anyone other than Github developers. "Both messages appearing to be hand-crafted, and the reference to today's data in the attachment file name IMHO hint at a focused campaign explicitly targeting targets perceived as 'high return investments,' such as developers (possibly working on popular/open-source projects,)" someone who received two separate infection e-mails reported in the thread.

Extensive menu

The Palo Alto Networks researchers said Dimnie is a highly modular piece of software that gives attackers an extensive menu of capabilities that can be tailored to a specific target. Available functions include keylogging, the taking of screenshot, interacting with attached smartcards, extracting PC information, enumerating a list of processes running on an infected computer, and self-destructing. When sending data to attacker-controlled servers, Dimnie uses a variety of novel techniques to camouflage the data so the suspicious traffic won't be detected by network security products.

For example, Dimnie exfiltrates data using Web requests that appear to be sent to Google-owned domains. By using some slight-of-hand domain-lookup techniques, the information is actually sent to an address controlled by the attackers. Dimnie also appends purloined data to a fake image header and encrypts it.

For extra stealth, Dimnie encrypts downloaded payloads during transit and once they are received and decrypted on the other side, they are never written to the hard drive of the infected computer. Instead, Dimnie injects them directly into memory, a technique that was first seen used by nation-sponsored hackers and later adopted by financially motivated hackers.

The campaign targeting Github users starts with an e-mails that attach a booby-trapped Microsoft Word document. The file contains a malicious macro that uses PowerShell commands to download and execute the payloads. To avoid detection, the PowerShell commands are laced with extraneous characters that Windows ignores but often trick anti-malware engines into behaving as if the malicious text strings are benign.

The researchers declined to speculate who might be behind the campaign or what the motivations may be for targeting open-source developers. It's not hard to come up with plausible theories why either nation-sponsored for financially motivated hackers would want to spy on this demographic. What's clear now is that someone is devoting considerable time and expertise to make that happen.

Tags:
Github fraud information leaks
Source:
Ars Technica
1978
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015