A new series of malware attacks has occurred, and this time, the targets are the owners of Github repositories. Developers who own these repositories were a target of phishing emails that contained a malware capable of stealing data through keyloggers and modules that take screenshots.
In January 2017, several of the developers at GitHub received supposed job offer emails attached with malicious .doc files containing embedded macro. The macro executed a PowerShell command that would grab the malware from command and control center and execute itself.
Hey. I found your software is online. Can you write the code for my project? Terms of reference attached below. The price shall discuss, if you can make. Answer please.
My name is Adam Buchbinder, I saw your GitHub repo and I’m pretty amazed. The point is that I have an open position in my company and looks like you are a good fit.
Please take a look into attachment to find details about company and job. Don’t hesitate to contact me directly via email highlighted in the document below.
Thanks and regards,
It’s been discovered that the binary dropped during the attack is called Dimnie and has circulated since 2014 while targeting Russian-speaking individuals. The reasons behind this attack are still unknown, although it’s suspected that the attackers were after one or more of the projects hosted on the platform. The developers said that these projects would be an attractive target for both cybercriminals and nation-state attackers.
Senior threat researcher Brandon Levene said that the malware is a relatively unknown threat outside of the Russian-speaking world and that this is why it took them by surprise. Dimnie is known to use stealth as its specialty. It disguises its HTTP requests to the command and control infrastructure in a GET request to a defunct Google service called Google PageRank.
In order to deceive, as said by Levene, an IP address was found in a DNS lookup request preceding the GET request that as the real destination IP for the follow-up HTTP request.
Palo Alto reports that “Sending the request to an entirely different server is not complicated to achieve, but how many analysts would simply see a DNS request with no [apparent] related subsequent traffic? That is precisely what Dimnie is relying upon to evade detections.”
What this means is that Dimnie tries to appear to be a regular, legitimate traffic, which is more challenging due to the type of data that’s usually moving off the victim’s device.
The new practice that has been observed in the more recent attacks is that the payloads don’t leave any artifacts on the hard drive, but are instead injected into memory. Several modules have been discovered, some of which extract system data, enumerate running processes, keyloggers, screenshots and even a self-destruct module which deletes all files on the drive.
Despite the attack, Levene has stated that the command and control infrastructure still operates and that Dimnie continues to be used against the Russian-speakers.
DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.