
A cybercrime group of Brazilian origin has resurfaced after more than three years and organized a campaign targeting Minecraft players using a new stealer called LofyStealer (also known as GrabBot).
“This malware disguises itself as a Minecraft hack called ‘Slinky,'” Brazil-based cybersecurity firm ZenoX said in a technical report. “It exploits young users’ trust in the gaming scene by using the game’s official icon to induce spontaneous execution.”
We have high confidence that this activity is the work of the threat actor known as LofyGang. The attacker was observed leveraging typosquatting packages on the npm registry in 2022 to push stealer malware specifically to siphon credit card data and user accounts related to Discord Nitro, games, and streaming services.
The group is believed to have been active since late 2021, promoting its tools and services on platforms such as GitHub and YouTube, while contributing to underground hacking communities under the alias DyPolarLofy, and has compromised thousands of Disney+ and Minecraft accounts.
“Minecraft has been a target of LofyGang since 2022,” Acassio Silva, co-founder and head of threat intelligence at ZenoX, told The Hacker News. “They have leaked thousands of Minecraft accounts on Cracked.io under the alias DyPolarLofy. The current campaign is directly tracking Minecraft players through a fake ‘Slinky’ hack.”
The attack begins with the fake Minecraft hack which, when launched, triggers the execution of a JavaScript loader that is responsible for deploying LofyStealer (‘chromelevator.exe’) on the compromised host and that runs directly in memory. The stealer’s purpose is to collect a wide range of sensitive data across multiple web browsers, including Google Chrome, Chrome Beta, Microsoft Edge, Brave, Opera, Opera GX, Mozilla Firefox, and Avast Browser.
The collected data, including cookies, passwords, tokens, cards, and international bank account numbers (IBANs), is exfiltrated to a command and control (C2) server located at 24.152.36[.]241.
“Historically, the main vector for this group has been the JavaScript supply chain, including typosquatting of NPM packages, starjacking (false references to legitimate GitHub repositories to exaggerate credibility), and payloads embedded in sub-dependencies to evade detection,” ZenoX said.
“The focus was the theft of Discord tokens, modification of the Discord client for credit card interception, and exfiltration via webhooks exploiting legitimate services (Discord, Repl.it, Glitch, GitHub, and Heroku) as C2.”
The latest development marks a departure from the previously observed tradecraft and a move towards a malware-as-a-service (MaaS) model with free and premium tiers, as well as a bespoke builder called Slinky Cracked used as a delivery vehicle for stealer malware.

This disclosure comes as threat actors increasingly exploit the trust associated with platforms like GitHub to host fake repositories that serve as fodder for malware families such as SmartLoader, StealC Stealer, and Vidar Stealer. Unsuspecting users are lured to these repositories through techniques such as SEO poisoning.
In some cases, attackers have been found to spread Vidar 2.0 through Reddit posts promoting fake Counter-Strike 2 game cheats, redirecting victims to malicious websites that deliver ZIP archives containing the malware.
“This information theft campaign highlights the ongoing security challenge of widely trusted platforms being exploited to distribute malicious payloads,” Acronis said in an analysis published last month. “By leveraging social trust and common download channels, attackers can often bypass traditional security solutions.”
This finding adds to a growing list of campaigns powered by GitHub in recent months:
A campaign that directly targets developers within GitHub and uses fake Microsoft Visual Studio Code (VS Code) security alerts posted through discussions to trick users into clicking on a link and installing malware. “GitHub discussions trigger email notifications for participants and observers, so these posts are also delivered directly to developers’ inboxes,” Socket said. “This extends the scope of the campaign beyond GitHub itself, making the alerts appear more legitimate.”
Spear-phishing emails that target Argentina’s judicial system and distribute compressed ZIP archives that use an intermediate batch script to retrieve a remote access Trojan (RAT) hosted on GitHub.
A scheme in which the attacker creates a GitHub account and an OAuth application, then opens an issue that mentions the targeted developer; the resulting email notification tricks the developer into authorizing the OAuth app, effectively allowing the attacker to obtain an access token. The issue is intended to create a false sense of urgency by alerting users about unusual access attempts.
Malicious GitHub repositories used to distribute malicious batch script installers disguised as legitimate IT and security software, leading to the deployment of the TookPS downloader, which then initiates a multi-step infection chain to establish persistent remote access using SSH reverse tunnels and RATs such as MineBridge RAT (also known as TeviRAT). This activity is believed to be the work of Rift Brigantine (aka FIN11, Graceful Spider, TA505).
Fake GitHub repositories disguised as AI tools, game cheats, Roblox scripts, phone number location trackers, and VPN crackers that are used to distribute LuaJIT payloads acting as general-purpose Trojans, as part of a campaign called TroyDen’s Lure Factory.
“The breadth of lure factories, including game cheats, developer tools, phone trackers, Roblox scripts, and VPN crackers, suggests that the attackers are optimizing for overall audience volume rather than precise targeting,” Netskope said.
“Defenders should treat GitHub-hosted downloads that combine renamed interpreters and opaque data files as high-priority triage candidates, regardless of how legitimate the surrounding repositories appear.”
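The Netskope triage heuristic above (a renamed interpreter sitting beside opaque data files) can be turned into a simple scanner for downloaded archives. The following is an added example, not code from ZenoX, Netskope or any project mentioned in the article; the interpreter marker strings, the entropy threshold, the "opaque" extensions and the sample download it builds are all assumptions constructed for illustration.

```python
import math
import os
import tempfile
from pathlib import Path

# Assumed build strings embedded by common interpreter binaries (hypothetical list; extend it
# from real samples). A file containing one whose filename does not name it is "renamed".
INTERPRETER_MARKERS = {b"LuaJIT": "luajit", b"Node.js": "node", b"Python": "python"}
OPAQUE_EXTS = {".dat", ".bin", ".db", ".res", ".pak"}  # assumed extensions for opaque data files
ENTROPY_THRESHOLD = 7.2  # bits per byte; encrypted or packed blobs score close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def renamed_interpreter(path: Path):
    """Return the interpreter name when its marker is embedded but absent from the filename, else None."""
    head = path.read_bytes()[:1_000_000]
    for marker, name in INTERPRETER_MARKERS.items():
        if marker in head and name not in path.name.lower():
            return name
    return None

def triage_download(root: Path) -> dict:
    """Flag a download as high priority when a renamed interpreter sits beside opaque data."""
    interpreters, opaque = {}, []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        name = renamed_interpreter(p)
        if name:
            interpreters[p.relative_to(root).as_posix()] = name
        elif p.suffix.lower() in OPAQUE_EXTS and shannon_entropy(p.read_bytes()) >= ENTROPY_THRESHOLD:
            opaque.append(p.relative_to(root).as_posix())
    return {"renamed_interpreters": interpreters, "opaque_files": opaque,
            "high_priority": bool(interpreters) and bool(opaque)}

def demo() -> dict:
    """Constructed sample download: a renamed LuaJIT-like binary next to an encrypted-looking blob."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "updater.exe").write_bytes(b"MZ" + b"\0" * 64 + b"LuaJIT 2.1.0-beta3 -- Copyright (C)")
        (root / "assets.dat").write_bytes(os.urandom(65536))  # stands in for the opaque payload
        return triage_download(root)
```

Point `triage_download` at an extracted download to get the two lists plus a `high_priority` flag; the marker list only catches interpreters whose build strings you have recorded.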
