
Cybersecurity researchers have exposed a previously unknown threat actor known as Water Curse that relies on weaponized GitHub repositories to deliver multi-stage malware.
“The malware enables data exfiltration (including credentials, browser data, and session tokens), remote access, and long-term persistence on infected systems,” Trend Micro researchers Jovit Samaniego, Aira Marcelo, Mohamed Fahmy, and Gabriel Nicoleta said in an analysis published this week.
The “wide and sustained” campaign, first discovered last month, set up repositories offering seemingly harmless penetration-testing utilities such as SMTP mail bombers and SakuraRAT, but embedded malicious payloads in the Visual Studio project configuration files.
Water Curse’s arsenal spans a wide range of tools and programming languages, pointing to cross-functional development capabilities, and it targets the supply chain with “developer-oriented information stealers that blur the line between red team tools and active malware distribution.”
“When executed, the malicious payload initiated a complex multi-stage infection chain using Visual Basic Script (VBS) and obfuscated PowerShell scripts,” the researchers said. “These scripts downloaded encrypted archives, extracted Electron-based applications, and performed extensive system reconnaissance.”
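As an added defensive check (not code from Trend Micro’s report or the original article), the script below parses a Visual Studio project file and flags build-event commands of the kind the infection chain above relies on: hidden or encoded PowerShell, VBScript hosts, and download cradles. It assumes the payload is wired into MSBuild PreBuildEvent/PostBuildEvent properties or Exec tasks, which the article does not state; the sample project is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample .csproj (not a real Water Curse artifact). One benign
# copy step, one hidden/encoded PowerShell Exec task, one VBS post-build event.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>copy "$(ProjectDir)assets\\*" "$(OutDir)"</PreBuildEvent>
  </PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="powershell -w hidden -ep bypass -enc SQBFAFgAIAAoAE4A" />
  </Target>
  <PropertyGroup>
    <PostBuildEvent>cscript //nologo $(ProjectDir)setup.vbs</PostBuildEvent>
  </PropertyGroup>
</Project>"""

# Heuristic rules: (label, regex). They describe the VBS -> PowerShell staging
# pattern in prose form, not any specific payload.
RULES = [
    ("powershell-hidden-or-encoded", re.compile(
        r"powershell(?:\.exe)?\b.*?(?:-w(?:indowstyle)?\s+hidden"
        r"|-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{8,}|-ep\s+bypass)", re.I)),
    ("vbscript-host", re.compile(r"\b[cw]script(?:\.exe)?\b.*?\.vbs\b", re.I)),
    ("download-cradle", re.compile(
        r"\b(?:iwr|invoke-webrequest|iex|invoke-expression|certutil|bitsadmin|curl|mshta)\b", re.I)),
]

# Elements that carry shell commands MSBuild executes during a build.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Exec"}


def _local(tag):
    # Old-style project files carry the msbuild/2003 namespace; strip it.
    return tag.rsplit("}", 1)[-1]


def find_suspicious_build_commands(xml_text):
    """Return a list of {element, command, reasons} for commands matching any rule."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        if name not in BUILD_EVENT_TAGS:
            continue
        # <Exec Command="..."/> holds the command in an attribute; the *Event
        # properties hold it as element text.
        cmd = (elem.get("Command") if name == "Exec" else (elem.text or "")).strip()
        reasons = [label for label, rx in RULES if cmd and rx.search(cmd)]
        if reasons:
            hits.append({"element": name, "command": cmd, "reasons": reasons})
    return hits
```

Run it over every `*.csproj`/`*.vcxproj` in a cloned repository before building; a hit is a reason to review the project, not proof of compromise, since legitimate builds do sometimes shell out to PowerShell.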

The attacks are also characterized by the use of defense evasion techniques, privilege escalation methods, and persistence mechanisms to maintain a long-term foothold on affected hosts. PowerShell scripts are also used to weaken host defenses and block system recovery.
Water Curse is described as a financially motivated threat actor driven by credential theft, session hijacking, and the resale of illicit access. As many as 76 GitHub accounts are linked to the campaign, and there is evidence suggesting that related activity may date back to March 2023.
The emergence of Water Curse is the latest example of how the trust placed in legitimate platforms like GitHub is abused to deliver malware and stage software supply chain attacks.

“These repositories include malware, evasion utilities, game cheats, aimbots, cryptocurrency wallet tools, OSINT scrapers, spam bots, and credential theft tools,” Trend Micro said. “This reflects a multi-faceted targeting strategy that combines cybercrime with opportunistic monetization.”
“Their infrastructure and behavior demonstrate a focus on stealth, automation, and scalability, with aggressive exfiltration via Telegram and public file-sharing services.”
The disclosure coincides with the observation of multiple campaigns that leverage the popular ClickFix technique to deploy various malware families such as AsyncRAT, DeerStealer (via a loader named Hijack Loader), Filch Stealer, LightPerlGirl, and SectopRAT (via Hijack Loader).

AsyncRAT is one of many readily available remote access trojans (RATs) that unidentified threat actors have used since early 2024 to indiscriminately target thousands of organizations across multiple sectors.
“This commodity malware bypasses traditional perimeter defenses, particularly by using temporary Cloudflare tunnels to deliver payloads from seemingly legitimate infrastructure,” Halcyon said. “These tunnels give attackers ephemeral, unregistered subdomains that perimeter controls treat as trustworthy, making pre-emptive blocking or blacklisting difficult.”
“Because the infrastructure is dynamically spun up through legitimate services, defenders face challenges in distinguishing malicious use from authorized DevOps or IT maintenance workflows. This tactic lets threat actors deliver payloads without relying on compromised servers or bulletproof hosting, increasing both campaign scale and stealth.”
The findings also coincide with the discovery of an ongoing malicious campaign that delivers a RAT named Sorillus using invoice-themed phishing lures and targets a variety of European organizations in Spain, Portugal, Italy, France, Belgium, and the Netherlands.

Previous campaigns distributing the malware used income tax return lures to target accounting and tax professionals. Some of them used HTML smuggling to hide the malicious payloads.
In the attack chain detailed by Orange Cyberdefense, a similar phishing email tricks the recipient into opening a PDF attachment containing a OneDrive link that points to a PDF hosted directly on the cloud storage service, and then into clicking the “Open Document” button.
Doing so redirects the victim to a malicious web server that acts as a traffic distribution system (TDS), evaluating incoming requests to decide whether to advance them to the next stage of infection. If the victim’s machine meets the required criteria, a benign PDF is displayed while a JAR file is silently downloaded and run, dropping the Sorillus RAT.

Sorillus, a Java-based RAT that first surfaced in 2019, is cross-platform malware that can collect sensitive information, download and upload files, take screenshots, record audio, log keystrokes, execute arbitrary commands, and even uninstall itself. It does not help that many cracked versions of the trojan are available online.
The attack is assessed to be part of a broader set of campaigns observed delivering SambaSpy to Italian users. SambaSpy belongs to the Sorillus malware family, per Orange Cyberdefense.
“This operation introduces a strategic fusion of legitimate services such as OneDrive and MediaFire and tunneling platforms such as ngrok and LocalToNet to evade detection,” the cybersecurity company said. “The repeated use of Brazilian Portuguese in the payloads supports the possibility of attribution to Brazilian Portuguese-speaking threat actors.”