Developers sharing code on GitHub are being targeted in a malicious email campaign that’s infecting their computers with a modular trojan known as Dimnie.
GitHub users first started noticing and complaining about these attacks at the end of January this year, but cyber-security firm Palo Alto, who’s been investigating the incidents, says attacks started a few weeks prior.
GitHub users spear-phished by unknown group
Even if the malware payload (Dimnie) is somewhat rare, the attack itself is mundane and follows a classic modus operandi.
Unknown individuals start by sending selected GitHub users a recruitment email. Below are just two of the many messages used in this campaign.
Hey. I found your software is online. Can you write the code for my project? Terms of reference attached below. The price shall discuss, if you can make. Answer please.
Hello, My name is Adam Buchbinder, I saw your GitHub repo and i'm pretty amazed. The point is that i have an open position in my company and looks like you are a good fit. Please take a look into attachment to find details about company and job. Dont hesitate to contact me directly via email highlighted in the document below. Thanks and regards, Adam.
The lure is always the same, a new job, which the user can study in detail if he downloads a file attachment. According to Palo Alto Networks, this email attachment is an archive, which unzips to a macro-laced Word document. The macro, if allowed to execute, will execute a series of PowerShell commands which download and install the Dimnie trojan.
Macro scripts drop new version of Dimnie trojan
The payload surprised Palo Alto experts because they discovered a new version of the Dimnie trojan, a malware downloader that has remained relatively the same since it first appeared three years ago, in 2014.
Analyzing this new version, researchers found a much more potent threat than older Dimnie versions. This new iteration came with the ability to disguise malicious traffic under fake domains and DNS requests, but also with a plethora of new modules, all of which it executed in the OS memory, without leaving a footprint on the user’s disks.
This fileless behavior is what helped attackers keep a low profile. Additionally, the new modules were also very potent, granting attackers various abilities.
For example, Dimnie operators could inject their malicious module into the process of any other application, collect various types of information from infected hosts, log keystrokes on 32-bit and 64-bit architectures, take screenshots of the user’s desktop, quietly exfiltrate stolen data to the attacker’s C&C server, and self-destruct when ordered to.
Because of its stealthy (in memory) mode of execution and ability to disguise communications behind regular traffic, researchers aren’t sure when this new version was developed and deployed in attacks for the first time. As time goes by, we might learn of other attacks that could be attributed to this malware family and its operators.
Attackers were most likely looking for a way to hack enterprises
As for its current campaign, there are multiple and obvious reasons why GitHub users were targeted. For starters, the vast majority oof GitHub users are developers and are likely employed in a similar position.
Gaining access to the computers of these individuals gives attackers a way to access the internal networks of various organizations. These computers could be used to launch reconnaissance attacks and study enterprise networks before launching other attacks.