GitHub user attachments abused to spread novel infostealer

Attackers are abusing GitHub user attachments to distribute ZIP archives containing a novel malware loader and infostealer, Cyderes reported Thursday. The campaign leverages legitimate GitHub content delivery network (CDN) infrastructure to host and distribute the malware via user attachment links.

The malicious ZIP archives, with names including installer.zip and Eclipsyn.zip, contain several signed modules and executables necessary to sideload the loader dubbed “Direct-Sys Loader” and ultimately deploy the infostealer “CGrabber Stealer,” according to Cyderes Howler Cell researchers.

The attack chain begins with sideloading of a dynamic link library (DLL) called msys-crypto-3.dll via the legitimate Microsoft-signed executable Launcher_x64.exe. This launches Direct-Sys Loader, which performs three separate anti-sandbox and anti-analysis checks before decrypting and executing the next-stage shellcode.

The first check looks for a text file named 12345.txt and terminates if the file is found. The second decrypts a list of 67 process names associated with binary analysis, sandboxes and debugging tools, compares the list against all running processes and terminates on any match. The third decrypts a list of four display device strings associated with hypervisors and analysis environments and terminates if the target’s display device information matches any of them.

If all three checks pass, the loader decrypts the next-stage shellcode in memory and executes it, reaching the three Win32 APIs it needs through direct syscall stubs rather than through their normal user-mode entry points, so that endpoint defenses which hook or monitor those API calls see nothing.
The loader uses the ChaCha20 algorithm with a hardcoded key and nonce for decryption. The shellcode decompresses and reflectively loads a portable executable (PE) into memory that serves as an additional loader with similar function to Direct-Sys, performing the same evasion checks and using the same ChaCha20-based decryption routine. However, this loader uses a distinct asynchronous procedure call (APC) based process injection technique to inject additional shellcode into the legitimate Microsoft-signed executable Dllhost.exe. Like the previous shellcode, this next stage decompresses a PE in memory, which delivers the final CGrabber Stealer payload.

CGrabber Stealer collects information on all active processes, storing it in the in-memory file “ProcessList.txt,” and also collects system and user information into the in-memory file “UserInformation.txt.” Active processes are compared to a list of antivirus and security product identifiers, with matches also added to UserInformation.txt.

The same three anti-analysis checks are performed for a third time, along with a check for whether the machine is running in a Commonwealth of Independent States (CIS) locale and a check for a mutex indicating the stealer is already running. If any of these checks fail, the stealer terminates quietly.

If all checks pass, the stealer establishes a connection with a remote command-and-control (C2) server and proceeds to harvest data from a wide range of browsers, applications, files and cryptocurrency wallets. This includes both Chromium- and Gecko-based browsers, more than two dozen cryptocurrency desktop applications, about 200 browser extensions including crypto wallets and password vaults, eight VPN applications, five file sharing applications, four mail clients, seven password manager applications, seven game launchers, more than 40 sensitive or cryptocurrency-related file types and eight social and messaging applications including Telegram and Discord.
The collected data is encrypted using ChaCha20 with a randomly generated 12-byte nonce and a key based on the SHA-256 hash of the C2 URL. The data is aggregated in a ZIP archive and sent via a POST request to the C2 endpoint /api/upload/complete, or in 1 MB chunks to the /api/upload/chunk endpoint if the archive exceeds 1 MB.

Cyderes Howler Cell researchers believe the novel loader and stealer were created by the same developer, based on the similar encryption routines and anti-analysis measures used by both.

Organizations can defend against this malware by monitoring for syscall stubs in memory, suspicious DLL sideloading activity, outbound POST requests to the attacker’s C2 endpoints and in-memory patching of Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) APIs, another evasive measure leveraged in this campaign.

“The Direct-Sys Loader and CGrabber Stealer represent a cohesive, multi-stage, stealth-focused malware ecosystem engineered with advanced detection-evasion capabilities. The toolset demonstrates careful operational planning: signed binary sideloading, multi-level anti-sandboxing, direct syscalls, reflective loading, and API patching all serve to minimize telemetry and evade both behavioral and signature-based defenses,” the researchers concluded.
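The defensive advice above, monitoring for syscall stubs in memory, and the loader's use of direct syscalls for three Win32 APIs both come down to the same observation: on x64 Windows the `syscall` instruction legitimately appears only inside ntdll.dll (and win32u.dll), so a stub of the shape `mov r10, rcx; mov eax, <SSN>; syscall; ret` sitting in private or non-ntdll memory is worth an alert. The scanner below is an added example, not from Cyderes or the original article; it applies that check to an in-memory snapshot of regions. The region list is constructed here, and the byte patterns used by Direct-Sys Loader are not in the report, so the two stub shapes matched (a minimal stub and a copy of the Windows 10 style stub with its `test byte ptr [7FFE0308h], 1` check) are assumptions. A real tool would fill the region list from `VirtualQueryEx` and `ReadProcessMemory`, or from a memory image.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# x64 stub shapes (assumption: the loader uses one of these common forms):
#   4C 8B D1            mov r10, rcx
#   B8 xx xx xx xx      mov eax, <system service number>
#   0F 05 C3            syscall; ret                       ("minimal")
# or the Windows 10 form with F6 04 25 .. .. .. .. 01 75 03 before syscall.
STUB_RE = re.compile(
    rb"\x4c\x8b\xd1\xb8(?P<ssn>.{4})"
    rb"(?:\x0f\x05\xc3|\xf6\x04\x25.{4}\x01\x75\x03\x0f\x05\xc3)",
    re.DOTALL,
)

# Images that legitimately contain syscall instructions on x64 Windows.
SYSCALL_MODULES = {"ntdll.dll", "win32u.dll"}


@dataclass
class Region:
    base: int
    module: Optional[str]  # backing image name, or None for private memory
    data: bytes


@dataclass
class Finding:
    address: int
    ssn: int
    region_module: Optional[str]
    shape: str


def find_syscall_stubs(regions: List[Region]) -> List[Finding]:
    """Report syscall stubs in any region not backed by ntdll.dll or win32u.dll."""
    findings = []
    for r in regions:
        if r.module and r.module.lower() in SYSCALL_MODULES:
            continue  # the real stubs live here; skip
        for m in STUB_RE.finditer(r.data):
            shape = "win10-style" if b"\xf6\x04\x25" in m.group(0) else "minimal"
            findings.append(Finding(
                address=r.base + m.start(),
                ssn=int.from_bytes(m.group("ssn"), "little"),
                region_module=r.module,
                shape=shape,
            ))
    return findings


def stub_minimal(ssn: int) -> bytes:
    return b"\x4c\x8b\xd1\xb8" + ssn.to_bytes(4, "little") + b"\x0f\x05\xc3"


def stub_win10(ssn: int) -> bytes:
    return (b"\x4c\x8b\xd1\xb8" + ssn.to_bytes(4, "little")
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01\x75\x03\x0f\x05\xc3\xcd\x2e\xc3")


# Constructed snapshot: a genuine ntdll stub (ignored), a benign DLL page with
# no stubs, and a private RWX-style region carrying two hand-rolled stubs.
# The SSN values are placeholders, not a claim about any Windows build.
SAMPLE_REGIONS = [
    Region(0x7FFB00000000, "ntdll.dll", b"\x90" * 8 + stub_win10(0x18) + b"\x90" * 8),
    Region(0x7FFA00000000, "kernel32.dll", b"\x48\x83\xec\x28" * 8),
    Region(0x020010000000, None,
           b"\xcc" * 16 + stub_minimal(0x18) + b"\x00" * 5 + stub_minimal(0x3A) + b"\xcc" * 16),
]


if __name__ == "__main__":
    for f in find_syscall_stubs(SAMPLE_REGIONS):
        where = f.region_module or "private memory"
        print(f"{f.shape} syscall stub at {f.address:#x} (SSN {f.ssn:#x}) in {where}")
```

Two caveats for anyone turning this into a production check: an 11-byte pattern can occur by chance in large unbacked regions, so treat a hit as a lead to correlate with the sideloading and APC injection described above rather than as proof on its own; and loaders that jump into ntdll's own `syscall; ret` gadget ("indirect syscalls") leave only the `mov r10, rcx; mov eax, N` prologue outside ntdll, which this pattern would miss.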
