Ankura CTIX FLASH Update - July 26, 2024

Malware Activity

Stargazer Goblin uses GitHub for Malware Distribution-as-a-Service 

Researchers at Check Point have identified a threat actor, tracked as Stargazer Goblin, that has been creating and leveraging GitHub accounts to distribute malware since at least July 2023. Stargazer Goblin's Distribution-as-a-Service (DaaS) network, called the "Stargazers Ghost Network", uses GitHub repositories to deliver malware to unsuspecting victims. Check Point estimates that more than 3,000 active "Ghost" accounts make up the network, and an advertisement for the service was identified on a dark web forum, first published July 8, 2023. The majority of malware distributed through the network are infostealers, including RedLine, Lumma Stealer, and Atlantida Stealer. The malicious repositories either offer a password-protected archive (the password prevents antivirus scanners from inspecting the archive contents) or contain a link to a compromised WordPress site that hosts the payload. To survive takedowns of individual repositories, the network separates roles across Ghost accounts: one account hosts the repository containing the malware, one promotes it (by forking, starring, and watching it), and one hosts a repository that links to the malware repository. Because the stars, forks, and watchers are generated by the network's own accounts, they are not a signal that a repository is legitimate. The repositories use project names and tags tied to popular interests such as social media, gaming, and cryptocurrency. While GitHub has acted against many of these fake repositories, Check Point finds that over 200 remain active. BleepingComputer recommends that users who arrive at a GitHub repository via a secondary source (such as YouTube, Telegram, or social media) be very cautious about which files they download or links they click. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

Threat Actor Activity

Chinese Cyber Syndicate Linked to Money Laundering, Human Trafficking, & European Football Sponsorship

Researchers have uncovered a sophisticated cybercrime syndicate named Vigorish Viper. The group, allegedly linked to a Chinese organized crime network, is deeply embedded in the global illegal gambling economy, which is estimated to be worth approximately $1.7 trillion annually. Vigorish Viper's operations extend beyond gambling to money laundering and human trafficking, particularly in Southeast Asia. The syndicate runs a comprehensive technology suite that includes software, DNS configurations, website hosting, payment systems, and mobile applications; this infrastructure supports mobile betting applications and other illicit activities. It uses DNS intelligence and traffic distribution systems (TDSs) to evade detection, making its operations resilient and difficult to trace. The technology underpinning Vigorish Viper was initially developed by Yabo Group, a company previously linked to significant controversies and to sponsorship deals with major European football clubs, including Manchester United, Paris Saint-Germain, Bayern Munich, and AS Monaco. A report by Infoblox documents Vigorish Viper's connections to organized crime and shows how the syndicate uses unwitting European football clubs to advertise illegal gambling sites targeting Greater China. The Asian Racing Federation Council has linked Yabo Group to human trafficking, with trafficked individuals forced to support the company's betting operations and to carry out cyber fraud, including pig butchering scams, long-running confidence scams in which victims are groomed into transferring money to fraudulent investment platforms. Using DNS analytics, researchers identified over 170,000 active domain names associated with Vigorish Viper, revealing a vast and complex network designed to evade law enforcement. The investigation showed the syndicate's use of DNS CNAME records and JavaScript to distribute traffic across its infrastructure and maintain anonymity.
The many gambling brands involved appear distinct but operate as part of a franchise-like structure, which underscores the need for a holistic approach to combating such threats. The discovery of Vigorish Viper is a significant step in understanding the nexus between physical crimes such as human trafficking and online cybercrime. The syndicate's involvement in European football sponsorship scandals, where it leveraged popular sports teams to advertise illegal gambling sites in Asia, highlights the global reach of its operations. Although gambling is largely illegal in Greater China, the region sees nearly $850 billion in annual bets, illustrating the immense scale of the market Vigorish Viper serves.

Vulnerabilities

Docker Patches 5-Year-Old Critical Vulnerability After Resurfacing in Later Versions

Docker has issued security updates to address a critical vulnerability in certain versions of Docker Engine that allows attackers to bypass authorization (AuthZ) plugins and potentially escalate privileges. The flaw, tracked as CVE-2024-41110 with a CVSS score of 10.0, was originally discovered and fixed in Docker Engine v18.09.1 in January 2019, but the fix was not carried forward into later major versions; the regression was identified in April 2024. The five (5) year old vulnerability is triggered by an API request sent with a Content-Length of zero (0): the Docker daemon forwards the request to the AuthZ plugin without its body, so a plugin whose policy depends on inspecting the body can approve an action it should have denied. The issue affects Docker Engine versions up to and including v27.1.0 and matters most to deployments that rely on AuthZ plugins for access control; it is fixed in v27.1.1 and in patched releases of the earlier supported branches. Docker Desktop versions up to 4.32.0 are also affected, but the risk is limited, as exploitation requires access to the Docker API (which generally means local access to the host) and Docker Desktop does not ship AuthZ plugins by default. A fix is expected in Docker Desktop v4.33. This issue, along with other vulnerabilities addressed by Docker, underscores the importance of keeping container environments secure and up to date. CTIX analysts recommend users follow Docker's guidance and upgrade to the patched versions; where an immediate upgrade is not possible, avoid relying on AuthZ plugins for security decisions and restrict Docker API access to trusted parties, following the principle of least privilege.
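To make the failure mode concrete, the following is an added Python illustration written for this update; it is not Docker's code nor any plugin vendor's. It models the request a Docker AuthZ plugin receives (the documented fields User, RequestMethod, RequestURI, RequestHeaders and a base64 RequestBody) and contrasts a plugin that only denies what it can see in the body with one that fails closed when a body-bearing endpoint arrives with no body. The endpoint patterns, the privileged-request test, the user name and the sample requests are constructed assumptions for the example. The actual fix for CVE-2024-41110 is in the daemon; the fail-closed plugin check shown here is defense in depth, not a substitute for upgrading.

```python
"""Added illustration of the CVE-2024-41110 AuthZ bypass, not Docker's code.

A Docker AuthZ plugin receives one JSON object per API call and answers
{"Allow": bool, "Msg": str}. The daemon only forwards the request body it
actually read, so a request sent with Content-Length: 0 reaches the plugin
with RequestBody empty. A plugin that only denies what it can *see* in the
body therefore approves the call; a plugin that fails closed does not.
"""
import base64
import json
import re

# Strip the "/v1.xx" API version prefix the daemon puts in RequestURI.
_VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")

# Constructed assumption: endpoints whose security-relevant content lives
# entirely in the JSON body. A real plugin would enumerate its own policy.
_BODY_BEARING = [re.compile(p) for p in (r"^/containers/create$",
                                         r"^/containers/[^/]+/exec$")]


def normalize_uri(uri):
    """Return the API path without version prefix or query string."""
    path = uri.split("?", 1)[0]
    return _VERSION_PREFIX.sub("", path)


def decode_body(req):
    """Return the forwarded JSON body, or None when the daemon forwarded none."""
    raw = req.get("RequestBody") or ""
    if not raw:
        return None
    return json.loads(base64.b64decode(raw))


def is_privileged_request(body):
    """Constructed policy: privileged containers or a docker.sock bind mount."""
    host_config = body.get("HostConfig") or {}
    binds = " ".join(host_config.get("Binds") or [])
    return bool(host_config.get("Privileged")) or "/var/run/docker.sock" in binds


def _needs_body(req):
    path = normalize_uri(req["RequestURI"])
    return req["RequestMethod"] == "POST" and any(p.match(path) for p in _BODY_BEARING)


def vulnerable_authz(req):
    """Deny-by-inspection: blocks privileged creates it can see, allows the rest.

    With no body forwarded it inspects an empty object and allows the call,
    which is exactly the Content-Length: 0 bypass described above.
    """
    if _needs_body(req):
        body = decode_body(req) or {}
        if is_privileged_request(body):
            return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True, "Msg": ""}


def hardened_authz(req):
    """Fail closed: a body-bearing endpoint with no forwarded body is denied."""
    if _needs_body(req):
        body = decode_body(req)
        if body is None:
            return {"Allow": False, "Msg": "request body not forwarded; refusing to authorize blind"}
        if is_privileged_request(body):
            return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True, "Msg": ""}


def build_request(body, content_length=None):
    """Constructed plugin request as the daemon would pass it on.

    The daemon forwards the body only when it read one, so a request sent
    with Content-Length: 0 arrives here with RequestBody == "".
    """
    raw = json.dumps(body).encode()
    declared = len(raw) if content_length is None else content_length
    return {
        "User": "alice",  # constructed
        "UserAuthNMethod": "TLS",
        "RequestMethod": "POST",
        "RequestURI": "/v1.45/containers/create?name=escape",
        "RequestHeaders": {"Content-Type": "application/json",
                           "Content-Length": str(declared)},
        "RequestBody": base64.b64encode(raw).decode() if declared > 0 else "",
    }


PRIVILEGED_CREATE = {"Image": "alpine", "HostConfig": {"Privileged": True}}


def demo():
    """Run both plugins against an honest request and a Content-Length: 0 one."""
    honest = build_request(PRIVILEGED_CREATE)
    zero_cl = build_request(PRIVILEGED_CREATE, content_length=0)
    return {
        "vulnerable_honest": vulnerable_authz(honest)["Allow"],
        "vulnerable_zero_cl": vulnerable_authz(zero_cl)["Allow"],
        "hardened_honest": hardened_authz(honest)["Allow"],
        "hardened_zero_cl": hardened_authz(zero_cl)["Allow"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block shows the vulnerable plugin denying the honest privileged create but allowing the same create once it is sent with Content-Length: 0, while the fail-closed plugin denies both. The same "no body means no decision" rule applies to any policy engine placed in front of an API: if the enforcement point cannot see what it is authorizing, the safe answer is to refuse.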

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

report, cybersecurity & data privacy, data & technology, cyber response, data privacy & cyber risk
