Sophisticated Russian threat operation GitCaught has exploited GitHub and FileZilla to facilitate the deployment of several malicious payloads, including the Atomic macOS Stealer, or AMOS, as well as the Octo, Lumma, and Vidar information-stealing malware strains, Security Affairs reports.
Attacks involved the use of a GitHub profile to create a dozen domains spoofing 1Password, Pixelmator Pro, and other legitimate macOS apps, which would result in the distribution of AMOS, while a FileZilla server was utilized to distribute Python scripts and encrypted files with the Lumma and Vidar stealers, according to a report from Recorded Future's Insikt Group.
Further analysis of the campaign showed a website impersonating legitimate software that redirects to Dropbox and other file-sharing sites to enable the delivery of AMOS and the Rhadamanthys infostealer. Included in the spoofed websites was one for the already discontinued remote desktop video game streaming platform Rainway, with the fake website even topping the legitimate one in Google searches, said researchers.
