- GitHub repositories host malware disguised as tools that gamers and privacy seekers are likely to download
- The fake VPN campaign drops its malware into AppData and hides it from sight
- Process injection via msbuild.exe lets the malware operate without triggering obvious alarms
Security researchers have warned of a new emerging cyber threat involving fake VPN software hosted on GitHub.
A Cyfirma report describes how the malware is disguised as a “free VPN for PC” and lures users into downloading what is, in fact, a sophisticated dropper for Lumma Stealer.
The same malware has also appeared under the name “Minecraft skin changer”, targeting casual gamers and users looking for free tools.
A sophisticated malware chain hides behind familiar software lures
Once executed, the dropper runs a multi-stage attack chain involving obfuscation, dynamic DLL loading, memory injection and abuse of legitimate Windows tools such as msbuild.exe and aspnet_regiis.exe to maintain stealth and persistence.
The campaign's success depends on its use of GitHub for distribution. The repository github[.]com/Samioec hosted password-protected zip files along with detailed usage instructions, giving the malware an appearance of legitimacy.
Inside, the payload is obfuscated with French text and base64-encoded.
“What starts as a free VPN download ends with a memory-injected Lumma Stealer operating via trusted system processes,” Cyfirma reports.
During execution, Launch.exe performs a sophisticated extraction, decoding and modification routine, decoding a base64-encoded string to drop a DLL, MSVCP110.dll, into the user's AppData folder.
This DLL remains hidden. It is dynamically loaded at runtime and calls a function, GetGameData(), to invoke the final stage of the payload.
Reverse engineering the software is difficult due to anti-debugging tricks such as IsDebuggerPresent() checks and control-flow obfuscation.
The attack uses MITRE ATT&CK techniques such as DLL side-loading, sandbox evasion and in-memory execution.
How to stay safe
To stay protected from attacks like this, users should avoid unofficial software, especially anything promoted as a free VPN or game mod.
The risk increases when running unknown programs from repositories, even if they appear on reputable platforms.
Files downloaded from GitHub or similar platforms should never be trusted by default, especially if they come as password-protected zip archives or include obscure installation steps.
Users should never run executables from unverified sources, regardless of how useful the tool appears.
Enable additional protection by blocking executables from running out of folders like AppData, which attackers often use to hide their payloads.
In addition, DLL files found in Roaming or Temp folders should be flagged for closer investigation.
Watch for unusual file activity on your computer, and monitor msbuild.exe and other processes in Task Manager or system tools that behave out of the ordinary to catch infections early.
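As an added example (not from the article or the Cyfirma report), the following PowerShell hunt script turns the three checks above into something a defender can run on a Windows host: it lists msbuild.exe and aspnet_regiis.exe processes that have loaded a DLL from the user profile, and flags recently written DLLs under AppData\Roaming, AppData\Local and %TEMP%. The 7-day lookback window is an assumption; the process names and folders come from the article.

```powershell
# Added example: hunt for the indicators described in the article.
# (1) msbuild.exe / aspnet_regiis.exe with a DLL loaded from a user-writable profile folder
# (2) DLL files recently written under AppData\Roaming, AppData\Local or %TEMP%
$SuspectProcs = @('msbuild', 'aspnet_regiis')
$UserDirs     = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ -and (Test-Path $_) }
$LookbackDays = 7   # assumption: tune to your environment

function Find-LolbinLoadingProfileDll {
    # A build tool legitimately loads DLLs from Program Files or Windows, not from a user's AppData.
    foreach ($p in Get-Process -Name $SuspectProcs -ErrorAction SilentlyContinue) {
        try { $mods = $p.Modules } catch { continue }   # module list may be access-denied
        foreach ($m in $mods) {
            foreach ($d in $UserDirs) {
                if ($m.FileName -like "$d*") {
                    [pscustomobject]@{
                        Finding = 'LOLBin loaded DLL from user profile'
                        Process = $p.ProcessName
                        PID     = $p.Id
                        Module  = $m.FileName
                    }
                }
            }
        }
    }
}

function Find-RecentProfileDll {
    # Any .dll written recently under Roaming/Local/Temp deserves a look (the article: MSVCP110.dll in AppData).
    $since = (Get-Date).AddDays(-$LookbackDays)
    foreach ($d in $UserDirs) {
        Get-ChildItem -Path $d -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $since } |
            ForEach-Object {
                [pscustomobject]@{
                    Finding = 'Recent DLL in user profile'
                    Process = $null
                    PID     = $null
                    Module  = $_.FullName
                }
            }
    }
}

# %TEMP% usually sits inside %LOCALAPPDATA%, so de-duplicate on the module path.
$results = @(Find-LolbinLoadingProfileDll) + @(Find-RecentProfileDll) | Sort-Object -Property Module -Unique
if (-not $results) { 'No findings.' } else { $results | Format-Table -AutoSize }
```

Run it from an elevated prompt so the module lists of other users' processes are readable; a hit is a lead for investigation, not proof of infection, since legitimate installers also drop DLLs into AppData.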
Finally, use the best antivirus that offers behavior-based detection rather than relying solely on traditional signature scans, along with tools that provide DDoS protection and endpoint protection to cover a wider range of threats, including memory injection, process creation and API abuse.