Severity
High
Analysis Summary
A multifaceted campaign that impersonates trusted software such as 1Password, Bartender 5, and Pixelmator Pro has been observed delivering a range of banking trojans and information stealers, including Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo, while abusing legitimate services such as GitHub and FileZilla.
The number of malware variants involved points to a broad, cross-platform targeting approach, and the overlap in C2 infrastructure points to a centralized command setup, which may make the attacks more effective. According to the cybersecurity company tracking the activity under the name GitCaught, the campaign not only shows how legitimate internet services are misused to stage cyberattacks, but also how several malware variants targeting Windows, macOS, and Android are relied on to raise the success rate.
Attack chains use GitHub repositories and fake accounts to host unauthorized copies of popular software that harvest sensitive data from infected devices. Links to these malicious files are then placed on various domains, which are typically promoted through SEO poisoning and malvertising.
The adversary behind the operation has also been seen using FileZilla servers for malware management and delivery. They are believed to be Russian-speaking threat actors from the Commonwealth of Independent States (CIS). Further examination of the disk image files on GitHub and the related infrastructure has established that the attacks are part of a wider campaign that has been delivering DarkComet RAT, RedLine, Raccoon, Vidar, Rhadamanthys, DanaBot, and Lumma since at least August 2023.
Another noteworthy aspect of the Rhadamanthys infection pathway is that victims who visit the fraudulent application websites are led to payloads hosted on Bitbucket and Dropbox, which suggests a wider abuse of genuine services. The revelation coincides with a statement from the Microsoft Threat Intelligence team that the macOS backdoor known as Activator, codenamed Exodus, remains a very real threat. It is spread using disk image files that mimic cracked versions of genuine software and collects information from the Exodus and Bitcoin-Qt wallet apps.
It disables the Notification Center, switches off macOS Gatekeeper, and asks the user to grant it elevated privileges. It then adds malicious scripts to the LaunchAgents folder for persistence and downloads and runs several stages of malicious Python scripts from various command-and-control (C2) domains.
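The persistence pattern described above (a LaunchAgent that launches an interpreter, pulls stages from a remote URL, or runs out of a cache path, on a host where Gatekeeper has been switched off) can be triaged from the plist files themselves. The following script is an added example, not code from the advisory or from any vendor; the heuristic names, thresholds and the two sample plists are constructed for illustration.

```python
import plistlib
import re
from typing import Dict, List

# Heuristics based on the persistence pattern described above: a LaunchAgent
# that launches an interpreter or downloader, references a remote URL, or runs
# a script out of a temp/cache path. Names and thresholds here are assumptions.
INTERPRETERS = {"python", "python3", "sh", "bash", "zsh", "osascript", "curl"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
TEMP_RE = re.compile(r"^(/tmp|/private/tmp|/var/tmp|/Users/[^/]+/Library/Caches)/")


def triage_launch_agent(plist_bytes: bytes) -> Dict[str, object]:
    """Parse one LaunchAgent plist and score it; two or more hits is suspicious."""
    plist = plistlib.loads(plist_bytes)
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if "Program" in plist:            # some agents use Program instead of argv
        args.insert(0, str(plist["Program"]))
    findings: List[str] = []
    exe = args[0].rsplit("/", 1)[-1] if args else ""
    if exe in INTERPRETERS:
        findings.append(f"interpreter:{exe}")
    urls = URL_RE.findall(" ".join(args))
    if urls:
        findings.append(f"remote_url:{urls[0]}")
    if any(TEMP_RE.match(a) for a in args):
        findings.append("runs_from_temp_or_cache")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("runatload_keepalive")
    return {"label": plist.get("Label", "<none>"),
            "suspicious": len(findings) >= 2, "findings": findings}


def gatekeeper_disabled(spctl_status_output: str) -> bool:
    """True if the output of `spctl --status` reports assessments disabled."""
    return "assessments disabled" in spctl_status_output.lower()


# Constructed samples (not real artifacts): one benign agent, one matching the pattern.
BENIGN = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
                         "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]})
SUSPECT = plistlib.dumps({"Label": "com.apple.system.helper", "RunAtLoad": True, "KeepAlive": True,
                          "ProgramArguments": ["/usr/bin/python3",
                                               "/Users/jdoe/Library/Caches/.stage.py",
                                               "http://c2-placeholder.invalid/stage2"]})

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(triage_launch_agent(sample))
    print("gatekeeper disabled:", gatekeeper_disabled("assessments disabled"))
```

On a live host, feed the bytes of each file under ~/Library/LaunchAgents and /Library/LaunchAgents to triage_launch_agent and the output of `spctl --status` to gatekeeper_disabled.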
Impact
- Identity Theft
- Sensitive Information Theft
- Financial Loss
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software in a timely manner and make this a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.