GitHub is well-known code-haring site that is mostly used by open source developers. Phishing email campaign targeting those developers was discovered recently. Cyber criminals attempted to infect computers with an advanced trojan.
This trojan goes by the name “Dimnie” and is very dangerous and advanced. It literally can do it all – collect credentials, take screenshots, operate as keylogger on bot 32 and 64 bit architectures, download files of high sensitivity, download other infections and even self-destruct.
What’s shocking that the virus was able to operate for over past three years and no one could detect it – mostly because of its’ control methods.
Scam emails targeted to GitHub users were discovered in mid January when several programmers noticed it. However, cyber security experts claim that initially this attack started a few weeks earlier before anyone could notice it.
How it works
Cyber criminals behind this phishing campaign pretend to be employers seeking for employees and send job offers to active GitHub users. Description of the job is not on the email, but users are promised to find it in the attached .doc file. That’s the main goal of scammers – to make users open that file, which happens to be malicious.
Once the victims opens attached .doc file, embedded macro code executes PowerShell command and downloads Dimnie trojan which installs automatically. Dimnie trojan is malware that can be controlled remotely so attackers can install additional malware or perform other dangerous actions.
Secret attributes of the virus allowed it to remain undetected for 3 years
It’s extremely difficult to detect Dimnie trojan because it uses HTTP Proxy requests to fake domains and DNS requests. This way it seems like they are sent to domains owned by Google, but actually it has nothing in common with Google or any other legitimate service.
Comment regarding the topic of cyber security expert from Palo Alto:
The global reach of the January 2017 campaign which we analyzed in this post is a marked departure from previous Dimnie targeting tactics. Multiple factors have contributed to Dimnie’s relatively long-lived existence. By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders’ assumptions about what normal traffic looks like. This blending in tactic, combined with a prior penchant for targeting systems used by Russian speakers, likely allowed Dimnie to remain relatively unknown.
The ability to gain access is a major threat and can cause very severe damage. Users of GitHub are prompted to be extremely careful about possible infections regarding the use of this service.
Source: http://thehackernews.com/
