Phishing emails zeroing in on developers who own Github repositories were infecting victims with malware capable of stealing data through keyloggers and modules that would snag screenshots.
Researchers at Palo Alto Networks this week said that in mid-January, an unknown number of developers were targeted with emails purporting to be job offers. The attachments instead carried malicious .doc files containing an embedded macro. The macro executed a PowerShell command that would grab malware from a command and control site and execute it.
The binary dropped by the PowerShell script used in the attacks, senior threat researcher Brandon Levene said, is called Dimnie and has been in circulation since 2014, used primarily against Russian-speaking targets. This is the first time Dimnie has been used to target developers with Github repositories. Levene said it’s unknown how widespread the January campaign was or why developers were targeted, but given the vast number of projects hosted on the platform, it would likely be an attractive target for either criminals or nation-state attackers.
“We didn’t uncover specific evidence in our research that speaks to attribution. In the past, Dimnie had a penchant for targeting Russian-language speakers, but we believe that is most notable here because we believe that enabled it to be a relatively unknown threat outside of the Russian-speaking world,” Levene said.
Dimnie specializes in stealth, disguising its HTTP requests to the command and control infrastructure as GET requests to a defunct Google service, Google PageRank. Levene said a DNS lookup preceding the GET request returned an IP address that was the real destination of the follow-up HTTP request.
“Sending the request to an entirely different server is not complicated to achieve, but how many analysts would simply see a DNS request with no [apparent] related subsequent traffic? That is precisely what Dimnie is relying upon to evade detections,” Palo Alto said in its report.
The same tactic is used when exfiltrating data: the real request is camouflaged as a POST request to Google. Dimnie tries to look like legitimate traffic, but that is harder to achieve given the types of data moving off the victims’ machines.
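One defensive check that follows from the GET and POST disguise described above: correlate each outbound HTTP request's Host header with the DNS answers that preceded the connection, and flag requests whose Host header names a domain that never resolved to the destination IP. This is an added example in Python, not code from the Palo Alto report or this article; the log records are constructed, and `c2-placeholder.example` stands in for the real C2 hostname, which the article does not give.

```python
# Added example (not from the Palo Alto report or this article): flag HTTP
# requests whose Host header claims a domain that did not resolve to the
# destination IP shortly before the connection. Log records are constructed;
# "c2-placeholder.example" stands in for the real C2 hostname.

# DNS answers: (timestamp_seconds, queried_name, answer_ip)
DNS_LOG = [
    (100.0, "www.google.com", "172.217.0.46"),
    (105.0, "c2-placeholder.example", "203.0.113.10"),  # lookup of the real C2
]

# Outbound HTTP: (timestamp_seconds, dst_ip, host_header, method, path)
HTTP_LOG = [
    (101.0, "172.217.0.46", "www.google.com", "GET", "/search?q=x"),  # benign
    (106.0, "203.0.113.10", "www.google.com", "GET", "/tbr?client=x"),  # beacon disguised as a PageRank-style GET
    (107.0, "203.0.113.10", "www.google.com", "POST", "/"),  # exfiltration disguised as a POST to Google
    (108.0, "198.51.100.7", "www.google.com", "GET", "/"),  # hard-coded IP, no DNS lookup at all
]


def names_resolved_to(dns_log, ip, before_ts, window):
    """Names that resolved to `ip` within `window` seconds before `before_ts`."""
    return {name for ts, name, answer in dns_log
            if answer == ip and before_ts - window <= ts <= before_ts}


def find_host_mismatches(dns_log, http_log, window=60.0):
    """One alert per HTTP request whose Host header does not match a recent
    DNS answer for the destination IP. Empty `resolved_names` means the client
    connected to the IP without resolving any name for it."""
    alerts = []
    for ts, dst_ip, host, method, path in http_log:
        names = names_resolved_to(dns_log, dst_ip, ts, window)
        if host in names:
            continue  # Host header agrees with DNS: ordinary traffic
        alerts.append({
            "ts": ts, "dst_ip": dst_ip, "claimed_host": host,
            "resolved_names": sorted(names), "method": method, "path": path,
        })
    return alerts


if __name__ == "__main__":
    for a in find_host_mismatches(DNS_LOG, HTTP_LOG):
        print(f"{a['ts']:.0f}s {a['method']} to {a['dst_ip']} claims Host "
              f"{a['claimed_host']}; DNS for that IP: {a['resolved_names'] or 'none'}")
```

The window length is an assumption; tune it to how long the client caches DNS answers, since a cached answer older than the window would otherwise be reported as a mismatch.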
As is the case with more and more of these types of attacks, the payloads don’t leave artifacts behind on the hard drive and are instead injected into memory. Nine modules were discovered, including modules that extract system data, enumerate running processes, log keystrokes and capture screenshots, and a self-destruct module that deletes all files on the local drive.
Levene said the command and control infrastructure is still active and that Dimnie continues to be used against Russian-speaking targets.
“By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders’ assumptions about what normal traffic looks like,” Palo Alto said. “This blending in tactic, combined with a prior penchant for targeting systems used by Russian speakers, likely allowed Dimnie to remain relatively unknown.”