- GitHub repositories host malware disguised as tools that gamers and privacy-conscious users are likely to download
- The fake VPN campaign drops its malware directly into AppData and hides it from plain view
- Process injection through MSBuild.exe lets the malware run without triggering obvious alarms
Security researchers have warned of a newly emerging cyber threat involving fake VPN software hosted on GitHub.
A Cyfirma report describes how the malware poses as a "Free VPN for PC" and lures users into downloading what is in fact a sophisticated dropper for Lumma Stealer.
The same malware has also appeared under the name "Minecraft Skin Changer", targeting casual gamers and users looking for free tools.
A sophisticated malware chain hides behind familiar software bait
Once executed, the dropper runs a multi-stage attack chain involving obfuscation, dynamic DLL loading, memory injection and abuse of legitimate Windows tools such as MSBuild.exe and aspnet_regiis.exe to maintain stealth and persistence.
The campaign's success depends on its use of GitHub for distribution. The repository github[.]com/samaioec hosted password-protected zip files with detailed passwords and usage instructions, lending the malware an appearance of legitimacy.
Inside, the payload is obfuscated with French-language text and Base64 encoding.
"What begins as a free VPN download ends with Lumma Stealer injected into memory and operating through trusted system processes," Cyfirma reports.
On execution, Elunch.exe performs an elaborate extraction routine, decoding and manipulating a Base64-encoded string to drop a DLL file, MSVCP110.dll, into the user's AppData folder.
This DLL stays hidden. It is loaded dynamically at runtime and exposes a function, GetGameData(), that is called to trigger the final stage of the payload.
Reverse engineering the software is difficult because of anti-analysis techniques such as IsDebuggerPresent() checks and control-flow manipulation.
The attack maps to MITRE ATT&CK techniques such as DLL side-loading, sandbox evasion and in-memory execution.
How to stay safe
To stay protected from attacks like this, users should avoid unofficial software, especially anything promoted as a free VPN or a free game mod.
The risk grows when running programs from unknown repositories, even when they appear on reputable platforms.
Files downloaded from GitHub or similar platforms should never be trusted by default, particularly when they arrive as password-protected zip files or come with obscure installation steps.
Users should never run executables from untrusted sources, however useful the tool may seem.
Add a further layer of protection by disabling execution from folders such as AppData, which attackers often use to hide their payloads.
In addition, DLL files found in Roaming or Temp folders should be flagged for further investigation.
Watch for unusual file activity on your computer, and monitor MSBuild.exe and other processes in Task Manager or system tools for behaviour out of the ordinary so that infections are caught early.
At a technical level, use a good antivirus that offers behaviour-based detection rather than relying solely on traditional scans, together with tools that provide DDoS protection and endpoint protection, to cover a wider range of threats, including memory injection, stealthy process creation and API abuse.
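The monitoring advice above (DLLs appearing in AppData or Temp, MSBuild.exe or aspnet_regiis.exe started by an unexpected parent) can be expressed as simple triage rules. The following is an added example, not code from the article or from Cyfirma; it runs over constructed, simplified Sysmon-style events, and the list of expected parent processes is an assumption to be tuned per environment.

```python
"""Triage rules for the behaviours described in the article: DLL drops into
user-writable folders, DLL loads from those folders, and build-tool LOLBins
launched by an unexpected parent. Events are a constructed, simplified
Sysmon-like shape (id 1 = process create, 7 = image load, 11 = file create)."""
import re

# Constructed sample telemetry (file names are invented for the example).
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Users\bob\Downloads\FreeVPN_Setup.exe",
     "target": r"C:\Users\bob\AppData\Roaming\MSVCP110.dll"},
    {"id": 7, "image": r"C:\Users\bob\Downloads\FreeVPN_Setup.exe",
     "loaded": r"C:\Users\bob\AppData\Roaming\MSVCP110.dll"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Users\bob\Downloads\FreeVPN_Setup.exe"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"id": 11, "image": r"C:\Program Files\Setup\install.exe",
     "target": r"C:\Program Files\Setup\helper.dll"},
]

# User-writable locations the article singles out (AppData\Roaming and Temp).
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
# Windows build tooling the campaign abuses for process injection.
LOLBINS = {"msbuild.exe", "aspnet_regiis.exe"}
# Assumption: on a developer box these tools are normally launched from Visual Studio.
EXPECTED_PARENTS = re.compile(r"\\Microsoft Visual Studio\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule_name, path) tuples for every event that trips a rule."""
    alerts = []
    for ev in events:
        if ev["id"] == 11 and ev["target"].lower().endswith(".dll") \
                and USER_WRITABLE.search(ev["target"]):
            alerts.append(("dll_drop_user_dir", ev["target"]))
        elif ev["id"] == 7 and USER_WRITABLE.search(ev["loaded"]):
            alerts.append(("dll_load_user_dir", ev["loaded"]))
        elif ev["id"] == 1 and basename(ev["image"]) in LOLBINS:
            parent = ev["parent"]
            # Flag a LOLBin whose parent is itself in a user-writable folder,
            # or is not one of the parents we expect to drive build tools.
            if USER_WRITABLE.search(parent) or not EXPECTED_PARENTS.search(parent):
                alerts.append(("lolbin_unexpected_parent", parent))
    return alerts


if __name__ == "__main__":
    for rule, path in triage(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

The sample run flags the DLL drop, the DLL load and the MSBuild.exe launch from the downloaded installer, while the MSBuild.exe launch from Visual Studio and the DLL written under Program Files pass.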