- Jul 22, 2014
- 2,525
Developers sharing code on GitHub are being targeted in a malicious email campaign that's infecting their computers with a modular trojan known as Dimnie.
GitHub users first started noticing and complaining about these attacks at the end of January this year, but cyber-security firm Palo Alto, who's been investigating the incidents, says attacks started a few weeks prior.
GitHub users spear-phished by unknown group
Even if the malware payload (Dimnie) is somewhat rare, the attack itself is mundane and follows a classic modus operandi.
Unknown individuals start by sending selected GitHub users a recruitment email. Below are just two of the many messages used in this campaign.
....
....
Macro scripts drop new version of Dimnie trojan
The payload surprised Palo Alto experts because they discovered a new version of the Dimnie trojan, a malware downloader that has remained relatively the same since it first appeared three years ago, in 2014.
Analyzing this new version, researchers found a much more potent threat than older Dimnie versions. This new iteration came with the ability to disguise malicious traffic under fake domains and DNS requests, but also with a plethora of new modules, all of which it executed in the OS memory, without leaving a footprint on the user's disks.
This fileless behavior is what helped attackers keep a low profile. Additionally, the new modules were also very potent, granting attackers various abilities.
GitHub users first started noticing and complaining about these attacks at the end of January this year, but cyber-security firm Palo Alto, who's been investigating the incidents, says attacks started a few weeks prior.
GitHub users spear-phished by unknown group
Even if the malware payload (Dimnie) is somewhat rare, the attack itself is mundane and follows a classic modus operandi.
Unknown individuals start by sending selected GitHub users a recruitment email. Below are just two of the many messages used in this campaign.
....
....
Macro scripts drop new version of Dimnie trojan
The payload surprised Palo Alto experts because they discovered a new version of the Dimnie trojan, a malware downloader that has remained relatively the same since it first appeared three years ago, in 2014.
Analyzing this new version, researchers found a much more potent threat than older Dimnie versions. This new iteration came with the ability to disguise malicious traffic under fake domains and DNS requests, but also with a plethora of new modules, all of which it executed in the OS memory, without leaving a footprint on the user's disks.
This fileless behavior is what helped attackers keep a low profile. Additionally, the new modules were also very potent, granting attackers various abilities.
