GitHub Abused to Spread Malware Disguised as Free VPN

This report analyzes a malware campaign hosted on GitHub that disguises the Lumma Stealer payload as legitimate tools like “Free VPN for PC” and “Minecraft Skin Changer.” The malware uses advanced obfuscation, process injection, and DLL side-loading techniques to evade detection while communicating with multiple C2 domains. #LummaStealer #GitHubMalware #LaunchExe

Keypoints

  • Threat actors hosted malware on GitHub disguised as free software tools targeting users seeking VPNs or game mods.
  • The primary dropper, Launch.exe, hides its payload as a Base64 string obfuscated with meaningless French text padding.
  • The dropped DLL, msvcp110.dll, employs anti-debugging techniques and injects Lumma Stealer into legitimate Windows processes such as MSBuild.exe.
  • Malware communicates with multiple C2 domains including explorationmsn.store and several .sbs domains linked to Lumma Stealer infrastructure.
  • The campaign leverages process injection, DLL side-loading, and stealth execution to evade detection and maintain persistence.
  • Technical analysis included static and dynamic examination, revealing use of APIs such as LoadLibrary and VirtualAlloc to load and execute the payload.
  • Recommendations include blocking known C2 domains, monitoring for suspicious DLL activity, enforcing execution restrictions, and applying YARA rules for detection.
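Two of the behaviours above (msvcp110.dll, or a one-letter variant of it, loaded from a user-writable directory, and MSBuild.exe started by a parent that is not a build tool) can be turned directly into triage logic. The following is an added example, not tooling from the report: it runs over constructed, simplified Sysmon-style records (EventID 1 = process create, EventID 7 = image load), and the user-writable path pattern and the allow-list of expected MSBuild.exe parents are assumptions to tune per environment.

```python
"""Triage logic for two behaviours described above: a DLL named (or one
letter off from) msvcp110.dll loaded from a user-writable directory, and
MSBuild.exe started by an unexpected parent.  Added example, not tooling
from the report; the event records are constructed and use a simplified
Sysmon-like layout (EventID 1 = process create, EventID 7 = image load)."""
import ntpath
import re

TARGET_DLL = "msvcp110.dll"

# Locations a non-elevated user can write to (assumption: where a dropper
# fetched from GitHub would unpack itself).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\",
    re.IGNORECASE,
)

# Parents from which MSBuild.exe is expected to run (assumption; tune per estate).
MSBUILD_EXPECTED_PARENTS = {
    "devenv.exe", "dotnet.exe", "msbuild.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
}


def in_user_writable_path(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def looks_like_target_dll(name: str) -> bool:
    """Exact name or a single-character substitution of it (e.g. msvcp11o.dll),
    covering the 'replace one letter of the filename' trick noted above."""
    a, b = name.lower(), TARGET_DLL
    if len(a) != len(b):
        return False
    return sum(x != y for x, y in zip(a, b)) <= 1


def analyze(events):
    """Return one alert string per suspicious event."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 7:
            loaded = ev["ImageLoaded"]
            if looks_like_target_dll(ntpath.basename(loaded)) and in_user_writable_path(loaded):
                alerts.append(f"DLL side-load candidate: {ev['Image']} loaded {loaded}")
        elif ev["EventID"] == 1:
            child = ntpath.basename(ev["Image"]).lower()
            parent_path = ev["ParentImage"]
            parent = ntpath.basename(parent_path).lower()
            if child == "msbuild.exe" and (
                parent not in MSBUILD_EXPECTED_PARENTS or in_user_writable_path(parent_path)
            ):
                alerts.append(f"MSBuild.exe spawned by unexpected parent: {parent_path}")
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\Launch.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\msvcp110.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\SomeApp\app.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcp110.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\Launch.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\msvcp11o.dll"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Launch.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events this raises three alerts: the two loads from AppData (exact and one-letter-off name) and the MSBuild.exe launch from Launch.exe; the legitimate System32 load and the devenv.exe parent are ignored. The single-substitution match alone also accepts legitimate siblings such as msvcp120.dll or msvcr110.dll, so the user-writable path condition is what keeps the rule usable in practice.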

MITRE Techniques

  • [T1189] Drive-by Compromise – Malware is distributed via a GitHub repository disguised as legitimate software.
  • [T1059] Command and Scripting Interpreter – The dropper uses P/Invoke and Windows API calls to execute malicious code.
  • [T1574.002] DLL Side-Loading – The dropped DLL msvcp110.dll is loaded dynamically, with one letter of the filename altered to evade name-based detection.
  • [T1036] Masquerading – The malware disguises itself as free VPN and Minecraft skin tools to deceive users.
  • [T1497] Virtualization/Sandbox Evasion – Uses IsDebuggerPresent() and convoluted control flow to hinder analysis.
  • [T1140] De-obfuscate/Decode Files or Information – Base64 encoded payload is decoded and transformed in multiple stages.
  • [T1027] Obfuscated Files or Information – The payload is obfuscated with meaningless French text and complex transformations.
  • [T1124] System Time Discovery – The malware performs system time checks during execution.
  • [T1010] Application Window Discovery – Used to detect the presence of analysis environments.
  • [T1018] Remote System Discovery – Attempts to identify remote systems potentially for lateral movement.
  • [T1083] File and Directory Discovery – Accesses AppData directories to drop payloads.
  • [T1082] System Information Discovery – Gathers system-related information to aid execution.
  • [T1560] Archive Collected Data – Implied by the data exfiltration capabilities of Lumma Stealer.
  • [T1573] Encrypted Channel – Communication with C2 domains over encrypted connections.
  • [T1105] Ingress Tool Transfer – Transfers payloads into compromised systems.
  • [T1095] Non-Application Layer Protocol – Uses obscure network protocols for C2 communication.
  • [T1071] Application Layer Protocol – Employs standard protocols for command and control traffic.

Indicators of Compromise

  • [File Hash] Executable Launch.exe – SHA256: acbaa6041286f9e3c815cd1712771a490530f52c90ce64da20f28cfa0955a5ca
  • [File Hash] DLL msvcp110.dll – SHA256: 15b644b42edce646e8ba69a677edcb09ec752e6e7920fd982979c714aece3925
  • [Domain] Command & Control – explorationmsn.store, snailyeductyi.sbs, ferrycheatyk.sbs, deepymouthi.sbs, and other .sbs domains
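The indicators above are the ones most teams will actually sweep for. The following is an added example, not CYFIRMA's tooling: it matches files against the two published SHA256 hashes and flags DNS or proxy log lines that touch the listed C2 domains (including their subdomains). Treating any other .sbs domain as a review signal rather than a block is an assumption based on the report's note that further .sbs domains belong to this infrastructure; the log lines are constructed for illustration.

```python
"""IOC sweep for the indicators listed above: flag files whose SHA256 matches
the published hashes and flag DNS/proxy log lines that resolve the C2
domains.  Added example, not CYFIRMA's tooling; the log lines are
constructed for illustration."""
import hashlib
import os
import re
import sys

# File hashes from the report (SHA256 -> filename).
IOC_SHA256 = {
    "acbaa6041286f9e3c815cd1712771a490530f52c90ce64da20f28cfa0955a5ca": "Launch.exe",
    "15b644b42edce646e8ba69a677edcb09ec752e6e7920fd982979c714aece3925": "msvcp110.dll",
}
# C2 domains from the report; subdomains of these are matched as well.
IOC_DOMAINS = {"explorationmsn.store", "snailyeductyi.sbs", "ferrycheatyk.sbs", "deepymouthi.sbs"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs=IOC_SHA256):
    """Walk a directory tree and return (path, sha256, ioc_name) for matches."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip, do not abort the sweep
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


# Hostname-shaped tokens; trailing label must be alphabetic, so IPv4 addresses do not match.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def classify_domain(domain: str, iocs=IOC_DOMAINS):
    d = domain.lower().rstrip(".")
    if any(d == ioc or d.endswith("." + ioc) for ioc in iocs):
        return "known-c2"
    # The report notes further .sbs domains in this infrastructure; treat the
    # TLD as a review signal, not a block (assumption: tune to your baseline).
    if d.endswith(".sbs"):
        return "review-sbs"
    return None


def scan_log(lines):
    """Return (verdict, domain, line) for every flagged domain in the lines."""
    findings = []
    for line in lines:
        for m in DOMAIN_RE.finditer(line):
            verdict = classify_domain(m.group(1))
            if verdict:
                findings.append((verdict, m.group(1), line.strip()))
    return findings


# Constructed DNS log lines (not real data).
SAMPLE_DNS_LOG = [
    "t=1 client=10.0.0.12 query=explorationmsn.store type=A",
    "t=2 client=10.0.0.12 query=cdn.ferrycheatyk.sbs type=A",
    "t=3 client=10.0.0.12 query=update.microsoft.com type=A",
    "t=4 client=10.0.0.12 query=unrelatedhost.sbs type=A",
]

if __name__ == "__main__":
    for verdict, domain, line in scan_log(SAMPLE_DNS_LOG):
        print(f"{verdict:10s} {domain:28s} {line}")
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, name in sweep(root):
        print(f"HASH MATCH {name}: {path} {digest}")
```

Hash matching only catches these exact builds; a recompiled dropper will not match, so pair the sweep with the behavioural checks (suspicious DLL loads, MSBuild.exe parentage) the recommendations call for. On the constructed log the scan yields two known-c2 hits and one review-sbs entry, and leaves update.microsoft.com alone.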


Read more: https://www.cyfirma.com/research/github-abused-to-spread-malware-disguised-as-free-vpn/