The Dimnie malware avoids detection by concealing its communications as it looks to steal data and passwords used by developers on GitHub
Researchers have discovered malware targeting developers using the GitHub repository in a targeted campaign that seeks to steal information and passwords.
The campaign, to which computer security researchers Palo Alto Networks were first alerted in January, puts individual developers at risk, and could also indicate that attackers are looking to manipulate software projects.
Flying under the radar
While the attackers user typical email phishing tactics to infect targets, the malware is unusual in that it appears to have been around since at least early 2014, but has avoided coming to the attention of researchers until now, Palo Alto said.
That’s in part because it previously targeted only Russian-speaking individuals, and is also due to its use of tactics that disguise its communications to avoid detection.
“During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign,” Palo Alto said in an advisory.
The malware, called Dimnie, is capable of downloading a variety of modules enabling different types of reconnaissance data theft, including keylogging and screenshots.
Dimnie camouflages the module downloads and injects them into the memory core Windows processes, making analysis difficult.
The traffic used to send data to attackers is also camouflaged, although less expertly than that of the module downloads, according to the researchers.
Furthermore, the malware is capable of self-destructing, meaning those affected might never discover it had ever been present on their systems.
Palo Alto warned developers to avoid opening suspicious email attachments.
Security expert Graham Cluley said the malware campaign appears to be aimed at stealing information from businesses.
“It seems likely that the masterminds of this attack are doing so to gather information and perhaps steal credentials that could help them access other businesses for whom the developers may be working,” he wrote in a blog post.
He said it is also possible the attackers may be looking to secretly introduce weaknesses into coding projects.
“These targeted attacks are a healthy reminder to all computer users – however technical – that they should always think twice about clicking on unsolicited attachments.”
Do you know all about security in 2017? Try our quiz!