Water Curse: A Multi-Stage Malware Campaign Uncovered
Cybersecurity experts have recently unveiled a previously unrecognized threat actor, known as Water Curse, that exploits GitHub repositories to deliver sophisticated multi-stage malware.
Exploiting GitHub for Malware Distribution
The cybersecurity firm Trend Micro has conducted a thorough analysis, revealing that this emerging threat employs seemingly harmless penetration testing tools—such as SMTP email bombers and Sakura-RAT—available in malicious GitHub repositories. These repositories contain Visual Studio project configuration files, which are laced with harmful payloads designed to extract sensitive information from victims.
According to researchers Jovit Samaniego, Aira Marcelo, Mohamed Fahmy, and Gabriel Nicoleta, the malware facilitates the exfiltration of vital data, including user credentials, browser histories, and session tokens, while also enabling remote access and prolonged persistence within compromised systems.
Diverse Tools and Techniques
Water Curse’s approach showcases a broad and advanced arsenal, utilizing various programming languages and tools that reflect a sophisticated cross-functional development capability. This enables the group to target the software supply chain through what the researchers term "developer-oriented information stealers." These tools blur the distinctions between ethical hacking tools used by red teams and actual malware distributions.
Once activated, the malicious payloads trigger intricate infection chains marked by the use of obfuscated scripts, primarily written in Visual Basic Script (VBS) and PowerShell. These scripts download encrypted archives, extract Electron-based applications, and conduct extensive reconnaissance of infected systems.
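As an added defender-side illustration (not code from Trend Micro or the article), the script below scans a Visual Studio project file for build events that launch the PowerShell or VBS interpreters named above. It assumes the payload rides in an MSBuild pre-/post-build event or Exec task, which the article does not specify; the sample project and its encoded-command placeholder are constructed.

```python
"""Flag suspicious build commands in Visual Studio / MSBuild project files.
Added example; the build-event delivery path is an assumption, not a finding
from the article, and SAMPLE_CSPROJ below is constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# Interpreters the article ties to the infection chain (PowerShell, VBS via
# wscript/cscript) plus common launchers, matched inside a build command.
INTERPRETERS = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|cmd)(\.exe)?\b", re.I)
# Encoded or hidden-window PowerShell invocations are rare in honest build steps.
ENCODED_FLAG = re.compile(r"-(enc|ec|encodedcommand)\b|-w(indowstyle)?\s+hidden", re.I)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def strip_ns(tag):
    """Old-style .csproj files carry the MSBuild XML namespace; drop it."""
    return tag.rsplit("}", 1)[-1]


def scan_project(xml_text):
    """Return (element, command prefix, reasons) for each suspicious build step."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = strip_ns(elem.tag)
        if tag in ("PreBuildEvent", "PostBuildEvent"):
            cmd = (elem.text or "").strip()          # property-style events
        elif tag == "Exec":
            cmd = elem.get("Command", "")            # SDK-style <Exec> task
        else:
            continue
        reasons = []
        if INTERPRETERS.search(cmd):
            reasons.append("script interpreter launched")
        if ENCODED_FLAG.search(cmd):
            reasons.append("encoded/hidden PowerShell flags")
        if BASE64_BLOB.search(cmd):
            reasons.append("long base64-like blob")
        if reasons:
            findings.append((tag, cmd[:60], reasons))
    return findings


# Constructed sample: one benign Exec step and one hidden, encoded PowerShell
# pre-build event whose payload is a placeholder run of 'A' characters.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType>
    <PreBuildEvent>powershell -w hidden -enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Clean"><Exec Command="echo done" /></Target>
</Project>"""

if __name__ == "__main__":
    for tag, cmd, reasons in scan_project(SAMPLE_CSPROJ):
        print(f"{tag}: {cmd!r} -> {', '.join(reasons)}")
```

Running it on a clone of a repository before opening the solution in Visual Studio surfaces build steps that deserve a look before the IDE executes them.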
Evasive Techniques and Long-Term Impact
The campaign employs several advanced tactics, including anti-debugging methods, privilege escalation techniques, and persistence mechanisms to ensure a lasting presence on infected machines. Additionally, PowerShell scripts are utilized to undermine host defenses and obstruct system recovery attempts.
Water Curse appears to be financially motivated, focusing on credential theft, session hijacking, and the resale of unauthorized access. Investigations have linked this threat actor to approximately 76 distinct GitHub accounts, indicating a comprehensive and organized campaign that may have been active since March 2023.
A Growing Trend of GitHub Exploitation
The strategy of using GitHub as a springboard for malware distribution isn’t novel; it has been seen in various campaigns in the past. However, Water Curse’s method—deploying a network of GitHub accounts to create harmful repositories—raises concerns, especially given its similarities to another distribution model known as the Stargazers Ghost Network.
Check Point Research has hesitated to confirm a direct connection to the Stargazers Ghost Network, citing the limited data available, but it acknowledges that comparable attack methodologies were used in previous campaigns.
Multi-Vertical Targeting Strategy
The emergence of Water Curse highlights the ongoing trend of threat actors abusing trusted platforms like GitHub to disseminate malware and orchestrate software supply chain attacks. The repositories linked to this campaign include a variety of malicious tools like evasion utilities, game cheats, cryptocurrency wallet applications, spamming bots, and credential stealers.
These varied tools reflect a comprehensive targeting strategy that intertwines cybercrime with exploitative monetization techniques, focusing on stealth, automation, and scalability.
Other Ongoing Malware Campaigns
The timely disclosure comes in the wake of other notable campaigns leveraging ClickFix techniques to spread various malware strains, including AsyncRAT and Sorillus RAT. AsyncRAT, in particular, has been increasingly utilized by unidentified threat actors, targeting a wide range of organizations since the beginning of 2024.
Experts have noted that these tactics allow the malware to evade traditional defenses by using legitimate infrastructure, such as Cloudflare’s temporary tunnels, to deliver payloads without raising alarms.
Strategic Use of Legitimate Services
Ongoing campaigns have also seen threat actors employ invoice-themed phishing emails to target organizations in several European countries. These campaigns often involve techniques like HTML smuggling to deliver malicious payloads via seemingly harmless attachments.
The effectiveness of these methods is underscored by case studies revealing that platforms like OneDrive are manipulated to ferry malware unnoticed, indicating a broader strategy that leverages well-known services to mask malicious activities.
Conclusion
As the cybersecurity landscape continually evolves, the emergence of threats like Water Curse underscores the necessity for vigilance and adaptation among individuals and organizations alike. The sophisticated use of platforms like GitHub to launch attacks serves as a reminder of the ever-present risks in the digital sphere.