- GITHUB repository hosts disguise Malware as the equipment that is likely to download gamers, and privacy-wishes
- Fake VPN campaign directly drops malware into Appdata and hides it from plain view
- The process injection through msbuild.exe allows this malware to operate without triggering clear alarm
Security experts have warned of a new cyber threat to fake VPN software hosted on Github.
A report from Malevolent How the malware tells itself as “free VPN for PC” and motivates users to download, which is a sophisticated dropper for Lumma Staller.
The same malware also appeared under the name “Minecraft Skin Changer”, which targets gamers and casual users in search of free equipment.
Sophisticated malware chain hides behind familiar software fodder
Once executed, the dropper uses a multi-stage attack chain that misuse legitimate Windows Tools like Obuction, Dynamic DLL loading, memory injection, and msbuild.exe and aspnet_regiis.exe, which maintains a rude and firmness.
The success of the campaign rests on the use of Github for distribution. Repository github (.) Com/samaioec hosted the password-protected zip files and detailed use instructions, leading to the presence of validity to malware.
Inside, the payload is encoded with French text and the base 64.
“Starts with a deceptive-free VPN download ends with a memory-injected lumma steeler working through a reliable system procedures,” a report of Cyphirma.
On execution, launch.xA performs a sophisticated extraction process, which decodes and replaces the base 64-encoded string to release the DLL file in the user’s Appdata folder, MSVCP110.DLL.
It is particularly DLL hidden. It is dynamically loaded during the runtime and calls a function, getgamedata () to apply the final stage of the payload.
Reverse engineering software is challenging due to anti-debug strategies such as isdebuggerpresent () check and control flow obfuscation.
The attack uses MITERAT & CK strategies such as DLL side-loading, sandbox theft and in-memory execution.
How to be safe
To stay safe from such attacks, users must avoid informal software, especially anything promoted as a free VPN or game mod.
Reports raise risk when running unknown programs from repository, even if they appear on iconic platforms.
Downloaded files from Github or similar platforms should never be rely really default, especially if they come as a password-protected zip archives or include unclear installation steps.
Users should never be executable from rejected sources, no matter how useful it is.
Ensure that you activate additional protection by disabled to run from folders such as Appdata, which the attackers often use to hide their payloads.
In addition, DLL files found in roaming or temporary folders should be marked for further investigation.
Watch out for strange file activity on your computer, and monitor msbuild.exe and other functions in the functioning manager or system tools that behave out of the simple to prevent initial infections.
At a technical level, use the best antivirus that provides behavioral identity instead of relying on a traditional scan, as well as those equipment as well as those equipment which include DDOS protection and closing point protection to cover a wide range of dangers including memory injections, stealth process creations and API misuse.
