Trojan targeting developers steals passwords, exfiltrates files, takes screenshots and can even self-destruct when it has served its purpose,Security,Open Source,Developer,Software,Hacking,Threats and Risks ,Cloud Computing,malware,open source,Palo Alto Networks,Github,Rapid7
Developers using Github, the free source-code hosting website, have been targeted by malware that can steal passwords, download files, take screenshots of sensitive information and even self-destruct afterwards – and the malware has been around since 2014.
Call the Dimnie Trojan, according to Palo Alto Networks researchers it appears to have undergone few changes since it made its debut in 2014, but has largely flown under the radar until recently because it had focused on Russian targets.
Palo Alto Networks first became aware of it in mid-January following reports that the owners of several Github repositories been targeted with phishing emails. The emails included requests for help with development projects, and offers of payment for custom programming jobs. Unlike most phishing emails, these were very specifically targeted at the interests of their recipients.
The emails had .gz (gzipped) attachments that contained Word documents with malicious macro code attached. The file uses Microsoft PowerShell commands to download and execute payloads.
Once executed, the PowerShell script reaches out to a remote server and downloads the malware program known as Dimnie.
