A malicious fork of the legitimate macOS app Triton has surfaced on GitHub, using an open-source repository as the lure to distribute malware. The fake repository, published under the username "JaoAureliano," looked like an exact replica of Otávio C.'s original Triton project.

The fork steered users toward downloading a ZIP file that contained Windows malware rather than the real software. The repository's README carried multiple download links pointing at the payload, making it the obvious delivery vector. The threat actor placed the malware package (Software_3.1.zip) inside an Xcode colorset directory, a location that normally holds only asset metadata. Although Triton is a macOS-only application, anyone who downloaded the 1.33 MB archive received executables built to compromise Windows systems, a platform mismatch that is itself a warning sign.

Security researcher Brennan identified the malicious repository after discussion of suspicious forking activity surfaced on an IRC server.

VirusTotal analysis showed that 12 of 66 vendors detected the sample, whose SHA-256 hash is 39b29c38c03868854fb972e7b18f22c2c76520cfb6edf46ba5a5618f74943eac. The GitHub account itself showed several warning signs. It held only two repositories, and although the commit history looked sparse, automated scripts had been used to create backdated dummy commits, padding the contribution graph to fake a history of activity.

The repository's topics included unusual tags such as "malware," "deobfuscation," and "symbolic-execution," possibly to pass as educational security material. Despite multiple reports to GitHub, the account had not been removed at the time of discovery. The incident fits a broader pattern of GitHub being abused to distribute malware, and similar campaigns remain active.
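The red flags above (a README that links to an archive, a binary stashed under an Xcode asset catalog, and fork-only commits dated before the fork existed) can be checked mechanically before anyone downloads from a fork. The script below is an added example written for this article, not code from the original page or from the Triton project; the README text, file tree, commit list and creation timestamp are constructed inputs modelled on the case, the URL uses a placeholder host, and the split between inherited and fork-only commits is assumed to come from comparing the fork against the upstream default branch.

```python
import re
from datetime import datetime, timezone

# Constructed inputs modelled on the fork described above; not the real repository's data.
README = """# Triton
A small macOS menu bar utility.

## Download
Grab the latest build: https://example.invalid/fork/raw/main/Triton/Assets.xcassets/AccentColor.colorset/Software_3.1.zip
"""

TREE = [
    "README.md",
    "Triton.xcodeproj/project.pbxproj",
    "Triton/AppDelegate.swift",
    "Triton/Assets.xcassets/AccentColor.colorset/Contents.json",
    "Triton/Assets.xcassets/AccentColor.colorset/Software_3.1.zip",
]

# Fork creation time as the GitHub API would report it, plus the fork's commits.
# in_upstream=False marks commits that exist only in the fork (assumed to come from
# diffing against the upstream default branch); only those can be backdated.
FORK_CREATED_AT = "2025-05-01T10:00:00Z"
COMMITS = [
    {"id": "a1", "date": "2022-06-10T12:00:00Z", "in_upstream": True},   # inherited, legitimately old
    {"id": "b2", "date": "2023-02-11T08:00:00Z", "in_upstream": False},  # fork-only, dated before the fork existed
    {"id": "c3", "date": "2025-05-01T10:05:00Z", "in_upstream": False},
]

PAYLOAD_EXT = re.compile(r"\.(zip|7z|rar|exe|dll|scr|msi|bat|cmd|ps1)$", re.IGNORECASE)
ASSET_DIR = re.compile(r"\.(xcassets|colorset|imageset|appiconset)/", re.IGNORECASE)
URL = re.compile(r"https?://[^\s)\]>\"']+")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def readme_payload_links(readme):
    """Download links to archives or executables; a source repository has no need for them."""
    return [u for u in URL.findall(readme) if PAYLOAD_EXT.search(u)]


def payloads_in_asset_dirs(tree):
    """Archives/executables stored under Xcode asset catalogs, where only JSON and images belong."""
    return [p for p in tree if ASSET_DIR.search(p) and PAYLOAD_EXT.search(p)]


def backdated_fork_commits(commits, created_at):
    """Fork-only commits whose timestamp predates the fork's creation.
    Inherited upstream commits are excluded: they legitimately predate the fork."""
    created = parse_ts(created_at)
    return [c["id"] for c in commits
            if not c["in_upstream"] and parse_ts(c["date"]) < created]


def triage(readme, tree, commits, created_at):
    """Collect all findings; 'suspicious' is True if any check fired."""
    findings = {
        "readme_payload_links": readme_payload_links(readme),
        "payloads_in_asset_dirs": payloads_in_asset_dirs(tree),
        "backdated_fork_commits": backdated_fork_commits(commits, created_at),
    }
    findings["suspicious"] = any(findings.values())
    return findings


if __name__ == "__main__":
    for key, value in triage(README, TREE, COMMITS, FORK_CREATED_AT).items():
        print(f"{key}: {value}")
```

The backdating check deliberately ignores commits inherited from upstream: every fork carries history older than its own creation date, so comparing all commit dates against the creation date would flag every legitimate fork too.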

Mechanism of Infection and Evasion Strategies

The malware uses a multi-step execution chain that begins with 7za.exe extracting the archive using the password "infected." The payload is scripted with LuaJIT and employs evasion techniques including virtualization detection, debugger detection, and extended sleep timers intended to outlast sandbox analysis windows. On the network it performs IP discovery via ip-api.com and communicates with the blockchain RPC endpoint polygon-rpc.com, while its command-and-control channels are disguised as Microsoft Office traffic through domains such as nexusrules.officeapps.live.com and svc.ha-teams.office.com. Those Office hostnames are Microsoft's own endpoints, so on their own they are not a usable indicator; what stands out is the combination of destinations and the process making the connections.

For system reconnaissance, the malware looks for development environments such as Java, Python, and .NET installations, and for security software logs. It accesses registry keys both to read configuration information and to establish persistence, and its file operations target system directories in an attempt to escalate privileges. Before downloading anything from a GitHub fork, organizations should confirm the repository's legitimacy: compare it against the upstream project, examine the account's history for signs of padding, and treat README download links to archives as a red flag.

Security teams deploying endpoint detection should monitor for the network indicators and the file hash listed above.
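Turning the indicators above into a detection needs the caveat from the analysis: the Office hostnames are legitimate, so alerting on them alone floods the queue. The script below is an added example, not code from the original article or from any vendor; it correlates per host over constructed proxy/EDR log lines (the process names, hosts and the allowlist of Office processes are invented for the example) and alerts when a non-Office process reaches the Office endpoints or when one host touches both ip-api.com and polygon-rpc.com. A small helper also compares a file's SHA-256 against the hash from the VirusTotal analysis.

```python
import hashlib
import re
from collections import defaultdict

# SHA-256 of the sample, as reported in the article.
IOC_SHA256 = "39b29c38c03868854fb972e7b18f22c2c76520cfb6edf46ba5a5618f74943eac"

# Destinations named in the analysis. The two Office hostnames are genuine Microsoft
# endpoints, so they only matter when an unexpected process contacts them.
OFFICE_LOOKALIKE_DST = {"nexusrules.officeapps.live.com", "svc.ha-teams.office.com"}
RECON_DST = {"ip-api.com", "polygon-rpc.com"}

# Hypothetical allowlist of processes expected to talk to Office endpoints; tune per estate.
OFFICE_PROCS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
                "teams.exe", "ms-teams.exe", "officeclicktorun.exe"}

# Constructed log lines; hosts and process names are invented for this example.
LOG_LINES = """\
2025-05-02T09:00:01Z host=WS-17 proc=OUTLOOK.EXE dst=nexusrules.officeapps.live.com
2025-05-02T09:00:05Z host=WS-17 proc=ms-teams.exe dst=svc.ha-teams.office.com
2025-05-02T09:01:10Z host=WS-42 proc=updater_svc.exe dst=ip-api.com
2025-05-02T09:01:12Z host=WS-42 proc=updater_svc.exe dst=polygon-rpc.com
2025-05-02T09:01:15Z host=WS-42 proc=updater_svc.exe dst=nexusrules.officeapps.live.com
2025-05-02T09:02:00Z host=WS-09 proc=chrome.exe dst=ip-api.com
"""

LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$")


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def evaluate(lines):
    """Return {host: [reasons]} for hosts whose traffic matches the described C2 pattern."""
    per_host = defaultdict(lambda: {"recon": set(), "masquerade": set()})
    for ev in parse(lines):
        dst, proc = ev["dst"].lower(), ev["proc"].lower()
        if dst in RECON_DST:
            per_host[ev["host"]]["recon"].add(dst)
        if dst in OFFICE_LOOKALIKE_DST and proc not in OFFICE_PROCS:
            per_host[ev["host"]]["masquerade"].add(f"{proc}->{dst}")

    alerts = {}
    for host, seen in per_host.items():
        reasons = []
        # A lone ip-api.com lookup is common; both recon endpoints from one host is not.
        if seen["recon"] == RECON_DST:
            reasons.append("ip-api.com and polygon-rpc.com contacted from the same host")
        if seen["masquerade"]:
            reasons.append("Office endpoint contacted by non-Office process: "
                           + ", ".join(sorted(seen["masquerade"])))
        if reasons:
            alerts[host] = reasons
    return alerts


def sha256_matches(data: bytes, expected_hex: str = IOC_SHA256) -> bool:
    """True if the bytes hash to the expected SHA-256 (defaults to the article's IOC)."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


if __name__ == "__main__":
    for host, reasons in evaluate(LOG_LINES).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

In the constructed data only WS-42 fires: WS-17 is Outlook and Teams doing normal work, and WS-09 is a single ip-api.com lookup from a browser, which is too common to page on by itself. The allowlist is the part that needs local tuning; an estate that runs Office through a different launcher will need those process names added before this rule is useful.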