Full Report
A hacker targets other hackers, gamers, and researchers with exploits, bots, and game cheats in source code hosted on GitHub that contain hidden backdoors to give the threat actor remote access to infected devices. [...]
Analysis Summary
# Tool/Technique: Initial Backdoor Triggered via GitHub Code Repositories
## Overview
A multi-stage infection mechanism that is initiated when victims download and execute (or build) compromised source code from open-source repositories such as GitHub. The repositories were deliberately backdoored and often disguised as tools aimed at other hackers or gamers (e.g., game cheats, mod tools). The initial trigger starts an infection chain involving VBS files, PowerShell, and an Electron application that ultimately downloads and deploys secondary information stealers and RATs.
## Technical Details
- Type: Technique/Initial Access Payload Chain
- Platform: Windows
- Capabilities: Initial execution, multi-stage payload delivery, system discovery, anti-AV measures, remote access capability.
- First Seen: Not specified; the activity is described in connection with the publicity around Sakura RAT.
## MITRE ATT&CK Mapping
- *Note: The primary technique is inferred from the execution flow.*
- T1588 - Obtain Capabilities
  - T1588.002 - Tool
- T1204 - User Execution
  - T1204.002 - Malicious File
- T1059 - Command and Scripting Interpreter
  - T1059.001 - PowerShell
## Functionality
### Core Capabilities
- **Initial Trigger:** Execution occurs upon running or building the backdoored downloaded code.
- **Execution Chain:** Involves sequential execution of VBScript, PowerShell downloading encoded content, fetching a 7zip archive from GitHub, and launching an Electron application (`SearchFilter.exe`).
- **System Profiling:** The deployed Electron app executes JavaScript payloads for system reconnaissance.
- **Defense Evasion:** Includes capabilities for deactivating Windows Defender.
### Advanced Features
- **Obfuscation:** The core logic within the Electron app (`main.js`) is heavily obfuscated.
- **Dynamic Payload Retrieval:** Fetches secondary malware (info-stealers/RATs) dynamically from remote URLs/GitHub archives post-initial execution.
## Indicators of Compromise
- File Hashes: N/A (No specific hashes provided in the context)
- File Names: `SearchFilter.exe` (The final Electron application component)
- Registry Keys: N/A
- Network Indicators: Hardcoded URLs used by PowerShell for the initial download; GitHub repositories hosting the 7zip archive and payloads. (No specific network IOCs are provided; any that are shared should be defanged.)
- Behavioral Indicators: Execution of VBScript followed by PowerShell downloading executables/archives, and launching an Electron application associated with system manipulation.
## Associated Threat Actors
The context suggests this methodology of spreading malware via compromised GitHub repos is used broadly, often targeting other hackers, gamers, and cybersecurity researchers. The mention of Sakura RAT suggests a link to actors who might distribute or use such tools, though no specific APT linking is detailed for this specific campaign's actors.
## Detection Methods
- Signature-based detection: Signatures for the secondary malware families (Lumma Stealer, AsyncRAT, Remcos).
- Behavioral detection: Monitoring for unauthorized execution chains starting from file compilation/execution that involve VBScript -> PowerShell -> downloading archives -> execution of an Electron app with anti-AV behavior.
- YARA rules: N/A
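The behavioral chain above (script host -> PowerShell download -> Electron app launch) can be expressed as a parent/child process check. The following is an added example, not part of the original report: it runs over constructed process-creation events whose shape (pid, ppid, image, cmdline) is an assumption to be adapted to your EDR's telemetry.

```python
# Added example: detect the VBScript -> PowerShell -> Electron app chain
# over constructed process-creation events (not telemetry from the report).
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name, lowercase
    cmdline: str    # full command line as logged


# Constructed sample telemetry: a user runs a downloaded .vbs, which spawns
# hidden/encoded PowerShell, which launches the Electron app named in the report.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", 'wscript.exe "C:\\Users\\u\\Downloads\\cheat\\build.vbs"'),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    ProcEvent(400, 300, "searchfilter.exe", "C:\\Users\\u\\AppData\\Local\\Temp\\SearchFilter.exe"),
    ProcEvent(500, 100, "powershell.exe", "powershell.exe Get-ChildItem"),  # benign, no script-host parent
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Command-line fragments that indicate encoded or downloading PowerShell.
DOWNLOAD_HINTS = ("-enc", "downloadstring", "downloadfile", "invoke-webrequest", "iwr ")


def find_chains(events):
    """Return (script_host_pid, powershell_pid, child_pid) triples matching the chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image not in SCRIPT_HOSTS:
            continue
        if not any(h in e.cmdline.lower() for h in DOWNLOAD_HINTS):
            continue
        # Any executable spawned by this PowerShell instance completes the chain.
        for child in events:
            if child.ppid == e.pid and child.image.endswith(".exe"):
                hits.append((parent.pid, e.pid, child.pid))
    return hits


if __name__ == "__main__":
    for chain in find_chains(SAMPLE_EVENTS):
        print("suspicious chain (script host -> powershell -> child):", chain)
```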
## Mitigation Strategies
- Prevention measures: Strict source verification for all software, especially pre-compiled or buildable projects sourced from public repositories like GitHub.
- Hardening recommendations: Implement strict application control policies to restrict the execution of unsigned scripts and binaries, particularly those launched via unconventional means (e.g., Electron apps performing system integrity checks). Disable or strictly limit PowerShell execution when possible.
## Related Tools/Techniques
- **Secondary Payloads Deployed:**
  - Lumma Stealer (Info-stealer)
  - AsyncRAT (Remote Access Trojan)
  - Remcos (Remote Access Trojan)
- The tool appears to leverage code meant for distributing or hiding **Sakura RAT** precursors, since the source description references interest sparked by media coverage of Sakura RAT.