A concerning cybersecurity threat has emerged with the discovery of AI-generated fake GitHub repositories designed to distribute malware, including the notorious SmartLoader and Lumma Stealer.
These malicious repositories, crafted to appear legitimate, exploit GitHub’s trusted reputation to deceive users into downloading ZIP files containing malicious code.
The campaign highlights the evolving tactics cybercriminals employ to bypass security measures, leveraging artificial intelligence to create convincing fake repository content.
Overview of the Threat
The Trend Micro Threat Hunting team has identified an ongoing campaign using fake GitHub repositories to deploy SmartLoader, which serves as a stepping stone to deliver Lumma Stealer—an advanced information stealer distributed via the Malware-as-a-Service (MaaS) model.
The lure typically includes promises of “free” or unauthorized software functionalities, enticing users to download ZIP files such as “Release.zip” or “Software.zip.” Upon execution, these files initiate the SmartLoader payload, leading to further malware deployment.

The AI-generated content in these repositories includes suspicious elements such as excessive emoji usage, unnatural phrasing, and structured content designed to mimic legitimate documentation.

The primary goal is to trick users into downloading malicious ZIP files from the Releases section of the fake repositories.
Technical Analysis
The ZIP files contain four key components:
- lua51.dll: The LuaJIT runtime library (DLL).
- luajit.exe: The Lua loader executable.
- userdata.txt: An obfuscated Lua script serving as the malicious payload.
- Launcher.bat: A batch file that executes luajit.exe with userdata.txt as an argument.
While the DLL and executable files themselves are not malicious, the Lua script within userdata.txt is responsible for compromising the victim’s system.

The script connects to a command-and-control (C&C) server to receive and execute tasks, such as collecting system information, evading security software, and downloading additional payloads.

Example Code Snippet
The batch file (Launcher.bat) typically contains a command line similar to the following, which executes the malicious Lua script:
luajit.exe userdata.txt
This execution chain allows SmartLoader to deploy Lumma Stealer and other malware payloads. For instance, Lumma Stealer can run a command like the following in the %TEMP% folder:
cmd /c copy /bc..\Entertaining.xls + ..\Divide.xls + ..\Providence.xls + ..\Shakespeare.xls + ..\Adolescent.xls + ..\Divided.xls + ..\Unnecessary.xls + ..\Karma.xls
This command uses copy /b to binary-concatenate several fragments that carry an .xls extension into a single executable file, which is then used for further malicious activity.
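As an added defender-side example (not code from the article or from Trend Micro), the following Python script flags the two observable steps described above: a ZIP whose listing contains all four bundle components, and process command lines where luajit.exe is handed a non-.lua script or cmd.exe binary-concatenates several ..\*.xls fragments. The file names come from the article; the sample listing and events are constructed.

```python
"""Detection helpers for the SmartLoader / Lumma execution chain.
Constructed example: not the article's or Trend Micro's code."""
import re
from typing import Iterable, List, Optional, Tuple

# The four files the article lists in the malicious ZIP; all four together is the signal.
BUNDLE = {"lua51.dll", "luajit.exe", "userdata.txt", "launcher.bat"}

# luajit.exe given a script whose extension is not .lua (the article: "luajit.exe userdata.txt").
LUAJIT_RE = re.compile(r"(?i)\bluajit\.exe\s+\S+\.(?!lua\b)\w+(?=\s|$)")
# "copy /b" switch and "+ <fragment>.xls" operands of the concatenation step.
COPYB_RE = re.compile(r"(?i)\bcopy\s+/b\b")
XLS_FRAG_RE = re.compile(r"(?i)\+\s*\S+\.xls\b")

def bundle_complete(names: Iterable[str]) -> bool:
    """True if a ZIP listing contains all four SmartLoader components (any folder)."""
    base = {n.replace("\\", "/").rsplit("/", 1)[-1].lower() for n in names}
    return BUNDLE <= base

def classify_cmdline(cmdline: str) -> Optional[str]:
    """Return a finding label for one process command line, or None if benign."""
    if LUAJIT_RE.search(cmdline):
        return "luajit-runs-non-lua-script"
    # Three or more "+ ..\x.xls" operands joined with copy /b is the Lumma pattern.
    if COPYB_RE.search(cmdline) and len(XLS_FRAG_RE.findall(cmdline)) >= 3:
        return "binary-concat-of-disguised-fragments"
    return None

def scan_events(events) -> List[Tuple[int, str]]:
    """Return (index, label) for every event whose command line matches."""
    return [(i, lab) for i, e in enumerate(events)
            if (lab := classify_cmdline(e["cmdline"]))]

# Constructed sample data mirroring the chain the article describes.
SAMPLE_ZIP = ["Release/lua51.dll", "Release/luajit.exe",
              "Release/userdata.txt", "Release/Launcher.bat"]
SAMPLE_EVENTS = [
    {"image": "luajit.exe", "cmdline": "luajit.exe userdata.txt"},
    {"image": "cmd.exe", "cmdline": "cmd /c copy /b ..\\Entertaining.xls + ..\\Divide.xls"
                                    " + ..\\Providence.xls + ..\\Karma.xls"},
    {"image": "luajit.exe", "cmdline": "luajit.exe build.lua"},        # benign developer use
    {"image": "cmd.exe", "cmdline": "cmd /c copy report.xls backup\\"},  # benign copy
]

if __name__ == "__main__":
    print("bundle complete:", bundle_complete(SAMPLE_ZIP))
    for i, label in scan_events(SAMPLE_EVENTS):
        print(i, label, "->", SAMPLE_EVENTS[i]["cmdline"])
```

Feed `scan_events` dicts built from EDR or Sysmon process-creation records to apply the same checks to real telemetry.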

Impact and Mitigation
The use of AI-driven tactics to create convincing fake repositories underscores the growing sophistication of cyber threats.
These attacks can result in the theft of sensitive information, including login credentials, financial data, and personally identifiable information (PII), leading to severe financial and personal consequences.
Moreover, the stolen data can be sold to other cybercriminals, amplifying the risks for victims.
To defend against such threats, cybersecurity experts recommend the following best practices:
- Download software only from official sources: Avoid third-party sites, torrents, and unverified repositories.
- Verify repository authenticity: Look for legitimate contributors and check for suspicious documentation.
- Enable security features: Use endpoint security solutions that detect and block malicious downloads.
- Analyze files before execution: Use sandboxing tools to scan unknown files before running them.
- Implement network security controls: Block known malicious repositories and restrict downloads from unverified sources.
- Monitor for abnormal activity: Use security tools to detect unauthorized script executions and unusual outbound connections.
As cybercriminals continue to adapt their strategies, a proactive and robust cybersecurity approach is essential to mitigate these evolving threats.
By implementing these measures, individuals and organizations can significantly reduce the risk of falling victim to AI-generated fake GitHub repositories and associated malware attacks.