Open source GitHub users have recently been the target of fake recruitment email campaigns aiming to infect them with a 3-year-old malware. According to the cyber-security researchers of Palo Alto Networks, the firm in charge of investigating the incidents, a series of advanced attacks were targeting developers exclusively with GitHub accounts. Once downloaded, the malware continues to steal passwords, take screenshots, download files of a sensitive nature, and then it self-destructs.

Modus operandi of the attacks

The attached Dimnie Trojan being used in these bogus recruitment campaigns was previously used to target Russians, but earlier this year the campaign became more focused at developers.

The messages looked real as if real people handwrote them. The catch is always “a new job” that requires the developer to download a file attachment to learn more about the offer. Palo Alto has looked into the samples to figure out how Dimnie worked. The malware family first functions as a "downloader." Its modular design allows it to perform various information-stealing functionalities.

Dimnie’s camouflaging capabilities have allowed it to fly low under the radar. It blends in and tries to look legitimate using new tactics, keeping the malware unknown and undetected by security software. Even Windows is ignoring the PowerShell command that comes with the download. Compared to the previous version of Dimnie, this new one has numerous new modules to disguise malicious traffic under fake domains owned by the attacker.

It also executes commands directly in the operating system’s memory, leaving no trace on disks.

Dimnie, the espionage trojan

The main purpose of the modules is for information and reconnaissance or gathering information on vulnerabilities. The Palo Alto Networks said in a blog post, “By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders’ assumptions about what normal traffic looks like.” They did not come up with speculations on the motives behind the recent attacks targeting open source developers, but the familiar memory injection technique has previously been used in nation-state-sponsored hacking and by financially motivated hackers.