Dimnie Trojan targeting open source developers publishing on Github

Trojan targeting developers steals passwords, exfiltrates files, takes screenshots and can even self-destruct when it has served its purpose

Developers using Github, the free source-code hosting website, have been targeted by malware that can steal passwords, download files, take screenshots of sensitive information and even self-destruct afterwards - and the malware has been around since 2014.

Called the Dimnie Trojan, it appears, according to Palo Alto Networks researchers, to have undergone few changes since it made its debut in 2014, but it had largely flown under the radar until recently because it focused on Russian targets.

Palo Alto Networks first became aware of it in mid-January following reports that the owners of several Github repositories had been targeted with phishing emails. The emails included requests for help with development projects and offers of payment for custom programming jobs. Unlike most phishing emails, these were very specifically targeted at the interests of their recipients.

The emails carried .gz (gzipped) attachments containing Word documents with malicious macro code. The document's macro uses Microsoft PowerShell commands to download and execute payloads.

Once executed, the PowerShell script reaches out to a remote server and downloads the malware program known as Dimnie.

The software gives attackers a range of capabilities that it can tailor depending on its target. This includes keylogging, screenshotting, interacting with smartcards and exfiltrating data from a computer. There's also a self-destruct module that removes all files from the system drive to ensure that there is no trace of the malware if someone goes looking for it.

It goes unnoticed by Windows because of additional, unnecessary characters in its code. Security software is tricked into thinking the threat is no longer an issue by a number of methods, including capturing data using web requests that appear to be sent to Google-owned domains; the information is in fact sent to an address controlled by the attackers.

Stolen data is encrypted and appended to image headers during transit. It is never written to the hard drive of the infected computer; instead, Dimnie loads the code directly into memory.
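The article says exfiltrated data travels disguised as an image, appended to the image header. One defensive check that follows from that is to verify whether a transferred "image" is actually a complete, well-formed picture with nothing after it. The following is an added example written for this article, not code from Palo Alto Networks or from the Dimnie analysis; it assumes PNG as the carrier (the article does not name the image format), walks the chunk structure, validates each chunk's CRC, and reports anything that follows the IEND chunk or a header that is not followed by a parseable image. The sample inputs are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def analyse_png_body(body: bytes) -> dict:
    """Walk PNG chunks and report whether the body is a well-formed image with nothing after IEND."""
    verdict = {"valid_png": False, "trailing_bytes": 0, "chunks": [], "flags": []}
    if not body.startswith(PNG_SIGNATURE):
        verdict["flags"].append("not-png")
        return verdict

    pos = len(PNG_SIGNATURE)
    seen_iend = False
    while pos + 8 <= len(body):
        # Each chunk: 4-byte big-endian length, 4-byte type, data, 4-byte CRC over type+data
        length, ctype = struct.unpack(">I4s", body[pos:pos + 8])
        data_start = pos + 8
        data_end = data_start + length
        crc_end = data_end + 4
        if crc_end > len(body):
            # A bare header pasted in front of foreign bytes usually fails right here
            verdict["flags"].append("truncated-chunk")
            return verdict
        expected = struct.unpack(">I", body[data_end:crc_end])[0]
        actual = zlib.crc32(body[pos + 4:data_end]) & 0xFFFFFFFF
        name = ctype.decode("latin-1")
        verdict["chunks"].append(name)
        if actual != expected:
            verdict["flags"].append("bad-crc:" + name)
        pos = crc_end
        if ctype == b"IEND":
            seen_iend = True
            break

    if not seen_iend:
        verdict["flags"].append("no-IEND")
        return verdict
    verdict["valid_png"] = not any(f.startswith("bad-crc") for f in verdict["flags"])
    # Anything after IEND is not part of the picture; a viewer ignores it, a filter should not
    verdict["trailing_bytes"] = len(body) - pos
    if verdict["trailing_bytes"]:
        verdict["flags"].append("data-after-IEND")
    return verdict


def _chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 grayscale PNG (IHDR, IDAT, IEND)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, bit depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                   # one filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    clean = build_minimal_png()
    stuffed = clean + b"\x00" * 64                      # constructed: opaque blob after a real image
    header_only = PNG_SIGNATURE + b"X" * 40             # constructed: signature glued onto non-image bytes
    for label, body in (("clean", clean), ("stuffed", stuffed), ("header-only", header_only)):
        print(label, analyse_png_body(body))
```

The check is a heuristic, not a signature: legitimate files occasionally carry junk after IEND, so it belongs in a scoring pipeline alongside the destination check the article implies (a request whose Host header names a Google domain but whose packets go elsewhere), rather than as a hard block on its own.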

The researchers did not suggest who could be behind the campaign or the motivation for targeting open-source developers. However, Tod Beardsley, research director at Rapid7, suggested that open-source developers were an attractive target for malware because they work on libraries and utilities that end up on millions of devices worldwide.

"It's a great reminder that developers who are publishing code, as a class, do need to stay extra vigilant when handling binaries from unknown sources," he said.

But he warned that such vigilance might be at odds with the typical helpfulness that's common to many open source communities.

"While it might be uncomfortable to be less helpful to strangers, developers need to protect their users as well as themselves from these kinds of social engineering attacks," he said.

He added that the most obvious 'red flag' with the phishing emails was the gzipped Microsoft Word document, as Microsoft Word users will rarely, if ever, use gzip as it's much more of a Linux tool used for compression.
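The two indicators the article gives for the phishing lure, a gzip-wrapped Word document and a macro inside it, are cheap to check at a mail gateway. The following is an added example written for this article, not code from Palo Alto Networks, Rapid7 or any project: it unwraps a .gz attachment, identifies whether the inner file is a Word document (legacy OLE binary or OOXML zip), and, for OOXML, looks for the vbaProject.bin part that a macro-enabled document carries. Flag names are this example's own; the sample attachments are constructed in memory.

```python
import gzip
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .docx/.docm (zip container)
GZIP_MAGIC = b"\x1f\x8b"


def inspect_attachment(blob: bytes) -> dict:
    """Classify a raw attachment and return the indicators a mail filter would act on."""
    info = {"gzip": False, "word_document": False, "macro": False, "flags": []}
    if not blob.startswith(GZIP_MAGIC):
        return info
    info["gzip"] = True
    try:
        inner = gzip.decompress(blob)
    except (OSError, EOFError):
        info["flags"].append("gzip-undecodable")
        return info

    if inner.startswith(OLE_MAGIC):
        # Legacy binary .doc keeps VBA in an OLE storage; without an OLE parser
        # the container itself is the indicator, so flag it for deeper scanning
        info["word_document"] = True
        info["flags"].append("gzipped-legacy-word-binary")
    elif inner.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(inner)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            info["flags"].append("zip-undecodable")
            return info
        if "word/document.xml" in names:
            info["word_document"] = True
            # vbaProject.bin is where OOXML stores VBA; a plain .docx never has it
            if "word/vbaProject.bin" in names:
                info["macro"] = True
                info["flags"].append("word-document-with-vba-macro")

    if info["word_document"]:
        # The pairing itself is the red flag the article describes: Word users rarely gzip documents
        info["flags"].append("gzip-wrapped-word-document")
    return info


def build_sample(with_macro: bool) -> bytes:
    """Constructed test input: a minimal OOXML-shaped zip, optionally with a VBA part, gzipped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a VBA project; not real macro content
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project\x00")
    return gzip.compress(buf.getvalue())


if __name__ == "__main__":
    samples = (("macro", build_sample(True)), ("plain", build_sample(False)), ("text", b"hello"))
    for label, blob in samples:
        print(label, inspect_attachment(blob))
```

In practice the "gzip-wrapped-word-document" flag alone is enough to route a message to quarantine or a sandbox; the macro flag decides whether it is detonated or simply stripped.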