Hackers are targeting developers sharing code on GitHub with a malicious email campaign designed to infect victims with a stealth malware called Dimnie. According to security experts, the Trojan has been flying under the radar for the past three years and targeted primarily Russians. However, a fresh campaign saw the Dimnie Trojan's focus shift to targeting GitHub developers.
The malware is capable of stealing passwords, taking screenshots and even self-destructing when necessary, according to Palo Alto researchers. GitHub members began reporting attacks in late January. However, security experts claimed that the attacks began several weeks prior to users reporting issues.
The researchers claimed that the 2017 Dimnie Trojan campaign had a "global reach" and characterised it as a "marked departure from previous Dimnie targeting tactics".
Explaining how the malware has stayed active yet relatively undetected in the past, the researchers said "multiple factors" such as camouflaging upload and download traffic as "innocuous user activity" have helped it maintain a low profile.
"Dimnie has taken advantage of defenders' assumptions about what normal traffic looks like," the researchers said. "This blending in tactic, combined with a prior penchant for targeting systems used by Russian speakers, likely allowed Dimnie to remain relatively unknown."
The malware is also capable of keylogging, exfiltrating PC data and interacting with attached smartcards. Moreover, in efforts to evade detection, Dimnie uses a wide variety of innovative techniques to camouflage data when sending it to servers controlled by the attackers.
Given the malware's stealth features and its ability to mask communications behind regular network traffic, the researchers have been unable to pinpoint when this updated version of Dimnie was developed and first used in attacks. The identity and motivation of the hackers behind the latest attacks also remain unclear.
However, reports speculate that one reason the attackers went after GitHub developers, many of whom likely work for various organisations, may have been to gain access to the victims' workplace computer networks. A successful intrusion into such an organisation could then allow the hackers to conduct reconnaissance and observe its networks before launching larger-scale attacks.