Open source developers who use GitHub are in the cross-hairs of advanced malware that can steal passwords, download sensitive files, take screenshots, and self-destruct when necessary.

Dimnie, as the reconnaissance and espionage trojan is known, has largely flown under the radar for the past three years. It mostly targeted Russians until early this year, when a new campaign took aim at multiple owners of GitHub repositories. One commenter in this thread reported the initial infection e-mail was sent to an address that was used solely for GitHub, and researchers with Palo Alto Networks, the firm that reported the campaign on Tuesday, told Ars they have no evidence it targeted anyone other than GitHub developers.

"Both messages appear to be hand-crafted, and the reference to today's data in the attachment file name IMHO, hint at a focused campaign explicitly targeting targets perceived as 'high return investments,' such as developers (possibly working on popular/open source projects)," someone who received two separate infection e-mails reported in the thread.

Extensive menu

The Palo Alto Networks researchers said Dimnie is a highly modular piece of software that gives attackers an extensive menu of capabilities that can be tailored to a specific target. Available functions include keylogging, the taking of screenshots, interacting with attached smartcards, extracting PC information, enumerating a list of processes running on an infected computer, and self-destructing. When sending data to attacker-controlled servers, Dimnie uses a variety of novel techniques to camouflage the data so the suspicious traffic won't be detected by network security products.

For example, Dimnie exfiltrates data using Web requests that appear to be sent to Google-owned domains. By using some sleight-of-hand domain-lookup techniques, the information is actually sent to an address controlled by the attackers. Dimnie also appends purloined data to a fake image header and encrypts it. For extra stealth, Dimnie encrypts downloaded payloads during transit, and once they are received and decrypted on the other side, they are never written to the hard drive of the infected computer. Instead, Dimnie injects them directly into memory, a technique that was first seen used by nation-sponsored hackers and later adopted by financially motivated hackers.
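One way a defender could hunt for Web requests that name one domain but travel to an address that domain never resolved to, shown as an added example that is not code from Palo Alto Networks or from the original article. The log layout, the function name `find_host_mismatches`, and every sample name and address are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the Dimnie report); IPs are documentation ranges.
DNS_LOG = [
    # (epoch seconds, client, queried name, answer IPs)
    (100, "10.0.0.5", "trusted.example", ["192.0.2.10", "192.0.2.11"]),
    (200, "10.0.0.7", "other.example", ["203.0.113.66"]),
]
HTTP_LOG = [
    # (epoch seconds, client, Host header, destination IP)
    (105, "10.0.0.5", "trusted.example", "192.0.2.10"),
    (205, "10.0.0.7", "trusted.example", "203.0.113.66"),
    (300, "10.0.0.9", "trusted.example", "198.51.100.20"),
]

def find_host_mismatches(dns_log, http_log, max_age=3600):
    """Return (request, reason) pairs where the Host header disagrees with DNS telemetry."""
    answers = defaultdict(list)  # (client, name) -> [(time, {ips})]
    by_ip = defaultdict(set)     # (client, ip)   -> {names that resolved to it}
    for ts, client, name, ips in dns_log:
        name = name.lower().rstrip(".")
        answers[(client, name)].append((ts, set(ips)))
        for ip in ips:
            by_ip[(client, ip)].add(name)
    findings = []
    for req in http_log:
        ts, client, host, dst = req
        host = host.split(":")[0].lower().rstrip(".")  # drop port; IPv6 literals not handled
        # Only answers seen before the request and within max_age seconds count.
        recent = [ips for t, ips in answers[(client, host)] if 0 <= ts - t <= max_age]
        if any(dst in ips for ips in recent):
            continue  # destination matches what this client resolved for the Host name
        looked_up = sorted(by_ip[(client, dst)] - {host})
        if looked_up:
            reason = "dst resolved from different name: " + ",".join(looked_up)
        elif recent:
            reason = "dst not in DNS answers for host"
        else:
            reason = "no DNS lookup seen for host"
        findings.append((req, reason))
    return findings

if __name__ == "__main__":
    for req, reason in find_host_mismatches(DNS_LOG, HTTP_LOG):
        print(req, "->", reason)
```

Forward proxies, CDNs with short-lived records, and DNS-over-HTTPS clients will also produce mismatches, so treat the output as hunting leads to triage rather than verdicts.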

The campaign targeting GitHub users starts with e-mails that attach a booby-trapped Microsoft Word document. The file contains a malicious macro that uses PowerShell commands to download and execute the payloads. To avoid detection, the PowerShell commands are laced with extraneous characters that Windows ignores but that often trick anti-malware engines into behaving as if the malicious text strings are benign.

The researchers declined to speculate who might be behind the campaign or what the motivations may be for targeting open source developers. It's not hard to come up with plausible theories why either nation-sponsored or financially motivated hackers would want to spy on this demographic. What's clear now is that someone is devoting considerable time and expertise to make that happen.