
Fake software on GitHub and SourceForge distribute Deno RAT

Malwarebytes Labs, 26/05/2026, 13:07

Summary

AI-Generated

Key Points:

  • Fake software installers and plugins impersonating popular applications are distributing the DinDoor backdoor via GitHub and SourceForge, utilizing compromised YouTube channels for promotion.
  • The DinDoor RAT can execute commands, exfiltrate sensitive data from browsers and crypto wallets, and employs a peer-to-peer streaming mode to evade detection. Affected systems include Windows and macOS devices that download malicious MSI files or PowerShell scripts.
  • Users should only download software from official sources, be cautious of unofficial versions, and verify digital signatures before execution.

Technical Details: The DinDoor backdoor leverages the Deno JavaScript runtime to execute commands and manage persistence through registry modifications. Attackers use MSI files and PowerShell scripts to initiate the infection chain.

MITRE ATT&CK Techniques:

  • T1566 - Phishing (Initial Access)
  • T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1047 - Windows Management Instrumentation (Execution)
  • T1203 - User Execution (Execution)
  • T1559.001 - External Remote Services: Web Services (Command and Control)

IOCs Mentioned:

  • URLs: github.com/claude-free-plugin, sourceforge.net/projects/gearup
  • Domains: claudescript.top, ms-telemetry-gateway-us.com
  • IPs: 23.227.196.107, 45.137.99.121
