A new cross-platform threat has emerged in the ransomware landscape: researchers have uncovered new versions of Albabat ransomware that target Windows, Linux, and macOS systems.

Trend Micro researchers found that these newer variants retrieve their configuration data through the GitHub REST API, identifying themselves with the “User-Agent” string “Awesome App”. Hosting the configuration on GitHub lets the operators change the ransomware’s behavior remotely without deploying new binaries, and the repositories also serve to push configuration updates and track infected systems across the different operating systems.

Analysis of network traffic shows the ransomware connecting to GitHub to download these configuration files; the captured HTTP GET request retrieves the configuration from the billdev1 GitHub account, which hosts the malware’s operational parameters. The fixed User-Agent string and the requests to the GitHub API are concrete network indicators defenders can look for in proxy and HTTP logs.

The configuration extracted from GitHub shows that Albabat collects extensive system information from victims, including hardware specifications and user details. Most concerning is the cross-platform functionality: the configuration contains commands written specifically for Linux and macOS that run scripts to gather hardware and system information on those operating systems. The ransomware is also programmed to skip certain system folders and files during encryption while targeting valuable user data.
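As an added example that is not part of the original article or of Trend Micro’s analysis, the following Python scans HTTP proxy log lines for the two network indicators the report describes: the “Awesome App” User-Agent string and GitHub REST API requests for repositories under the billdev1 account. The log layout, the field names, the client IPs and the repository name config-repo are assumptions constructed for the example; only the User-Agent string, the GitHub REST API host (api.github.com) and the billdev1 account come from the report.

```python
"""Flag proxy/HTTP log lines that match the Albabat GitHub configuration fetch."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators reported in the article: configuration fetched over the GitHub
# REST API with the User-Agent "Awesome App", hosted under the billdev1 account.
ALBABAT_USER_AGENT = "Awesome App"
GITHUB_API_HOST = "api.github.com"   # host of the GitHub REST API
SUSPICIOUS_OWNERS = {"billdev1"}

# Assumed log layout (not from the article): timestamp, client IP, method,
# quoted URL, status code, quoted User-Agent.
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"(?P<url>[^"]*)"\s+'
    r'(?P<status>\d{3})\s+"(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    url: str
    reasons: tuple


def github_repo_owner(url):
    """Return <owner> from an https://api.github.com/repos/<owner>/... URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != GITHUB_API_HOST:
        return None
    segments = parts.path.strip("/").split("/")
    if len(segments) >= 2 and segments[0] == "repos":
        return segments[1]
    return None


def classify(line):
    """Return a Hit if the line matches Albabat's config-fetch pattern, else None."""
    m = LOG_RE.match(line.rstrip())
    if not m:
        return None  # unparseable line; a real pipeline would count these separately
    reasons = []
    if m["ua"] == ALBABAT_USER_AGENT:
        reasons.append("albabat_user_agent")
    owner = github_repo_owner(m["url"])
    if owner in SUSPICIOUS_OWNERS:
        reasons.append("suspicious_github_owner:" + owner)
    if not reasons:
        return None
    return Hit(m["ts"], m["src"], m["url"], tuple(reasons))


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [h for h in (classify(line) for line in lines) if h is not None]


# Constructed sample log lines (not real captures). The repository name
# "config-repo" and the client IPs are placeholders; the article does not name them.
SAMPLE_LOG = [
    '2025-03-20T09:14:02Z 10.0.0.12 GET "https://api.github.com/repos/billdev1/config-repo/contents/config.json" 200 "Awesome App"',
    '2025-03-20T09:14:05Z 10.0.0.12 GET "https://example.com/" 200 "Awesome App"',
    '2025-03-20T09:15:11Z 10.0.0.31 GET "https://api.github.com/repos/octocat/Hello-World" 200 "git/2.43.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit.ts, hit.src, hit.url, ", ".join(hit.reasons))
```

The User-Agent match is the higher-confidence signal because the string is hard-coded in the binary, so it fires even if the operators move the configuration to a different account; ordinary GitHub API traffic is far too common to block outright, which is why the owner check narrows the GitHub hits rather than replacing the User-Agent check. Both indicators are trivial for the operators to rotate, so treat them as a starting point for hunting, not as a durable signature.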
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 21 Mar 2025 12:10:20 +0000