Researchers from Trend Micro have discovered new versions of the Albabat ransomware, which now targets not only Windows but also Linux and macOS devices. This expansion indicates the technical evolution of the hacker group and an increase in the range of potential victims. At the same time, it has been revealed that the operators of this malware are leveraging GitHub to simplify their infrastructure.
Albabat’s Evolution and Multi-Platform Targeting
The first versions of Albabat appeared in late 2023. Recently, researchers detected versions 2.0.0 and 2.5, which can now collect system and hardware information across multiple operating systems. The malware retrieves its configuration through the GitHub REST API, disguising itself as an application signed with the name “Awesome App”. This configuration file controls the ransomware's behavior and functionality.
Targeted File Encryption and System Manipulation
Albabat is designed to avoid encrypting unnecessary system files, instead focusing on files likely to contain valuable data. The malware specifically targets dozens of file extensions, including executables, configuration files, music files, and library files.
Additionally, it terminates multiple user and system processes, including browsers, office applications, and system analysis tools, to maximize encryption effectiveness.
Data Exfiltration via Supabase
Collected information is sent to a Supabase cloud server via PostgreSQL, storing details such as:
- Device specifications
- Geolocation data
- User information
- Infection status
This database allows attackers to monitor infections, manage ransom payments, and potentially resell stolen data.
GitHub as a Centralized Infrastructure Hub
A key element of Albabat’s operations is its configuration retrieval method. The malware accesses a private repository on GitHub using a private authentication token.
- The repository "billdev1.github.io" was created in February 2024 by a user with the alias “Bill Borguiann”.
- Commit history shows active development of configuration files, particularly in August and September 2024.
- The developer's email is linked to the morke[.]org domain, which researchers believe may indicate a centralized infrastructure for the hacker group.
Within the GitHub repository, a “2.5.x” directory was found, presumably linked to an unreleased version of Albabat. This folder contains an updated configuration file featuring new cryptocurrency wallets for Bitcoin, Ethereum, Solana, and BNB. No transactions have been recorded yet, suggesting that this setup is still in the early testing phase.
GitHub as a Resilient Ransomware Platform
GitHub is being used as a centralized storage hub for critical malware components, making logistics easier and infrastructure costs lower for attackers. Hosting components on a legitimate third-party service in this way enhances operational resilience and makes detection more challenging for security systems.
Trend Micro’s Security Recommendations
Companies should actively monitor indicators of compromise (IoCs), as early threat detection significantly reduces potential damage. Recommended security measures include:
- Regular data backups
- Network segmentation
- Timely software updates
- Employee training on phishing awareness
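As an added illustration, not code from the report or from Trend Micro, the following Python scans constructed egress-log lines for the two network behaviours described above: GitHub REST API requests identified by the “Awesome App” name, and direct PostgreSQL connections to Supabase hosts from ordinary endpoints. It assumes the “Awesome App” string appears as the HTTP User-Agent, and the log format, host names and allowlists are hypothetical.

```python
import re

# Constructed sample egress log lines (invented for this example, not from the report).
# Assumed format: "<ts> <src_host> <proto> <dst_host>:<port> ua="<user-agent>" path=<path>"
SAMPLE_LOGS = """\
2024-09-03T10:01:11Z ws-finance-07 https api.github.com:443 ua="Awesome App" path=/repos/example-owner/example-repo/contents/config.json
2024-09-03T10:01:12Z ws-finance-07 tcp example-project.supabase.co:5432 ua="-" path=-
2024-09-03T10:02:00Z dev-build-01 https api.github.com:443 ua="git/2.43.0" path=/repos/acme/app/contents/README.md
2024-09-03T10:05:30Z ws-hr-02 https www.example.com:443 ua="Mozilla/5.0" path=/
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<proto>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) '
    r'ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)

# Hypothetical allowlists: hosts expected to talk to GitHub or to managed PostgreSQL.
DEV_HOSTS = {"dev-build-01"}
DB_CLIENTS = set()

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(ev):
    """Return a list of (severity, reason) findings for one parsed event."""
    findings = []
    if ev["dst"] == "api.github.com":
        if ev["ua"] == "Awesome App":
            # Assumption: the "Awesome App" name is sent as the User-Agent of the config fetch.
            findings.append(("high", "GitHub REST API request with the 'Awesome App' user agent"))
        elif ev["src"] not in DEV_HOSTS:
            findings.append(("low", "GitHub REST API access from a non-developer host"))
    if ev["port"] == "5432" and ev["dst"].endswith(".supabase.co") and ev["src"] not in DB_CLIENTS:
        findings.append(("high", "direct PostgreSQL connection to a Supabase host from an endpoint"))
    return findings

def scan(log_text):
    """Scan log text; return {src_host: [(severity, reason), ...]} for hosts with findings."""
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than failing the whole scan
        for finding in classify(ev):
            alerts.setdefault(ev["src"], []).append(finding)
    return alerts

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_LOGS).items():
        for severity, reason in hits:
            print(f"[{severity}] {host}: {reason}")
```

In the sample data only ws-finance-07 is flagged, once for each behaviour; the same two rules would apply to real proxy or firewall logs after adjusting the regex to their format.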
The Future of Albabat Ransomware
The latest versions of Albabat highlight a strategic expansion into multi-platform targeting, with hackers using legitimate services like GitHub to make their operations more stealthy and durable. The growing difficulty in detecting and blocking attacks requires security teams to adopt more adaptive and proactive network monitoring strategies.
