Albabat Ransomware Attacking Windows, Linux & macOS by Leveraging GitHub

Researchers have uncovered new versions of the Albabat ransomware that target Windows, Linux, and macOS systems, turning what was a Windows-only family into a cross-platform threat.

The operators run the campaign through GitHub repositories: the ransomware pulls its configuration from GitHub at run time, which lets them change its behaviour and keep track of infected systems across all three operating systems without shipping a new binary.

The ransomware, previously known to target only Windows systems, has expanded its capabilities significantly with versions 2.0.0 and 2.5 discovered in the wild.


Trend Micro researchers identified that these newer variants retrieve their configuration data through the GitHub REST API using a distinctive “User-Agent” string, “Awesome App,” allowing operators to modify ransomware behavior remotely without requiring new binary deployments. That string is a usable network indicator, though a brittle one, since the operators can change it in the next build.

Analysis of network traffic reveals how the ransomware connects to GitHub repositories to download crucial configuration files.

An image from Fiddler shows the download of the ransomware configuration (Source – Trend Micro)

The capture shows the HTTP GET request that retrieves the configuration from the billdev1 GitHub account, which hosts the malware’s operational parameters.
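As an added example (not code from the article or from Trend Micro), the Python below turns that observation into a detection: it parses proxy-log lines and flags requests whose User-Agent is exactly "Awesome App", scoring a hit to api.github.com higher than the same string sent anywhere else. The log format, the sample lines, and the repository path after /repos/billdev1/ are constructed for the example; the page only names the billdev1 account, the billdev1.github.io repository, and the User-Agent string.

```python
"""Detection sketch for Albabat-style GitHub config retrieval.

Added example, not Trend Micro's or the malware author's code. It scans
proxy/web-log lines for requests to the GitHub REST API that carry the
User-Agent string "Awesome App" reported for Albabat v2.x. The log format
and the sample lines below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed proxy-log format for this example:
#   <iso-timestamp> <src-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<ua>[^"]*)"\s*$'
)

# Reported by Trend Micro for Albabat v2.x: the config is pulled from the
# GitHub REST API with this exact User-Agent string.
ALBABAT_UA = "Awesome App"
GITHUB_API_HOST = "api.github.com"


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    url: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[str]:
    """Map one parsed record to a detection reason, or None if it is not of interest.

    High confidence: the reported UA hitting the GitHub REST API.
    Lower confidence: the same UA to any other host, which keeps the hunt
    alive if the operators move the configuration off GitHub."""
    if rec["ua"] != ALBABAT_UA:
        return None
    host = (urlparse(rec["url"]).hostname or "").lower()
    if host == GITHUB_API_HOST:
        return "albabat-ua-to-github-api"
    return "albabat-ua-other-host"


def scan(lines) -> List[Hit]:
    """Run the classifier over an iterable of raw log lines."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, never silently matched
        reason = classify(rec)
        if reason:
            hits.append(Hit(rec["ts"], rec["src"], rec["url"], reason))
    return hits


# Constructed sample log. The path after /repos/billdev1/ is an assumption;
# the report names only the billdev1 account and the billdev1.github.io repo.
SAMPLE_LOG = [
    '2024-09-02T01:14:09Z 10.0.4.21 GET https://api.github.com/repos/octocat/hello-world/commits 200 "git/2.43.0"',
    '2024-09-02T01:14:11Z 10.0.4.21 GET https://api.github.com/repos/billdev1/billdev1.github.io/contents/config.json 200 "Awesome App"',
    '2024-09-02T01:15:30Z 10.0.4.37 GET https://www.google.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-09-02T01:16:02Z 10.0.4.21 GET https://example.invalid/cfg 404 "Awesome App"',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} {hit.reason} {hit.url}")
```

The User-Agent match alone is a weak signal; in practice pair it with a behavioural rule such as a non-browser, non-git process on a workstation reaching api.github.com, so that the detection survives a change of string.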

The ransomware is programmed to avoid encrypting certain system folders and files while targeting valuable user data.

It also terminates numerous processes, including productivity applications, browsers, and system utilities, so that open file handles do not block encryption.

This data represents information stolen by ransomware from an infected machine (Source – Trend Micro)

The configuration details extracted from GitHub show that Albabat collects extensive system information from victims, including hardware specifications and user details.

A script to gather hardware and system information on Linux and macOS systems (Source – Trend Micro)

Most concerning is the ransomware’s cross-platform functionality: the configuration carries commands written specifically for Linux and macOS, including the scripts used to gather hardware and system information on those operating systems.

Technical Infrastructure Behind Albabat

The GitHub repository billdev1.github.io forms the core of Albabat’s infrastructure, created in February 2024 according to the commit history.

The repository shows consistent development activity, with increased commits during August and September 2024, concentrated between 00:00 to 04:00 UTC and 12:00 to 16:00 UTC as illustrated in Figure 9.
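The kind of working-hours profile behind that observation can be reproduced from the commit list the GitHub REST API returns. The Python below is an added example, not code from the Trend Micro report or from the billdev1 repository: it reads the `commit.author.date` field from the shape returned by `GET /repos/{owner}/{repo}/commits`, normalises every timestamp to UTC, and counts commits per calendar month and per four-hour UTC window. The commit records are constructed for the example, not real billdev1 commits; one carries a +08:00 offset to show that author offsets are folded into UTC rather than read as a wall-clock hour.

```python
"""Working-hours profile of a repository's commit history.

Added example; not from the Trend Micro report or the billdev1 repository.
Only the fields this analysis reads are kept from the GitHub REST API
/commits response shape. The records below are constructed.
"""
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

SAMPLE_COMMITS_JSON = json.dumps([
    {"sha": "c0ffee01", "commit": {"author": {"date": "2024-02-10T03:12:00Z"}}},
    {"sha": "c0ffee02", "commit": {"author": {"date": "2024-08-14T02:31:07Z"}}},
    {"sha": "c0ffee03", "commit": {"author": {"date": "2024-08-14T13:02:44Z"}}},
    {"sha": "c0ffee04", "commit": {"author": {"date": "2024-08-20T00:45:10Z"}}},
    {"sha": "c0ffee05", "commit": {"author": {"date": "2024-09-01T15:59:59Z"}}},
    {"sha": "c0ffee06", "commit": {"author": {"date": "2024-09-03T21:05:00+08:00"}}},
    {"sha": "c0ffee07", "commit": {"author": {"date": "2024-09-09T03:10:00Z"}}},
    {"sha": "c0ffee08", "commit": {"author": {"date": "2024-09-12T19:20:00Z"}}},
])


def commit_dates_utc(payload: str) -> List[datetime]:
    """Parse commit.author.date from a /commits response into aware UTC datetimes."""
    dates = []
    for item in json.loads(payload):
        raw = item["commit"]["author"]["date"]
        # datetime.fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
        stamp = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        dates.append(stamp.astimezone(timezone.utc))
    return dates


def window_counts(dates: List[datetime], width_hours: int = 4) -> Dict[str, int]:
    """Count commits per fixed-width UTC window, labelled like '00:00-04:00 UTC'."""
    counts: Counter = Counter()
    for d in dates:
        start = (d.hour // width_hours) * width_hours
        counts[f"{start:02d}:00-{start + width_hours:02d}:00 UTC"] += 1
    return dict(sorted(counts.items()))


def month_counts(dates: List[datetime]) -> Dict[str, int]:
    """Count commits per calendar month (YYYY-MM) in UTC."""
    return dict(sorted(Counter(d.strftime("%Y-%m") for d in dates).items()))


def busiest_windows(dates: List[datetime], top: int = 2) -> List[str]:
    """Windows with the most commits, busiest first; ties broken by label."""
    wc = window_counts(dates)
    ranked = sorted(wc.items(), key=lambda kv: (-kv[1], kv[0]))
    return [label for label, _ in ranked[:top]]


if __name__ == "__main__":
    dates = commit_dates_utc(SAMPLE_COMMITS_JSON)
    print(month_counts(dates))
    print(window_counts(dates))
    print("busiest:", busiest_windows(dates))
```

Note that the author date, not the committer date, is what a developer's local clock stamps; the offset it carries (here +08:00 on one record) is itself a weak attribution signal worth keeping before it is normalised away.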

The latest version under development, identified as v2.5.x in the repository, includes updated configurations with new cryptocurrency wallets.

The configuration file lists Bitcoin, Ethereum, Solana, and BNB addresses designated for ransom payments; the Bitcoin and Ethereum entries read:

"coin": {
    "btc": {
        "name": "B1tco1n",
        "address": "bciqnv3ksiqx564u6xk9xruixeceu5zvhnp7q6myzk",
        "amount": "0.0018"
    },
    "eth": {
        "name": "Ethereum",
        "address": "0x43d880e2966a062fAr350A574cr3da0d9c6c5F24",
        "amount": "0.04525435"
    }
}

While no transactions have been detected in these wallets yet, their presence indicates the operators are preparing for a potential increase in attacks leveraging their cross-platform capabilities.
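An analyst lifting wallet addresses out of a configuration like the one above should validate them before pushing them into a blocklist or a blockchain watch. The Python below is an added example, not part of the article, the Trend Micro report, or the malware: it parses the "coin" section, checks Bitcoin strings against the bech32/bech32m checksum (BIP173/BIP350) and Base58Check, and checks Ethereum strings for the 0x-prefixed 40-hex-digit shape. Run against the excerpt exactly as printed on this page, both addresses fail: the Bitcoin string has no bech32 separator and does not decode to a 25-byte Base58Check payload, and the Ethereum string contains the non-hex letter "r". Whether that reflects redaction in the published report or a transcription error, the strings should not be used as indicators as they stand. The known-good addresses used to show a passing check (the BIP173 test vector and the Bitcoin genesis coinbase address) are public test values unrelated to Albabat; the "btc"/"eth" keys and the "address" and "amount" field names are taken from the excerpt.

```python
"""Extract and sanity-check ransom wallet addresses from an Albabat-style config.

Added example; not code from the article, Trend Micro, or the malware.
"""
import hashlib
import json
import re
from typing import Dict, List, Optional, Tuple

# Excerpt of the v2.5 configuration as printed in the article (addresses unchanged).
ALBABAT_CONFIG_EXCERPT = """{
  "coin": {
    "btc": {"name": "B1tco1n",  "address": "bciqnv3ksiqx564u6xk9xruixeceu5zvhnp7q6myzk", "amount": "0.0018"},
    "eth": {"name": "Ethereum", "address": "0x43d880e2966a062fAr350A574cr3da0d9c6c5F24", "amount": "0.04525435"}
  }
}"""

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32M_CONST = 0x2BC830A3
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ETH_HEX_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def _bech32_polymod(values: List[int]) -> int:
    """BIP173 checksum polynomial over 5-bit values."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk


def decode_bech32(addr: str) -> Optional[Tuple[str, str]]:
    """Return (encoding, hrp) for a well-formed bech32/bech32m string, else None."""
    if not 8 <= len(addr) <= 90 or (addr != addr.lower() and addr != addr.upper()):
        return None  # length bounds and no mixed case, per BIP173
    addr = addr.lower()
    sep = addr.rfind("1")  # the separator is the last '1' in the string
    if sep < 1 or sep + 7 > len(addr):
        return None
    hrp, data_part = addr[:sep], addr[sep + 1:]
    if any(not 33 <= ord(c) <= 126 for c in hrp) or any(c not in BECH32_CHARSET for c in data_part):
        return None
    data = [BECH32_CHARSET.index(c) for c in data_part]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    const = _bech32_polymod(hrp_expanded + data)
    if const == 1:
        return ("bech32", hrp)
    if const == BECH32M_CONST:
        return ("bech32m", hrp)
    return None


def base58check_ok(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 are a valid double-SHA256 checksum."""
    if not addr or any(c not in B58_ALPHABET for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58_ALPHABET.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # leading '1's are zero bytes
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def check_address(coin: str, addr: str) -> str:
    """Classify one address; 'ok:<format>' means it is at least well-formed."""
    if coin == "btc":
        dec = decode_bech32(addr)
        if dec and dec[1] == "bc":
            return "ok:" + dec[0]
        if base58check_ok(addr):
            return "ok:base58check"
        return "invalid:not-bech32-or-base58check"
    if coin == "eth":
        # Only the hex shape is checked; verifying an EIP-55 mixed-case checksum
        # needs keccak-256, which the standard library does not provide.
        return "ok:hex" if ETH_HEX_RE.match(addr) else "invalid:not-40-hex-digits"
    return "unchecked"


def extract_wallets(config_json: str) -> List[Dict[str, str]]:
    """Walk the 'coin' section and return each entry with a validation status."""
    cfg = json.loads(config_json)
    out = []
    for coin, entry in cfg.get("coin", {}).items():
        addr = str(entry.get("address", ""))
        out.append({"coin": coin, "address": addr,
                    "amount": str(entry.get("amount", "")),
                    "status": check_address(coin, addr)})
    return out


if __name__ == "__main__":
    for w in extract_wallets(ALBABAT_CONFIG_EXCERPT):
        print(f'{w["coin"]:4} {w["status"]:36} {w["address"]}')
```

A passing check only says the string is well-formed; it says nothing about who controls the wallet, so "ok" addresses still need to be watched on-chain rather than treated as confirmed payment destinations.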


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.