The GitVenom Campaign: Cryptocurrency Theft Using GitHub
Summary:
Researchers at Securelist have uncovered details of a malware campaign, dubbed "GitVenom," which has been distributing malicious code through fraudulent repositories on GitHub to target developers seeking tools for automation, cryptocurrency, and gaming hacks. The campaign uses advanced social engineering tactics to disguise harmful payloads as legitimate projects, infecting systems worldwide with cryptocurrency stealers and remote access trojans. In this case, actors have created hundreds of fake repositories offering Instagram bots, Bitcoin wallet managers, and Valorant hacking tools. These repositories have been carefully crafted, with professional README.md files containing installation guides, version histories, and misleading tags like "[Blockchain]" or "Steam API" to create a sense of authenticity. The repositories also feature timestamp files that are updated every few minutes to simulate active development.
Security Officer Comments:
The latest GitVenom campaign has been observed distributing three main types of payloads, all retrieved from an actor-controlled GitHub repository. These include a Node.js stealer that collects credentials, wallet.dat files, and browser histories, compresses them into .7z archives, and sends them via Telegram bots. Additionally, modified versions of the AsyncRAT and Quasar RATs have been observed, designed to give actors remote access to victim environments. Researchers have also observed the deployment of a clipboard hijacker that replaces cryptocurrency addresses copied to the clipboard with the attacker's Bitcoin wallet address, effectively diverting funds.
Securelist notes that the fake projects have been written in several programming languages, including Python, JavaScript, C, C++, and C#. As expected, these projects fail to implement the features described in their README.md files, with their code mostly performing irrelevant actions. However, each project contains embedded malicious code, with its placement varying based on the programming language. In Python projects, for example, the attackers inserted a long line of about 2,000 tab characters in one of the project files, followed by code that decrypts and executes a hidden Python script. In JavaScript projects, the attackers embedded a malicious function within the code, which is triggered from the main project file. As for repositories with C, C++, and C# code, the attackers concealed a malicious batch script within Visual Studio project files, setting it to execute during the project build process.
Suggested Corrections:
Developers should be cautious when downloading or interacting with repositories from unknown or unverified sources, especially those offering cryptocurrency utilities or gaming hacks. It is crucial to verify the authenticity of any repository by thoroughly inspecting the code, paying close attention to irregularities such as excessive or irrelevant code, suspicious installation instructions, and unusual file structures. Developers should also use static code analysis tools to scan for malicious code and ensure proper code reviews are in place to detect any hidden threats.
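The two hiding patterns described above (code pushed out of view behind a very long run of leading tabs, and shell commands wired into Visual Studio project build events) are simple enough to check for mechanically before a cloned repository is ever run or built. The following scanner is an added illustration, not Securelist's tooling or anything from the campaign; the 200-character whitespace threshold, the file-suffix lists, and the constructed sample tree it builds in a temporary directory are assumptions chosen for the demo. It flags source lines that hide code behind abnormal indentation and MSBuild project files that contain `PreBuildEvent`, `PostBuildEvent`, or `Exec` elements, which are the standard MSBuild hooks for running commands during a build.

```python
"""Heuristic pre-clone review for the hiding patterns described above.

Added example, not the campaign's code or Securelist's tooling. Flags:
  1. source lines with an abnormally long run of leading whitespace
     followed by code (the ~2,000-tab trick), and
  2. MSBuild project files that run commands at build time via
     PreBuildEvent / PostBuildEvent / Exec.
"""
import re
import tempfile
from pathlib import Path

# Assumption: no legitimate code indents this deeply; the campaign used ~2,000 tabs.
MAX_LEADING_WHITESPACE = 200
SOURCE_SUFFIXES = {".py", ".js", ".c", ".cpp", ".cs", ".h"}
PROJECT_SUFFIXES = {".csproj", ".vcxproj"}
# Real MSBuild elements that execute arbitrary commands during a build.
BUILD_EXEC_RE = re.compile(r"<(PreBuildEvent|PostBuildEvent|Exec)\b", re.IGNORECASE)


def scan_source_line(line_no, line):
    """Return (line_no, reason) if code is hidden behind excessive indentation."""
    stripped = line.lstrip(" \t")
    pad = len(line) - len(stripped)
    if pad > MAX_LEADING_WHITESPACE and stripped.strip():
        return (line_no, f"{pad} leading whitespace chars before code: {stripped[:40]!r}")
    return None


def scan_file(path):
    """Return a list of (kind, path, line_no, detail) findings for one file."""
    findings = []
    suffix = path.suffix.lower()
    if suffix in SOURCE_SUFFIXES:
        with open(path, encoding="utf-8", errors="replace") as f:
            for n, line in enumerate(f, 1):
                hit = scan_source_line(n, line.rstrip("\r\n"))
                if hit:
                    findings.append(("hidden-code", str(path), hit[0], hit[1]))
    elif suffix in PROJECT_SUFFIXES:
        text = path.read_text(encoding="utf-8", errors="replace")
        for m in BUILD_EXEC_RE.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append(("build-exec", str(path), line_no, m.group(0)))
    return findings


def scan_repo(root):
    """Walk a checked-out repository (skipping .git) and collect findings."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and ".git" not in p.parts:
            findings.extend(scan_file(p))
    return findings


def build_sample_repo():
    """Constructed sample tree mimicking the described layouts; contains no real payload."""
    root = Path(tempfile.mkdtemp(prefix="gitvenom_demo_"))
    # Looks like a harmless bot; line 5 hides a call behind 2,000 tabs.
    (root / "bot.py").write_text(
        "import time\n\ndef run():\n    time.sleep(1)\n"
        + "\t" * 2000 + "hidden_stage()  # constructed stand-in for the concealed loader\n"
    )
    (root / "clean.py").write_text("def add(a, b):\n    return a + b\n")
    # Project file that launches a batch script before the build starts.
    (root / "app.csproj").write_text(
        "<Project>\n  <PropertyGroup>\n"
        "    <PreBuildEvent>cmd /c setup.bat</PreBuildEvent>\n"
        "  </PropertyGroup>\n</Project>\n"
    )
    return root


if __name__ == "__main__":
    for kind, path, line_no, detail in scan_repo(build_sample_repo()):
        print(f"[{kind}] {path}:{line_no}: {detail}")
```

Run against a real clone with `scan_repo("/path/to/clone")`; anything reported under `hidden-code` or `build-exec` deserves a manual read before the project is executed or opened in Visual Studio, since build events run with the developer's privileges as soon as the project is built.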
Link(s):
https://securelist.com/gitvenom-campaign/115694/