A sophisticated malware operation known as GitVenom is leveraging hundreds of GitHub repositories to distribute info-stealers, remote access trojans (RATs), and clipboard hijackers. These malicious tools are designed to siphon off cryptocurrency and sensitive credentials from unsuspecting users.

Global Reach and Targeted Regions

According to cybersecurity firm Kaspersky, the GitVenom campaign has been active for over two years, impacting users worldwide. However, it has shown a particular focus on regions such as Russia, Brazil, and Turkey.

Deceptive Repository Tactics

The threat actors behind GitVenom have established numerous repositories on GitHub, masquerading as legitimate projects. These repositories often contain fake software tools, such as automation scripts for Instagram, Telegram bots for Bitcoin wallet management, and hacking utilities for video games like Valorant.

  • Artificial Activity: The attackers inflate the number of commits to these repositories to create an illusion of active development and enhance credibility.
  • AI-Generated Content: Detailed readme files are crafted, potentially using AI tools, to further deceive users into downloading malicious code.

Malware Embedded in GitHub Projects

Analysis by Kaspersky reveals that the malicious code within these repositories is written in diverse programming languages, including Python, JavaScript, C, C++, and C#. This variety helps the malware evade detection by specific code-review tools.

Malicious Tools Utilized

Once a victim executes the initial payload, it downloads a second-stage payload from a GitHub repository controlled by the attackers. The tools used in this campaign include:

  • Node.js Stealer: An infostealer that targets saved credentials, cryptocurrency wallet data, and browsing history, exfiltrating the information via Telegram.
  • AsyncRAT: An open-source RAT enabling remote control, keylogging, screen capturing, file manipulation, and command execution.
  • Quasar Backdoor: A RAT similar to AsyncRAT, offering extensive control over infected systems.
  • Clipboard Hijacker: Monitors clipboard activity for cryptocurrency wallet addresses and replaces them with attacker-controlled addresses to redirect funds.
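The clipboard hijacker described above works by watching for a copied wallet address and overwriting it with the attacker's. The following is an added example, not code from Kaspersky's report or from the campaign itself, of a defender-side heuristic for that behaviour: given a timeline of clipboard snapshots, it flags a wallet address that is replaced by a different address of the same kind within a couple of seconds, which a person rarely does by hand. The address regexes, the two-second window and the sample timeline are all constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# Coarse address shapes for two commonly targeted chains (constructed regexes, not exhaustive)
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str):
    """Return 'btc', 'eth' or None depending on whether text looks like a wallet address."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


@dataclass
class ClipboardEvent:
    ts: float      # seconds since an arbitrary epoch
    content: str   # clipboard text observed at that moment


def detect_address_swaps(events, window_s: float = 2.0):
    """Flag a wallet address that is replaced by a different address of the same
    kind within window_s seconds. A user seldom copies two different addresses
    that quickly; a hijacker rewriting the clipboard right after a copy does."""
    alerts = []
    prev = None
    for ev in events:
        kind = address_kind(ev.content)
        if prev is not None and kind is not None:
            same_kind = address_kind(prev.content) == kind
            changed = prev.content.strip() != ev.content.strip()
            if same_kind and changed and (ev.ts - prev.ts) <= window_s:
                alerts.append({
                    "kind": kind,
                    "original": prev.content.strip(),
                    "replacement": ev.content.strip(),
                    "delta_s": round(ev.ts - prev.ts, 3),
                })
        prev = ev
    return alerts


# Constructed clipboard timeline; the addresses are made-up strings in a valid shape
USER_BTC = "bc1q" + "a" * 38
SWAPPED_BTC = "bc1q" + "z" * 38
ETH_ONE = "0x" + "1" * 40
ETH_TWO = "0x" + "2" * 40

SAMPLE_EVENTS = [
    ClipboardEvent(10.0, USER_BTC),            # user copies their own deposit address
    ClipboardEvent(10.3, SWAPPED_BTC),         # 300 ms later the clipboard holds another address
    ClipboardEvent(50.0, "https://example.com/invoice"),
    ClipboardEvent(60.0, ETH_ONE),
    ClipboardEvent(70.0, ETH_TWO),             # 10 s apart: plausible manual copy, not flagged
]

if __name__ == "__main__":
    for a in detect_address_swaps(SAMPLE_EVENTS):
        print(f"[ALERT] {a['kind']} address replaced after {a['delta_s']}s: "
              f"{a['original'][:12]}... -> {a['replacement'][:12]}...")
```

In a real endpoint agent the events would come from polling the system clipboard rather than a constructed list; the point of the heuristic is the timing: legitimate address changes are seconds or minutes apart, while a hijacker rewrites the clipboard almost immediately after the copy.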

Incident Highlight

In one notable incident from November 2024, the attackers successfully transferred 5 BTC, valued at approximately half a million USD, to their Bitcoin wallet.

Protective Measures Against GitVenom

While the abuse of GitHub for distributing malware is not new, the scale and persistence of GitVenom highlight the ongoing effectiveness of such tactics. Users must exercise caution by thoroughly vetting projects before downloading any files. Key precautions include:

  • Inspect Repository Contents: Carefully review the files and code within a repository.
  • Use Antivirus Tools: Scan downloaded files with reliable antivirus software.
  • Isolated Execution: Run files in a secure, isolated environment to prevent system compromise.