GitVenom Campaign Abuses Thousands of GitHub Repositories to Infect Users


The GitVenom campaign, a sophisticated cyber threat, has been exploiting GitHub repositories to spread malware and steal cryptocurrency.

This campaign involves creating hundreds of fake GitHub repositories that appear legitimate but contain malicious code.

These repositories are designed to lure unsuspecting developers into downloading and executing the malicious code, which can lead to significant financial losses.

Malicious Code Deployment

The attackers behind GitVenom have crafted their fake projects in multiple programming languages, including Python, JavaScript, C, C++, and C#.

These projects often promise functionalities like automation tools for social media or cryptocurrency management but instead perform meaningless actions while hiding malicious code.

For instance, Python-based projects use a technique where a long line of tab characters is followed by code that decrypts and executes a malicious Python script.

[Figure: Example structure of a malicious GitVenom repository]

In JavaScript projects, malicious functions are embedded to decode and execute scripts from Base64.

For C, C++, and C# projects, malicious batch scripts are hidden within Visual Studio project files to execute during the build process.

The malicious payloads deployed from these fake projects aim to download additional malicious components from an attacker-controlled GitHub repository.

These components include a Node.js stealer that collects sensitive information such as credentials and cryptocurrency wallet data and uploads it to the attackers via Telegram, along with the open-source AsyncRAT and Quasar backdoors.

According to the Securelist report, a clipboard hijacker is also used to replace cryptocurrency wallet addresses with ones controlled by the attackers, leading to significant financial theft.

Notably, one attacker-controlled Bitcoin wallet received about 5 BTC (approximately $485,000 at the time) in November 2024.

Impact and Mitigation

The GitVenom campaign has been active for several years, with infection attempts observed worldwide, particularly in Russia, Brazil, and Turkey.

This campaign highlights the risks associated with blindly running code from GitHub or other open-source platforms.

To mitigate these risks, developers must thoroughly inspect third-party code before execution or integration into their projects.

This includes checking for suspicious code patterns and ensuring that the code aligns with the described functionalities.
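As an added example (not code from the article or from Securelist), the following Python script is a heuristic scanner for the three repository shapes the article describes: tab-padded payload lines in Python sources, Base64 decoding paired with dynamic execution in JavaScript, and shell commands wired into the build of Visual Studio project files. It is the kind of check the inspection advice above calls for before running third-party code. The tab threshold, regexes, rule names and the sample repository it builds are my own assumptions; a match is a prompt for manual review, not a verdict.

```python
"""Heuristic repository scanner for the GitVenom-style indicators described
in the article. Added example; thresholds and patterns are assumptions."""
import re
import tempfile
from pathlib import Path

TAB_PAD_MIN = 40  # assumption: our threshold for "a long line of tab characters"

# Heuristic patterns (ours), modelled on the behaviours the article describes.
PY_TAB_RUN_RE = re.compile(r"\t{%d,}(?=\S)" % TAB_PAD_MIN)     # tab run then code
PY_DECODE_EXEC_RE = re.compile(r"\b(exec|eval)\s*\(|b64decode\s*\(|\.decrypt\s*\(")
JS_B64_RE = re.compile(r"\batob\s*\(|Buffer\.from\s*\([^)]*['\"]base64['\"]")
JS_EXEC_RE = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|child_process")
VS_BUILD_CMD_RE = re.compile(
    r"<(PreBuildEvent|PostBuildEvent|Command)>(.*?)</\1>"      # .vcxproj / old .csproj
    r"|<Exec\b[^>]*\bCommand\s*=\s*\"([^\"]*)\"", re.S | re.I)  # SDK-style <Exec/>


def scan_python(text):
    """Flag tab-padded code and decode/exec calls, line by line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PY_TAB_RUN_RE.search(line)
        if m:
            hits.append(("py-tab-padded-code", n, f"{len(m.group(0))} tabs then code"))
        m = PY_DECODE_EXEC_RE.search(line)
        if m:
            hits.append(("py-decode-exec", n, m.group(0)))
    return hits


def scan_javascript(text):
    """Flag a file only when Base64 decoding AND dynamic execution both appear."""
    lines = text.splitlines()
    b64 = [n for n, l in enumerate(lines, 1) if JS_B64_RE.search(l)]
    ex = [n for n, l in enumerate(lines, 1) if JS_EXEC_RE.search(l)]
    if b64 and ex:
        return [("js-base64-exec", ex[0], f"base64 decode at {b64}, exec at {ex}")]
    return []


def scan_vs_project(text):
    """Flag every command that would run as part of the build."""
    hits = []
    for m in VS_BUILD_CMD_RE.finditer(text):
        cmd = re.sub(r"<[^>]+>", " ", m.group(2) or m.group(3) or "")
        cmd = " ".join(cmd.split())
        if cmd:
            line = text.count("\n", 0, m.start()) + 1
            hits.append(("vs-build-event-command", line, cmd[:80]))
    return hits


SCANNERS = {".py": scan_python, ".js": scan_javascript, ".mjs": scan_javascript,
            ".csproj": scan_vs_project, ".vcxproj": scan_vs_project}


def scan_repo(root):
    """Walk a checked-out repository; return (relative path, rule, line, detail)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        scanner = SCANNERS.get(path.suffix.lower())
        if scanner and path.is_file():
            for rule, line, detail in scanner(path.read_text(errors="replace")):
                findings.append((str(path.relative_to(root)), rule, line, detail))
    return findings


def demo():
    """Build a constructed sample repository with the three shapes and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Python: a plausible line, 2000 tabs, then hidden decode-and-exec code.
        (root / "bot.py").write_text(
            "import json\ndef post(msg):\n    print('posting', msg)" + "\t" * 2000
            + ";exec(__import__('base64').b64decode(b'cHJpbnQoMSk='))\n")
        (root / "util.py").write_text("def add(a, b):\n    return a + b\n")  # benign
        # JavaScript: Base64 decode feeding eval.
        (root / "loader.js").write_text(
            "function load(s) { return Buffer.from(s, 'base64').toString(); }\n"
            "eval(load('Y29uc29sZS5sb2coMSk='));\n")
        # Visual Studio projects: commands that run during the build (placeholders).
        (root / "app.vcxproj").write_text(
            "<Project>\n  <ItemDefinitionGroup>\n    <PreBuildEvent>\n"
            "      <Command>cmd /c %TEMP%\\build.bat</Command>\n"
            "    </PreBuildEvent>\n  </ItemDefinitionGroup>\n</Project>\n")
        (root / "app.csproj").write_text(
            "<Project Sdk=\"Microsoft.NET.Sdk\">\n  <Target Name=\"Pre\" "
            "BeforeTargets=\"Build\">\n    <Exec Command=\"powershell -File setup.ps1\" />\n"
            "  </Target>\n</Project>\n")
        return scan_repo(root)


if __name__ == "__main__":
    for f in demo():
        print("%-12s %-24s line %-4d %s" % f)
```

Each rule deliberately errs on the side of reporting: a build event in a project file is legitimate in many repositories, and `eval` has honest uses, so the output is a review list for the person about to run the code, which is the manual inspection step the article recommends.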

As the use of open-source code continues to grow, so does the potential for similar campaigns, emphasizing the need for vigilance in handling third-party code.
