Kaspersky’s Securelist exposes the GitVenom campaign involving fake GitHub repositories to distribute malware. Targeting developers with seemingly legitimate open-source projects, GitVenom steals credentials, cryptocurrency, and more.
In modern software development, open-source code is crucial as it offers a vast library of projects for developers to avoid redundant work and accelerate project completion. However, this widespread availability has attracted malicious actors, including state-sponsored groups and cybercriminals, who exploit the model to distribute malware.
A recent campaign, dubbed GitVenom, targeting GitHub users with deceptive projects exemplifies this trend, as detailed in Kaspersky’s Securelist latest research authored by Georgy Kucherin and Joao Godinho.
GitVenom involves the creation of numerous fake repositories on GitHub, masked as legitimate projects. These repositories contain malicious code disguised within seemingly useful tools, such as Instagram automation software, a Telegram Bitcoin wallet bot, and a Valorant hacking tool.
Researchers observed that the perpetrators have invested significant effort in making these repositories appear genuine. They utilize well-crafted README.md files, potentially generated with AI assistance, providing project descriptions and compilation instructions. Furthermore, they employ tactics like adding numerous tags and artificially inflating commit counts through timestamp manipulation to enhance the illusion of authenticity.
Interestingly, the malicious code within these projects varies depending on the programming language used, which includes Python, JavaScript, C, C++, and C#. While the projects promise specific functionalities, they ultimately perform meaningless actions and harbour hidden malware.
In Python projects, for example, malicious code is concealed within lengthy lines of tab characters (around 2000), which then decrypt and execute a secondary Python script. JavaScript projects feature malicious functions invoked from the main file, while C, C++, and C# projects embed malicious batch scripts within Visual Studio project files, configured to run during the build process.
Despite the diverse implementation, the payloads share a common objective: to download additional components from a designated attacker-controlled GitHub repository. These components include a Node.js information stealer designed to harvest sensitive data like passwords, banking details, credentials, cryptocurrency wallet information, and browsing history. This data is then compressed and exfiltrated to the attackers via Telegram.
Additionally, the downloaded components often include remote administration tools like AsyncRAT and Quasar RAT, enabling attackers to seize control of compromised systems. A clipboard hijacker is also deployed, designed to replace cryptocurrency wallet addresses copied to the clipboard with attacker-controlled addresses, redirecting funds to the perpetrators. One such Bitcoin wallet associated with this activity received about 5 BTC (485,000 USD) in November 2024.
The GitVenom campaign has been active for at least two years, and its effectiveness is evident in the global reach of infection attempts, with a concentration in Russia, Brazil, and Turkey. Given the popularity of code-sharing platforms like GitHub, malicious actors will continue to exploit this avenue.
Therefore, exercising caution with third-party code is crucial. Thoroughly examining the actions performed by any code before execution or integration is essential for identifying fake projects and preventing compromise.
