The GitVenom campaign, a sophisticated cyber threat, has been exploiting GitHub repositories to spread malware and steal cryptocurrency.
This campaign involves creating hundreds of fake GitHub repositories that appear legitimate but contain malicious code.
These repositories are designed to lure unsuspecting developers into downloading and executing the malicious code, which can lead to significant financial losses.
The attackers behind GitVenom have crafted their fake projects in multiple programming languages, including Python, JavaScript, C, C++, and C#.
These projects often promise functionalities like automation tools for social media or cryptocurrency management but instead perform meaningless actions while hiding malicious code.
For instance, Python-based projects use a technique where a long line of tab characters is followed by code that decrypts and executes a malicious Python script.
In JavaScript projects, malicious functions are embedded to decode and execute scripts from Base64.
For C, C++, and C# projects, malicious batch scripts are hidden within Visual Studio project files to execute during the build process.
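As an added example (not code from the report or from the campaign itself), the following Python scanner flags the three hiding techniques just described in a checked-out repository: a long run of tabs pushing Python code off-screen, JavaScript that feeds a long Base64 literal to eval/Function, and build events in Visual Studio project files. The suffix mapping, thresholds and sample inputs are assumptions for illustration.

```python
import re
from pathlib import Path

# Heuristics derived from the three hiding techniques described above.
# Thresholds (tab count, Base64 length) are assumptions; tune them per codebase.
TAB_RUN = re.compile(r"\t{100,}\S")                                # code pushed off-screen by tabs
B64_LITERAL = re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")   # long Base64 blob
JS_EXEC = re.compile(r"\b(?:eval|Function)\s*\(")                  # eval(...) / new Function(...)
BUILD_EVENT = re.compile(r"<(?:PreBuildEvent|PostBuildEvent|Exec)\b", re.I)

def scan_source(name: str, text: str) -> list[str]:
    """Return human-readable findings for one file's contents, keyed on its suffix."""
    findings = []
    suffix = Path(name).suffix.lower()
    if suffix == ".py":
        for m in TAB_RUN.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append(f"{name}:{line}: code hidden behind a long run of tabs")
    elif suffix in {".js", ".ts"}:
        if JS_EXEC.search(text) and B64_LITERAL.search(text):
            findings.append(f"{name}: eval/Function combined with a long Base64 literal")
    elif suffix in {".vcxproj", ".csproj"}:
        for m in BUILD_EVENT.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append(f"{name}:{line}: build event runs a command during compilation")
    return findings

def scan_tree(root: str) -> list[str]:
    """Walk a checked-out repository and collect findings from every file."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            findings.extend(scan_source(str(path), text))
    return findings

# Constructed samples (not real campaign artefacts) so the checks run offline.
SAMPLE_PY = "print('hello')" + "\t" * 150 + "exec(decrypt(blob))\n"
SAMPLE_JS = "const p='" + "A" * 300 + "==';eval(Buffer.from(p,'base64').toString());\n"
SAMPLE_PROJ = "<Project><PropertyGroup><PreBuildEvent>run.bat</PreBuildEvent></PropertyGroup></Project>\n"
SAMPLE_CLEAN_PY = "import os\nprint(os.getcwd())\n"

if __name__ == "__main__":
    samples = [("bot.py", SAMPLE_PY), ("app.js", SAMPLE_JS),
               ("tool.vcxproj", SAMPLE_PROJ), ("ok.py", SAMPLE_CLEAN_PY)]
    for name, text in samples:
        for finding in scan_source(name, text):
            print(finding)
```

Run `scan_tree("/path/to/clone")` on a freshly cloned repository before opening or building it; a hit is a reason to read the flagged lines, not proof of malice.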
The malicious payloads deployed from these fake projects aim to download additional malicious components from an attacker-controlled GitHub repository.
These components include a Node.js stealer that collects sensitive information like credentials and cryptocurrency wallet data, uploads it to the attackers via Telegram, and uses tools like the open-source AsyncRAT and Quasar backdoors.
According to the Securelist report, a clipboard hijacker is also used to replace cryptocurrency wallet addresses with those controlled by the attackers, leading to significant financial theft.
Notably, one attacker-controlled Bitcoin wallet received about 5 BTC (approximately $485,000 at the time) in November 2024.
The GitVenom campaign has been active for several years, with infection attempts observed worldwide, particularly in Russia, Brazil, and Turkey.
This campaign highlights the risks associated with blindly running code from GitHub or other open-source platforms.
To mitigate these risks, developers must thoroughly inspect third-party code before execution or integration into their projects.
This includes checking for suspicious code patterns and ensuring that the code aligns with the described functionalities.
As the use of open-source code continues to grow, so does the potential for similar campaigns, emphasizing the need for vigilance in handling third-party code.