Identifying a New Attack Vector on GitHub
Kaspersky researchers have recently discovered a new attack vector on GitHub that poses a threat to crypto wallets. The attack uses GitHub repositories to distribute malicious code to unsuspecting users who clone or build the projects.
The GitVenom Campaign
The investigation conducted by Kaspersky revealed a sophisticated campaign known as GitVenom. In this campaign, threat actors created numerous GitHub repositories that appeared to offer utilities for social media automation, wallet management, and gaming enhancements. Despite their legitimate-looking facade, the code in these repositories did not deliver the promised functionality. Instead, it embedded instructions to install cryptographic libraries, download additional payloads, and execute hidden scripts.
Characteristics of GitVenom Repositories
- The malicious code is present in Python, JavaScript, C, C++, and C# projects.
- Python-based repositories feature a sequence of tab characters followed by commands to install cryptographic packages and run encrypted payloads.
- JavaScript projects include a function that decodes Base64-encoded scripts to initiate malicious activities.
- C, C++, and C# projects contain a hidden batch script in Visual Studio project files that activates during build time.
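The three patterns above are concrete enough to look for mechanically before building anything from an unfamiliar repository. The scanner below is an added example, not Kaspersky's tooling or any GitVenom code; its regular expressions, thresholds (such as the 20-tab run), the keyword lists and the sample files are assumptions derived from the descriptions above, and it is meant to surface files for manual review rather than to give a verdict.

```python
"""Heuristic repository scanner for the three GitVenom indicators listed above.

Added example (not Kaspersky's or GitVenom's code). The regexes are assumptions
derived from the article's descriptions and only flag files for manual review.
"""
import re
import tempfile
from pathlib import Path

# Python: a long run of tab characters pushes the real code far to the right
# (off-screen in most viewers); it is followed by package installs / exec calls.
PY_TAB_RUN = re.compile(r"\t{20,}\S")
PY_PAYLOAD = re.compile(r"pip\W{1,5}install|subprocess|\bexec\(|Fernet|cryptography|urlopen")

# JavaScript: a Base64 decode feeding eval() / new Function().
JS_B64_DECODE = re.compile(r"atob\(|Buffer\.from\([^)]*['\"]base64['\"]")
JS_EVAL = re.compile(r"\beval\(|new\s+Function\(")

# C/C++/C#: MSBuild pre/post-build events run shell commands at build time.
# Flag ones that invoke a shell, a known downloader binary, or a batch file
# (keyword list is an assumption, not taken from the article).
VS_BUILD_EVENT = re.compile(r"<(Pre|Post)BuildEvent>(.*?)</\1BuildEvent>", re.S | re.I)
VS_SHELL = re.compile(r"cmd\.exe|powershell|certutil|bitsadmin|curl\b|wscript|\.bat\b", re.I)

SCANNED = {".py", ".js", ".mjs", ".cjs", ".vcxproj", ".csproj"}


def scan_text(name: str, text: str) -> list[str]:
    """Return human-readable findings for the contents of one file."""
    findings = []
    suffix = Path(name).suffix.lower()
    if suffix == ".py":
        for m in PY_TAB_RUN.finditer(text):
            tail = text[m.start():m.start() + 400]  # what the tab run is hiding
            if PY_PAYLOAD.search(tail):
                line = text.count("\n", 0, m.start()) + 1
                findings.append(f"{name}:{line}: long tab run hiding install/exec code")
    elif suffix in {".js", ".mjs", ".cjs"}:
        if JS_B64_DECODE.search(text) and JS_EVAL.search(text):
            findings.append(f"{name}: Base64 decode combined with eval/Function")
    elif suffix in {".vcxproj", ".csproj"}:
        for m in VS_BUILD_EVENT.finditer(text):
            if VS_SHELL.search(m.group(2)):
                line = text.count("\n", 0, m.start()) + 1
                findings.append(f"{name}:{line}: {m.group(1)}BuildEvent runs a shell/batch command")
    return findings


def scan_tree(root) -> list[str]:
    """Walk a checked-out repository and scan every file type we know about."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCANNED:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(path.relative_to(root).as_posix(), text))
    return findings


# Constructed sample files mimicking the described patterns (not real GitVenom code).
SAMPLES = {
    "bot.py": "def helper():\n    return 1\n"
              + "\t" * 40
              + "import subprocess; subprocess.run(['pip', 'install', 'cryptography'])\n",
    "clean.py": "def add(a, b):\n    return a + b\n",
    "loader.js": "function decode(s) { return Buffer.from(s, 'base64').toString(); }\n"
                 "eval(decode('Y29uc29sZS5sb2coMSk='));\n",
    "tool.vcxproj": "<Project>\n  <ItemDefinitionGroup>\n    <PreBuildEvent>\n"
                    "      <Command>cmd.exe /c start /min %TEMP%\\setup.bat</Command>\n"
                    "    </PreBuildEvent>\n  </ItemDefinitionGroup>\n</Project>\n",
    "app.csproj": "<Project>\n  <PostBuildEvent>copy $(TargetPath) $(SolutionDir)out\\</PostBuildEvent>\n</Project>\n",
}


def demo() -> list[str]:
    """Write the constructed samples into a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLES.items():
            Path(tmp, rel).write_text(content, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a fresh clone with `scan_tree("/path/to/clone")` before opening the project in an IDE or running its build, since the C/C++/C# variant executes as soon as the project is built. The tab-run check deliberately inspects only the 400 characters after the run: the indicator is the combination of hidden placement and install/exec code, and either one alone is common in benign projects.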
According to Kaspersky, each payload is designed to fetch additional components from a GitHub repository controlled by the attacker. These components include a Node.js stealer for collecting sensitive data like credentials, digital wallet information, and browsing history. The stolen data is then packaged into an archive for exfiltration via Telegram.
Notable Components of the Attack
- The threat actors also deploy remote access tools such as the AsyncRAT implant and the Quasar backdoor.
- A clipboard hijacker scans for crypto wallet addresses and replaces them with addresses controlled by attackers.
Precautions for Developers
As the GitVenom campaign has been active for several years, developers are urged to exercise caution when integrating third-party code into their projects. Kaspersky researchers emphasize the importance of reviewing GitHub repositories thoroughly before using any code from them.
Key Recommendations for Developers
- Verify the contents and activity of GitHub repositories before incorporating code into projects.
- Look out for artificially inflated commit histories and detailed README files crafted using AI.
- Check for overly verbose language, formulaic structure, and AI-generated instructions in repositories.
- Seek community engagement, reviews, and feedback from other projects using the repository to validate its authenticity.
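The "artificially inflated commit history" sign in the list above can be measured rather than eyeballed. The check below is an added example (not part of the article or of Kaspersky's tooling): it consumes the output of `git log --format='%H%x09%at%x09%an%x09%s'` (tab-separated hash, Unix timestamp, author, subject), computes the largest number of commits landing in any one-hour window and the share of duplicated subject lines, and raises flags when they exceed thresholds that are assumptions to be tuned per organisation. The two log samples are constructed.

```python
"""Commit-history sanity check for repositories with suspiciously padded histories.

Added example, not from the article. Input is `git log` output in the format
    git log --format='%H%x09%at%x09%an%x09%s'
(hash, unix time, author name, subject, tab-separated). Thresholds are assumptions.
"""
from collections import Counter


def parse_log(text: str) -> list[tuple[str, int, str, str]]:
    """Parse the tab-separated log into (hash, timestamp, author, subject), oldest first."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        commit_hash, ts, author, subject = line.split("\t", 3)
        commits.append((commit_hash, int(ts), author, subject))
    return sorted(commits, key=lambda c: c[1])


def max_commits_in_window(times: list[int], window: int = 3600) -> int:
    """Largest number of commits whose timestamps fall inside any `window` seconds."""
    times = sorted(times)
    best = 0
    j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:  # slide the left edge so [times[j], t] fits the window
            j += 1
        best = max(best, i - j + 1)
    return best


def assess_history(text: str, burst_threshold: int = 30,
                   dup_ratio_threshold: float = 0.5) -> dict:
    """Return metrics plus a list of human-readable flags for a commit log."""
    commits = parse_log(text)
    n = len(commits)
    subjects = Counter(c[3] for c in commits)
    dup_ratio = 1 - len(subjects) / n if n else 0.0
    burst = max_commits_in_window([c[1] for c in commits]) if n else 0
    authors = sorted({c[2] for c in commits})

    flags = []
    if burst >= burst_threshold:
        flags.append(f"{burst} commits within a single hour")
    if n and dup_ratio >= dup_ratio_threshold:
        flags.append(f"{dup_ratio:.0%} of commit subjects are duplicates")
    return {"commits": n, "authors": authors, "max_per_hour": burst,
            "dup_ratio": round(dup_ratio, 3), "flags": flags}


# Constructed samples (fake hashes, fake author): 60 identical commits 30 s apart
# versus 8 distinct commits spread over three-day intervals.
INFLATED_LOG = "\n".join(
    f"{i:040x}\t{1700000000 + i * 30}\tdevbot\tUpdate README.md" for i in range(60)
)
NORMAL_LOG = "\n".join(
    f"{i:040x}\t{1700000000 + i * 3 * 86400}\tmaintainer\tFix issue #{i} in parser"
    for i in range(8)
)

if __name__ == "__main__":
    for label, log in (("inflated", INFLATED_LOG), ("normal", NORMAL_LOG)):
        print(label, assess_history(log))
```

Feed a real repository with `assess_history(subprocess.check_output(["git", "log", "--format=%H%x09%at%x09%an%x09%s"], text=True))` from inside the clone. A burst of near-identical commits is only one of the signals listed above, so treat a flag as a reason to look at the README, contributor activity and external references more carefully, not as proof of malice.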
While AI-generated content may be challenging to detect, developers should remain vigilant and thorough in their assessment of third-party code to prevent falling victim to malicious attacks.