The GitVenom campaign: cryptocurrency theft using GitHub

The GitVenom campaign has emerged as a significant threat where cybercriminals create fake GitHub repositories with malicious code disguised as legitimate open-source projects. These repositories lure unsuspecting developers into executing infected code. The threat actors employ various programming languages to hide malware, which aims to steal sensitive data and perform unauthorized actions.

Affected: GitHub, software developers, cryptocurrency users

Key points:

  • The GitVenom campaign uses fake GitHub repositories to spread malware.
  • Attackers create well-designed, yet deceptive README.md files to lure victims.
  • Malicious repositories include fake projects like Instagram automation tools and Bitcoin management bots.
  • Malware is written in multiple programming languages: Python, JavaScript, C, C++, and C#.
  • Infected Python projects contain malicious code embedded within a long line of tab characters.
  • JavaScript projects include hidden functions that decode and execute malicious scripts.
  • C, C++, and C# projects hide malware in Visual Studio project files configured to execute during build time.
  • Malicious payloads aim to download further components from an attacker-controlled repository.
  • Infection attempts have been observed globally, with noteworthy activity from Russia, Brazil, and Turkey.
  • Developers are urged to thoroughly vet third-party code before execution to prevent infections.
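To make the Python hiding trick from the key points concrete, here is an added detection heuristic (not code from the original report or from the campaign) that flags source lines whose real content sits behind a very long run of tab or space characters, and raises the score when that hidden tail contains dynamic-execution or decoding calls. The padding threshold, the regex of suspicious calls and the sample script are all assumptions constructed for the example.

```python
import re

# Heuristic for the GitVenom-style trick described above: a Python line whose
# payload is pushed far off-screen behind a long run of tab characters.
# Threshold is an assumption; real editors rarely show 200+ leading tabs.
PADDING_THRESHOLD = 200
SUSPICIOUS_CALLS = re.compile(r"\b(exec|eval|compile|__import__)\s*\(|base64|fromhex")


def find_hidden_padding(source: str, threshold: int = PADDING_THRESHOLD):
    """Return (line_no, padding_len, snippet) for every line that has a run of
    at least `threshold` tabs/spaces followed by non-whitespace content.
    The padding may sit at the start of the line or after a short, innocent
    looking prefix such as print('ok')."""
    pattern = re.compile(r"[\t ]{%d,}" % threshold)
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        m = pattern.search(line)
        if not m:
            continue
        tail = line[m.end():].strip()
        if not tail:
            continue  # only trailing whitespace, nothing is being hidden
        findings.append((no, m.end() - m.start(), tail[:60]))
    return findings


def risk_score(findings) -> int:
    """Score 1 per padded line, 2 when the hidden tail calls exec/eval/decoders."""
    return sum(2 if SUSPICIOUS_CALLS.search(snip) else 1 for _, _, snip in findings)


# Constructed sample (not from the campaign): three normal lines, then one line
# whose visible part is harmless and whose payload follows 2000 tab characters.
SAMPLE = (
    "import requests\n"
    "def fetch(url):\n"
    "    return requests.get(url).text\n"
    "print('ok')" + "\t" * 2000 + ";exec(__import__('base64').b64decode('cHJpbnQoMSk='))\n"
)

if __name__ == "__main__":
    hits = find_hidden_padding(SAMPLE)
    for no, pad, snippet in hits:
        print(f"line {no}: {pad} padding chars hide: {snippet!r}")
    print("risk score:", risk_score(hits))
```

Run it over each `.py` file in a freshly cloned repository before executing anything; a non-zero score is a reason to open the file in a hex editor rather than an IDE.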

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Utilizing GitHub repositories to deliver malicious payloads.
  • T1086 – PowerShell: Manipulating Python scripts to execute encrypted malicious commands.
  • T1203 – Exploitation for Client Execution: Tricking users into executing compromised code from GitHub repositories.
  • T1070.001 – Indicator Removal on Host: Employing obfuscation techniques (like AI-generated README.md files) to obscure malicious activity.

Indicators of Compromise:

  • [URL] hxxps://github[.]com/Dipo17/battle
  • [C2 Address] 68.81[.]155
  • [Bitcoin Wallet ID] bc1qtxlz2m6r[…]yspzt
  • [MD5] 63739e000601afde38570bfb9c8ba589
  • [MD5] 3684907e595cd04bf30b27d21580a7c6
Full Story: https://securelist.com/gitvenom-campaign/115694/