Kaspersky researchers discovered GitVenom campaign distributing stealers and open-source backdoors via fake GitHub projects.
Analysis Summary
# Threat Actor: GitVenom Campaign Operators
## Attribution & Identity
The threat actors are associated with an active campaign dubbed "GitVenom." No specific nation-state or financially motivated group is explicitly named or attributed beyond the campaign name.
## Activity Summary
The actors are running a long-running, ongoing campaign targeting GitHub users by publishing hundreds of fake, promise-filled open-source project repositories. The repositories are designed to appear very legitimate (e.g., automation instruments, Telegram bots, hacking tools) using well-designed `README.md` files, likely AI-generated, along with artificially inflated commit counts via timestamp files. The malicious code implanted in these projects ultimately serves to deploy further components aimed at cryptocurrency theft. Several fake projects were found dating back two years, indicating a sustained operation.
## Tactics, Techniques & Procedures
- **Repository Deception:** Creating fake GitHub repositories masquerading as legitimate open-source projects.
- **Fabricated Legitimacy:** Using well-designed `README.md` files and artificially inflated commit histories so the repositories appear active and trustworthy.
- **Multi-language Payload Injection:** Implanting malicious code across projects written in Python, JavaScript, C, C++, and C#.
  - **Python:** Hiding executable code on a line after a long run of tab characters, so it sits off-screen; the hidden code installs the `cryptography` and `fernet` libraries and executes the payload.
  - **JavaScript:** Embedding a malicious function that decodes a Base64 string and executes the resulting script.
  - **C/C++/C#:** Hiding a malicious batch script that runs at project build time via the `PreBuildEvent` attribute in Visual Studio project files.
- **Secondary Payload Staging:** Initial payloads download further components from an attacker-controlled GitHub repository (`hxxps://github[.]com/Dipo17/battle`).
- **Information Stealing & Exfiltration:** Deploying a Node.js stealer to collect credentials, cryptocurrency wallet data, and browsing history, subsequently packing this data into a `.7z` archive and uploading it via Telegram.
- **Backdoor Deployment:** Installing the open-source AsyncRAT and Quasar backdoor implants.
- **Cryptocurrency Hijacking:** Employing a clipboard hijacker that detects cryptocurrency wallet addresses in the clipboard and replaces them with attacker-controlled addresses.
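The three injection styles listed above (and the build-script review recommended under Mitigations) can be triaged mechanically before anything is built or run. The scanner below is an added example written for this page; it is not Kaspersky's tooling and contains nothing from the campaign's repositories. Its whitespace threshold, regexes, file-extension mapping and the constructed sample repository are all assumptions chosen for illustration.

```python
"""Static triage of a cloned repository for the GitVenom-style lures described above.
Added example (not Kaspersky's code). Flags: Python code hidden behind a long
whitespace run, JavaScript that Base64-decodes into an execution sink, and
Visual Studio project files carrying pre/post-build commands.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# 40+ consecutive tabs/spaces directly before code: far beyond normal indentation (assumption)
HIDDEN_GAP = re.compile(r"[ \t]{40,}(?=\S)")
B64_DECODE = re.compile(r"atob\(|Buffer\.from\([^)]*['\"]base64['\"]\)")
EXEC_SINK = re.compile(r"\b(?:eval|Function|execSync|exec)\s*\(")
BUILD_EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent"}
PROJECT_EXTS = (".csproj", ".vcxproj", ".vbproj")


@dataclass
class Finding:
    path: str
    line: int  # 0 when the finding applies to the whole file
    reason: str


def scan_python(path, text):
    """Report lines where the real code is pushed out of view by a whitespace run."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = HIDDEN_GAP.search(line)
        if m:
            findings.append(Finding(path, n, f"code hidden behind {m.end() - m.start()} whitespace chars"))
    return findings


def scan_javascript(path, text):
    """Base64 decoding alone is benign; paired with an eval/Function sink it is the lure pattern."""
    if B64_DECODE.search(text) and EXEC_SINK.search(text):
        return [Finding(path, 0, "Base64 decode feeding an execution sink")]
    return []


def _local(tag):
    return tag.split("}")[-1]  # strip the MSBuild XML namespace if present


def scan_project_file(path, text):
    """Surface every command MSBuild would run before or after compilation."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return [Finding(path, 0, "unparseable project file")]
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in BUILD_EVENT_TAGS:
            continue
        # .csproj keeps the command in the element text; .vcxproj nests it in <Command>
        cmd = (elem.text or "").strip()
        for child in elem:
            if _local(child.tag) == "Command":
                cmd = (child.text or "").strip()
        if cmd:
            findings.append(Finding(path, 0, f"{_local(elem.tag)} runs: {cmd[:80]}"))
    return findings


def scan_files(files):
    """files: mapping of relative path -> file contents."""
    findings = []
    for path, text in files.items():
        if path.endswith(".py"):
            findings += scan_python(path, text)
        elif path.endswith(".js"):
            findings += scan_javascript(path, text)
        elif path.endswith(PROJECT_EXTS):
            findings += scan_project_file(path, text)
    return findings


def scan_repo(root):
    """Walk a checked-out repository on disk (skipping .git) and triage it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        if ".git" in dirpath.split(os.sep):
            continue
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return scan_files(files)


# Constructed sample repository mirroring the three lure styles (placeholder payloads only)
SAMPLE_FILES = {
    "bot/main.py": "import requests\nprint('bot starting')" + "\t" * 200
                   + "exec(decrypt(BLOB))  # placeholder, not a real payload\n",
    "bot/loader.js": "function load(s) { return eval(atob(s)); }\n",
    "tool/tool.csproj": ('<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup>'
                         '<PreBuildEvent>cmd /c start /b setup.bat</PreBuildEvent>'
                         '</PropertyGroup></Project>'),
    "tool/tool.vcxproj": ('<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">'
                          '<ItemDefinitionGroup><PreBuildEvent><Command>call helper.bat</Command>'
                          '</PreBuildEvent></ItemDefinitionGroup></Project>'),
    "clean/app.py": "def main():\n    print('hello')\n",
}

if __name__ == "__main__":
    results = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}: {f.reason}")
```

Run it as `python scan.py /path/to/clone` on a fresh checkout; with no argument it triages the embedded sample and reports four findings (the hidden Python line, the decode-and-eval loader, and both project files) while leaving `clean/app.py` alone. Any hit on a repository you did not write is a reason to read that file in full before building.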
## Targeting
- **Sectors:** Not explicitly detailed, but the nature of the theft (cryptocurrency) suggests targeting developers, crypto users, and potentially organizations interested in the fake tools offered (automation, hacking tools).
- **Geography:** Not specified.
- **Victims:** Not specifically named, though telemetry indicates the infection vector is effective. A linked attacker Bitcoin wallet received a significant sum (approx. 5 BTC, about $485,000 USD) in November 2024.
## Tools & Infrastructure
- **Malware Families Used:**
  - Node.js stealer (data collection)
  - AsyncRAT (implant)
  - Quasar backdoor (implant)
  - Clipboard hijacker
- **Infrastructure (C2, Domains, IPs):**
  - Staging repository: `hxxps://github[.]com/Dipo17/battle`
  - C2 server address (for AsyncRAT/Quasar): `68.81[.]155`
## Implications
The GitVenom campaign represents a sophisticated, multi-year social engineering effort leveraging the trust inherent in open-source ecosystems (specifically GitHub). By using various programming languages and blending malicious code execution into standard development or build processes, the actors successfully compromise victims for financial gain, evidenced by significant Bitcoin transfers. The reliance on well-known tools like AsyncRAT suggests established operational security and an intent for persistent remote access.
## Mitigations
- **Source Code Vetting:** Exercise extreme caution when downloading and compiling code from public repositories, especially those promising compelling functionality.
- **Build Time Security:** Review build scripts and project files (`PreBuildEvent` attributes in Visual Studio projects) for unexpected or malicious commands before compiling external code.
- **Environment Isolation:** Perform initial builds and execution of unknown or third-party code in isolated or sandboxed environments.
- **Clipboard Monitoring:** Implement monitoring or validation steps for cryptocurrency transactions initiated via clipboard manipulation.
- **Credential Protection:** Employ robust credential management that limits the exposure of saved credentials and wallet access to untrusted processes.
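The clipboard-monitoring mitigation above can be implemented as a simple integrity check in a wallet front end: record the address the user deliberately copied from a trusted source, then refuse to send if the clipboard holds a different wallet-like string at confirmation time. The code below is an added example for this page, not from the Kaspersky report or any wallet; the address regexes are coarse heuristics, the "clipboard" is a plain callable so the check runs offline, and the sample addresses are constructed placeholders.

```python
"""Clipboard-swap detection before a cryptocurrency transfer is submitted.
Added example (not from the report). A clipper replaces wallet-like clipboard
text with the attacker's address; this guard catches the replacement by
comparing the clipboard at send time against the address the user recorded.
"""
import re

# Coarse address formats (assumption: illustrative, not a full validator)
ADDRESS_PATTERNS = {
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,87}$"),
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the address family of a string, or None if it is not wallet-like."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


class ClipboardGuard:
    def __init__(self, read_clipboard):
        self._read = read_clipboard  # callable returning current clipboard text
        self._expected = None

    def record_intended(self, address):
        """Called when the user copies/confirms the recipient from a trusted source."""
        kind = classify(address)
        if kind is None:
            raise ValueError("not a recognised wallet address")
        self._expected = (kind, address.strip())

    def check_before_send(self):
        """Verdict on the clipboard at confirmation time:
        'ok'      - unchanged
        'swapped' - same address family but a different value (the clipper signature)
        'changed' - clipboard no longer holds a wallet-like string
        """
        if self._expected is None:
            raise RuntimeError("no intended address recorded")
        kind, expected = self._expected
        current = self._read().strip()
        if current == expected:
            return "ok", current
        if classify(current) == kind:
            return "swapped", current
        return "changed", current


# Constructed placeholder addresses (not real wallets)
USER_ADDRESS = "bc1q" + "a" * 38
OTHER_ADDRESS = "bc1q" + "z" * 38


def demo():
    """Simulate the three clipboard states a wallet might encounter."""
    clipboard = {"text": USER_ADDRESS}
    guard = ClipboardGuard(lambda: clipboard["text"])
    guard.record_intended(USER_ADDRESS)
    verdicts = [guard.check_before_send()[0]]
    clipboard["text"] = OTHER_ADDRESS      # simulated replacement by a clipper
    verdicts.append(guard.check_before_send()[0])
    clipboard["text"] = "meeting notes"    # unrelated content
    verdicts.append(guard.check_before_send()[0])
    return verdicts


if __name__ == "__main__":
    print(demo())  # ['ok', 'swapped', 'changed']
```

In a real wallet the callable would wrap the platform clipboard API and `record_intended` would be triggered when the user pastes or scans the recipient; the important property is that the comparison happens at the moment of sending, after any clipper has had its chance to rewrite the clipboard. A "swapped" verdict is the signal to block the transaction and show both addresses to the user.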