Hundreds of GitHub repos served up malware for years

Kaspersky researchers have unearthed an extensive and long-running malware delivery campaign that exploited users’ propensity for downloading code from GitHub and using it without first verifying whether it’s malicious.

“Over the course of the GitVenom campaign, the threat actors behind it have created hundreds of repositories on GitHub that contain fake projects with malicious code – for example, an automation instrument for interacting with Instagram accounts, a Telegram bot allowing to manage Bitcoin wallets, and a hacking tool for the video game Valorant,” Kaspersky researchers Georgy Kucherin and João Godinho explained.

“Given that the attackers have been luring victims with these projects for several years, the infection vector is likely quite efficient. In fact, based on our telemetry, infection attempts related to GitVenom have been observed worldwide, with the highest number of them being in Russia, Brazil and Turkey.”

The lures and the malware

As noted above, the malicious repositories ostensibly offered useful tools (including game-related ones), and they were quite convincing: they contained well-designed README.md files (likely created with AI tools) and looked like they were updated regularly (they were, just not meaningfully).

[Image: GitHub malware campaign] The number of commits has been artificially inflated by updating a file every few minutes (Source: Kaspersky)

The repositories contained code written in Python, JavaScript, C, C++ and C#, but the code did not actually do what the README file said it did. Instead, it contained hidden code that decrypted and executed scripts whose goal was to download and execute additional malware from an attacker-controlled GitHub repository (that has since been deleted).

The downloaded malware included a Node.js stealer, the AsyncRAT, the Quasar backdoor, and a clipboard hijacker.

That last piece of malware revealed a Bitcoin wallet controlled by the crooks behind this campaign. The public transaction history shows that one victim has unwittingly sent about 5 BTC to the attacker.

Advice for GitHub users

This is not the first time malware delivery campaigns have been spotted on GitHub and it won’t be the last.

“With more and more open-source projects being published, both state-sponsored actors and cybercriminals started using freely available code as a lure to infect their targets,” Kucherin and Godinho noted.

“For that reason, it is crucial to handle processing of third-party code very carefully. Before attempting to run such code or integrate it into an existing project, it is paramount to thoroughly check what actions it performs.”
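As an added illustration (not Kaspersky's tooling and not code from the report), the following Python sketch triages a cloned repository for the two traits described above: decoded data handed straight to exec/eval, and a commit history padded by touching one file every few minutes. The regex patterns, the log line format and the sample inputs are assumptions constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Decode chained straight into an evaluator: the "decrypt and execute" shape.
# These patterns are an assumption; the campaign's real loader may differ.
SUSPICIOUS_EXEC = [
    re.compile(r"\bexec\s*\(\s*(base64\.b64decode|bytes\.fromhex|zlib\.decompress)"),
    re.compile(r"\beval\s*\(\s*(atob|Buffer\.from)\s*\("),
    re.compile(r"\bFunction\s*\(\s*atob\s*\("),
]

def find_decode_and_run(source: str) -> list[str]:
    """Return fragments where decoded data is passed directly to exec/eval."""
    return [m.group(0) for pat in SUSPICIOUS_EXEC for m in pat.finditer(source)]

def commit_padding_score(log_lines: list[str]) -> dict:
    """Measure how much of a history is rapid-fire touches of a single file.
    Each line is 'ISO-timestamp<TAB>path' (one touched file per commit), e.g.
    flattened from `git log --format=%aI --name-only`."""
    stamps, files = [], Counter()
    for line in log_lines:
        ts, path = line.split("\t", 1)
        stamps.append(datetime.fromisoformat(ts))
        files[path] += 1
    stamps.sort()
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    short = sum(1 for g in gaps if g <= timedelta(minutes=10))
    top_file, top_count = files.most_common(1)[0]
    return {
        "commits": len(stamps),
        "short_gap_fraction": short / len(gaps) if gaps else 0.0,
        "top_file": top_file,
        "top_file_fraction": top_count / len(stamps),
    }

# Constructed sample: the README promises a helper tool, the code does only this.
SAMPLE_SOURCE = 'import base64\nexec(base64.b64decode("<constructed-blob>"))\n'

# Constructed log: six commits, five of them minutes apart touching one file.
SAMPLE_LOG = [
    "2024-01-01T10:00:00+00:00\tREADME.md",
    "2024-01-01T10:03:00+00:00\tlog.txt",
    "2024-01-01T10:06:00+00:00\tlog.txt",
    "2024-01-01T10:09:00+00:00\tlog.txt",
    "2024-01-01T10:12:00+00:00\tlog.txt",
    "2024-01-01T10:15:00+00:00\tlog.txt",
]
```

A high short-gap fraction together with one file dominating the history is a prompt to read the code before running it, not proof of malice; the decode-and-run hits are the lines to inspect first.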
