Malicious code in 200 GitHub repositories steals almost 500,000 euros
A malware campaign in GitHub repositories is targeting bank data and Bitcoin wallets. The malicious code is often only executed at build time.
(Image: created with AI in Bing Designer by heise online / dmk)
Security firm Kaspersky has warned of a new attack on GitHub repositories in which the attackers offer seemingly harmless fake software that steals bank details and Bitcoin wallets. The campaign, dubbed GitVenom by Kaspersky, has been active for around two years, and the 200 fake repos uncovered so far advertise smaller tools such as an Instagram manager, Telegram remote access, a Bitcoin wallet or a crack for the game Valorant.
The descriptions in the repos and the readme files are available in several languages and, according to the Kaspersky analysts, are of good quality, presumably generated using AI. The large number of commits also suggests a well-maintained project, but these probably consist only of automatically generated timestamp updates. The languages named by the repos are Python, JavaScript, C, C++ and C#.
The software that the user actually installs downloads malicious components that attempt to steal all kinds of personal data, including bank account details, and to capture coin addresses from the clipboard. In one of the thieves' wallet addresses, the analysts found a balance of 5 Bitcoins, just under 500,000 euros. Most cases occurred in Brazil, Russia, and Turkey.
Data theft via Telegram
GitVenom contains the following malware components:
- Stealer based on Node.js, which targets login data, wallets, and browser history.
- Clipboard clipper that replaces wallet addresses with those of the attackers.
- Remote access tool with keylogger: AsyncRAT.
- Backdoor: Quasar.
(Image: Kaspersky)
The malware sends the data to the thieves as a 7-Zip archive via Telegram. The malicious code is sometimes hidden in very long lines of code or in Visual Studio project files, where it is only executed at build time if a user integrates such a project into their own.
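The build-time trick described above can be checked for before a project is integrated: MSBuild project files (.csproj, .vcxproj) can run commands through Exec tasks, build-event properties and targets hooked before or after the build. The following scanner is an added example written for this article, not code from Kaspersky or from the campaign; the project file it inspects is a constructed sample, and the placeholder blob merely simulates the unusually long line the article mentions.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the campaign's real file): an SDK-style .csproj whose
# post-build target runs a command. The command is padded with a placeholder
# blob so that, as in the article, the payload sits in an unusually long line.
PLACEHOLDER_BLOB = "A" * 600
SAMPLE_CSPROJ = f"""<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType></PropertyGroup>
  <Target Name="Setup" AfterTargets="PostBuildEvent">
    <Exec Command="cmd /c setup.bat {PLACEHOLDER_BLOB}" />
  </Target>
</Project>
"""

# MSBuild elements and properties that execute commands during a build.
EXEC_TASKS = {"Exec"}
BUILD_EVENT_PROPS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}
BUILD_HOOK_ATTRS = ("BeforeTargets", "AfterTargets")


def _local(tag: str) -> str:
    # Strip the XML namespace that legacy (non-SDK) project files declare.
    return tag.rsplit("}", 1)[-1]


def scan_project_file(text: str, max_line_len: int = 500) -> list[dict]:
    """Return findings for build-time execution hooks and oversized lines."""
    findings = []
    # Raw-text pass: a line far longer than any hand-written one deserves a look.
    for lineno, line in enumerate(text.splitlines(), start=1):
        if len(line) > max_line_len:
            findings.append({"kind": "long-line", "line": lineno, "length": len(line)})
    # XML pass: anything that runs a command when the project is built.
    root = ET.fromstring(text)
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EXEC_TASKS:
            findings.append({"kind": "exec-task", "command": (elem.get("Command") or "")[:60]})
        elif name in BUILD_EVENT_PROPS and (elem.text or "").strip():
            findings.append({"kind": "build-event", "property": name, "command": elem.text.strip()[:60]})
        elif name == "Target" and any(elem.get(a) for a in BUILD_HOOK_ATTRS):
            hooks = {a: elem.get(a) for a in BUILD_HOOK_ATTRS if elem.get(a)}
            findings.append({"kind": "target-hook", "target": elem.get("Name"), **hooks})
    return findings


if __name__ == "__main__":
    for finding in scan_project_file(SAMPLE_CSPROJ):
        print(finding)
```

A finding is not proof of malice (legitimate projects use post-build events too), but each one names a command that will run on the developer's machine and should be read before the project is built.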
(Image: Kaspersky)
Time and again, repositories are misused for malicious purposes. As a protective measure, Kaspersky recommends keeping a watchful eye on the repositories: What do the contributors' accounts look like? Are the figures for stars, watchers, and commits plausible, and do they match each other? What does the code in the commits look like? Users should also be careful with repos that have been shared via chats or social media. Further information can be found in the company's blog.
(who)