February 26, 2025

GitVenom Attack Campaign


The increasing reliance on open-source software in modern development has created fertile ground for a new breed of supply chain attack. Threat actors now actively exploit the trust placed in platforms such as GitHub to distribute malware, targeting developers directly. One such campaign, dubbed "GitVenom," has emerged as a significant threat: it uses deceptive techniques to lure developers into downloading and executing malicious code disguised as legitimate open-source projects. This article covers the origins, tactics, targets, and defenses against the GitVenom campaign, giving security professionals the information they need to counter this evolving threat.

Origins & Evolution

The GitVenom campaign has been active for at least two years according to published reports, with infection attempts observed globally. While its exact origins remain unclear, the campaign's sophistication and its use of multiple programming languages suggest a well-resourced and technically capable threat actor or group. The earliest identified instances involved Python and JavaScript; over time the campaign expanded to C, C++, and C#. The name "GitVenom" was coined by Kaspersky, reflecting the campaign's use of GitHub and the venomous nature of the payloads delivered. Its evolution is marked by increasingly convincing disguises for the malicious repositories and by the expansion into additional programming languages.

The observed shift from poisoning package registries to planting malicious code directly in source code management systems shows the attackers adapting their tactics: early reports describe the use of PyPI, while later activity moved to malicious source code hosted directly in GitHub repositories.

Tactics & Techniques

The GitVenom campaign operates by creating a network of fake GitHub repositories that mimic legitimate open-source projects. These repositories are meticulously crafted to appear authentic, employing several deceptive techniques:

  • Fake Project Creation: The repositories are often themed around popular tools or utilities, such as Instagram automation software, Telegram Bitcoin wallet bots, or game hacking tools (e.g., Valorant). This lures developers searching for specific functionalities.

  • Realistic README Files: The repositories include well-written README.md files, possibly generated using AI, that provide detailed (but ultimately fake) project descriptions, usage instructions, and compilation guides. These files enhance the illusion of legitimacy.

  • Repository Manipulation:

* Tags: Attackers add numerous tags to the repositories to increase their discoverability through GitHub's search functionality.

* Inflated Commit History: The number of commits is artificially inflated using techniques like timestamp manipulation, creating the impression of an active and well-maintained project.

* Forking and Amplification: Some campaigns clone legitimate repositories, inject malicious code, and re-upload them with the same names as the originals. They then automatically fork these malicious repos thousands of times and promote them across the web.

  • Social Engineering: Some campaigns use social engineering, luring victims with API documentation or cryptocurrency transaction information.

The core of the GitVenom attack lies in the delivery of malicious code, which varies depending on the programming language used in the fake project:

  • Python: The malicious code is hidden within a very long line of code padded extensively with tab characters. That code decrypts and executes a second-stage Python script, typically using Fernet (from the cryptography package) and the requests module.

  • JavaScript: A malicious function is defined in the project and called from its main file. The function typically decodes a Base64-encoded script and executes it.

  • C/C++/C#: A malicious batch script is embedded within Visual Studio project files. This script is configured to execute during the project's build process, leveraging the trust developers place in build automation.

Multi-Stage Infection: The initial malicious code acts as a downloader, fetching additional malicious components from an attacker-controlled GitHub repository (e.g., hxxps://github[.]com/Dipo17/battle). This multi-stage approach allows the attackers to update and modify the final payload without needing to change the initial lure repositories.

Payloads: The downloaded payloads typically include:

  • Information Stealers (Node.js): These stealers collect sensitive data, including credentials, cryptocurrency wallet information, and browsing history. The stolen data is often archived and exfiltrated to the attackers via Telegram.

* Archive Structure: The stolen data is often structured in a specific archive format, which may contain files related to the browser, the Discord application, Telegram, system information, cryptocurrency wallets, and a screenshot.

  • Remote Access Trojans (RATs): Campaigns have deployed RATs like AsyncRAT and Quasar RAT, providing attackers with complete remote control over compromised systems. These often use specific C2 server addresses (e.g., 138.68.81[.]155).

  • Clipboard Hijackers: These replace cryptocurrency wallet addresses copied to the clipboard with attacker-controlled addresses, redirecting cryptocurrency transactions to the attackers.

  • Backdoors: Custom backdoors such as RevC2 and Retdoor provide persistent access and command execution. RevC2 uses WebSockets for C2 communication and supports commands for stealing passwords and cookies, executing shell commands, taking screenshots, and proxying traffic. Retdoor is a JavaScript backdoor that sends HTTP POST requests to a C2 server and treats the responses as commands to execute.

Obfuscation and Defense Evasion: Various obfuscation and evasion techniques are employed, including wrapper batch scripts, XOR encryption, Base64 encoding, and checks for sandbox environments.

Targets or Victimology

The primary targets of the GitVenom campaign are developers who use GitHub to find and reuse open-source code. This includes software engineers, hobbyist programmers, and potentially even security researchers. The choice of lures (e.g., game hacking tools, cryptocurrency bots) suggests an attempt to reach specific developer communities. Infection attempts have been observed globally, with a higher concentration in Russia, Brazil, and Turkey. The financial motivation is evident: one Bitcoin wallet associated with a clipboard hijacker received a significant amount of cryptocurrency (approximately 5 BTC). The targets are not limited to specific industries.

Attack Campaigns

GitVenom campaigns have been running for at least two years. A few examples:

1. API Documentation Lure & RevC2:

* Lure: API Documentation

* Payload: RevC2 (Backdoor)

* Attack Chain: VenomLNK -> API.png download -> AdvancedWin.ocx execution (RevC2) via regsvr32.

* C2 Communication: WebSockets, JSON format.

* Key Capabilities: Steal passwords/cookies, execute commands, take screenshots, proxy traffic.

2. Crypto Transaction Lure & Retdoor:

* Lure: Crypto Transaction Image

* Payload: Venom Loader -> Retdoor (JavaScript Backdoor)

* Attack Chain: VenomLNK -> run_bat.vbs, bat2.bat -> Crypto image download -> base.zip download (Venom Loader) -> ApplicationFrameHost.exe sideloads dxgi.dll (Venom Loader) -> hello.js execution (Retdoor).

* Persistence: merge.ps1 added to autorun registry.

* C2 Communication: HTTP POST requests.

3. Repo Confusion Attack:

* Cloning: Attackers clone popular, existing repositories.

* Infection: They inject malware loaders into the cloned repositories.

* Re-upload & Naming: They re-upload the infected repos to GitHub with identical names as the originals.

* Amplification: They automatically fork the malicious repos thousands of times and covertly promote them across the web.

* Malware: BlackCap-Grabber.

* Data Theft: The malware steals login credentials, browser passwords and cookies, and other confidential data.

* Impact: More than 100,000 repositories.

Defenses

Combating the GitVenom campaign requires a multi-faceted approach focused on developer education, code verification, and proactive security measures:

  • Developer Education: Educate developers about the risks of blindly trusting and executing code from open-source repositories, even those that appear legitimate. Emphasize the importance of thorough code review.

  • Code Verification: Before integrating any third-party code, developers should implement robust code review processes.

* Inspect the code: Look for red flags, such as unusually long lines of code, obfuscated scripts, embedded batch scripts, or calls to external resources.

* Verify the author: Check the author's profile and contribution history. Be wary of new or inactive accounts.

* Examine the commit history: Look for suspicious patterns, such as a single large commit or numerous commits made in a short period.

* Use code analysis tools: Employ static and dynamic code analysis tools to identify potential vulnerabilities and malicious behavior.

  • Network Monitoring: Implement network monitoring and intrusion detection systems to detect suspicious traffic, such as connections to known malicious IP addresses or unusual data exfiltration patterns.

  • Endpoint Protection: Deploy endpoint detection and response (EDR) solutions to monitor and block malicious processes and behaviors on developer workstations.

  • Sandboxing: Encourage developers to use sandboxed environments to test and run code from untrusted sources.

  • Supply Chain Security: Implement software composition analysis (SCA) tools to identify and manage dependencies, including open-source libraries.

  • Reporting Malicious Repos: Encourage reporting any suspicious repos to GitHub.

  • Regular Malware Scans: Scan systems for malware on a regular schedule.
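The "Inflated Commit History" tactic described earlier and the "Examine the commit history" check above both come down to timestamps. The script below is an added example for this article (not code from the article, from Kaspersky, or from any project named here): it parses the output of a real git command, `git log --reverse --format='%H%x09%at%x09%ct%x09%s'` (oldest commit first; hash, author timestamp, committer timestamp and subject separated by tabs), and flags three patterns: a burst of commits in a short window, author dates far earlier than the commit dates that recorded them, and commit dates that run backwards along the history. The thresholds, rule names and the sample log are assumptions constructed for the example.

```python
"""Commit-history heuristics for the "inflated commit history" red flag.
Added example: not code from the article or from any project it names.
Thresholds and rule names are assumptions; rebases and squash merges also
backdate author timestamps, so a hit is a prompt to look closer, not a verdict.
"""
import sys
from dataclasses import dataclass
from datetime import datetime, timezone

BURST_COUNT = 20             # assumption: this many commits ...
BURST_WINDOW = 600           # ... within this many seconds looks scripted
BACKDATE_LIMIT = 30 * 86400  # assumption: author date >30 days before commit date


@dataclass
class Commit:
    sha: str
    author_ts: int
    commit_ts: int
    subject: str


def parse_git_log(text: str) -> list[Commit]:
    """Parse lines of: git log --reverse --format='%H%x09%at%x09%ct%x09%s'"""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author_ts, commit_ts, subject = line.split("\t", 3)
        commits.append(Commit(sha, int(author_ts), int(commit_ts), subject))
    return commits


def _iso(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def check_history(commits: list[Commit]) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs; an empty list means no heuristic fired."""
    findings = []

    # 1. Burst: largest number of commits whose committer timestamps fall within BURST_WINDOW.
    ts = sorted(c.commit_ts for c in commits)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > BURST_WINDOW:
            start += 1
        best = max(best, end - start + 1)
    if best >= BURST_COUNT:
        findings.append(("commit_burst", f"{best} commits within {BURST_WINDOW} s"))

    # 2. Backdating: author dates far earlier than the commit dates that recorded them.
    backdated = [c for c in commits if c.commit_ts - c.author_ts > BACKDATE_LIMIT]
    if backdated:
        findings.append(("backdated_author_dates",
                         f"{len(backdated)} of {len(commits)} commits have author dates more than "
                         f"{BACKDATE_LIMIT // 86400} days before their commit dates"))

    # 3. Commit dates that go backwards along the history (input is oldest first).
    for prev, cur in zip(commits, commits[1:]):
        if cur.commit_ts < prev.commit_ts:
            findings.append(("non_monotonic_commit_date",
                             f"{cur.sha[:12]} committed {_iso(cur.commit_ts)}, before its parent "
                             f"{prev.sha[:12]} ({_iso(prev.commit_ts)})"))
            break
    return findings


def build_sample_log() -> str:
    """Constructed log (synthetic hashes): 25 commits ten seconds apart, all backdated
    by 400 days, followed by one commit dated earlier than its parent."""
    base = 1_700_000_000
    rows = []
    for i in range(25):
        commit_ts = base + i * 10
        rows.append(f"{i:040x}\t{commit_ts - 400 * 86400}\t{commit_ts}\tAdd feature {i}")
    rows.append(f"{25:040x}\t{base - 3600}\t{base - 3600}\tFix typo")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    # Pipe real output in with "-" as the argument; otherwise the constructed sample is used.
    log = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else build_sample_log()
    for rule, detail in check_history(parse_git_log(log)):
        print(f"{rule}: {detail}")
```

Run it inside the checkout with `git log --reverse --format='%H%x09%at%x09%ct%x09%s' | python3 commit_check.py -` (the script name is an assumption). The "single large commit" red flag needs per-commit file counts (`git log --shortstat`) and is deliberately left out here; the three checks above cover the timestamp side of the checklist.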

Indicators of Compromise (IOCs):

  • GitHub repository URL: hxxps://github[.]com/Dipo17/battle

  • C2 server address: 138.68.81[.]155

  • Attacker-controlled Bitcoin wallet ID: bc1qtxlz2m6r[...]yspzt

  • Python code patterns: exec(Fernet..., exec(requests..., __import__(..., and similar constructs.

  • Reference SHA256 hashes for infected repository archives: these should be taken from reputable security reports, such as Kaspersky's, and are not reproduced here.
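The "Inspect the code" red flags in the Defenses section (unusually long lines, obfuscated scripts, embedded batch scripts) and the Python IOC patterns listed above can be turned into a first-pass triage scanner for a freshly cloned repository. The script below is an added example for this article, not code from the article, from Kaspersky, or from any project named here. It looks for the three delivery mechanisms the article describes: Python code hidden on a very long, tab-padded line that exec()s a Fernet- or requests-derived payload; JavaScript that evaluates a Base64-decoded string; and batch commands wired into Visual Studio build events. The extension-to-scanner mapping, the thresholds, the rule names and the sample files are assumptions constructed for this example.

```python
"""Static triage of a checked-out repository for the GitVenom delivery patterns.
Added example: not code from the article, Kaspersky, or any project named on the page.
Thresholds, extension mapping and rule names are assumptions; a hit means "read this file".
"""
import re
import sys
from pathlib import Path

LONG_LINE = 500  # assumption: legitimate source lines are rarely longer than this
MIN_TABS = 50    # assumption: a run of tabs this long is padding, not indentation

# Assumed mapping from file extension to scanner category.
CATEGORY = {".py": "python", ".js": "javascript", ".mjs": "javascript", ".cjs": "javascript",
            ".csproj": "vsproject", ".vcxproj": "vsproject", ".vbproj": "vsproject",
            ".props": "vsproject", ".targets": "vsproject"}

# Per-line rules. The Python entries mirror the IOC patterns listed in the article.
LINE_RULES = {
    "python": {
        "py_exec_fernet": re.compile(r"\bexec\s*\(\s*Fernet\b"),
        "py_exec_requests": re.compile(r"\bexec\s*\(\s*requests\b"),
        "py_dunder_import": re.compile(r"__import__\s*\("),
        "py_exec_decoded": re.compile(r"\bexec\s*\(.*\.(?:decode|decrypt)\s*\("),
    },
    "vsproject": {
        # Build events and Exec tasks run arbitrary commands at compile time.
        "vs_build_event": re.compile(r"<(?:Pre|Post)BuildEvent\b", re.I),
        "vs_exec_task": re.compile(r"<Exec\b[^>]*\bCommand\s*=", re.I),
        "vs_batch_reference": re.compile(r"\.bat\b|\bcmd(?:\.exe)?\s+/c\b|\bpowershell\b", re.I),
    },
}
# JavaScript: decode and eval usually sit on different lines, so this pair is checked per file.
JS_EVAL = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(")
JS_BASE64_DECODE = re.compile(r"\batob\s*\(|Buffer\.from\s*\([^)]*['\"]base64['\"]")

Finding = tuple[str, str, int, str]  # (path, rule, line number, snippet)


def scan_text(path: str, text: str) -> list[Finding]:
    """Return findings for one file's content; files of unknown type yield nothing."""
    category = CATEGORY.get(Path(path).suffix.lower())
    if category is None:
        return []
    lines = text.splitlines()
    findings: list[Finding] = []
    if category == "python":  # very long line padded with tabs: the article's Python hiding trick
        for no, line in enumerate(lines, 1):
            if len(line) > LONG_LINE and line.count("\t") >= MIN_TABS:
                findings.append((path, "py_long_tab_padded_line", no, line.strip()[:80]))
    if category == "javascript":
        hit = JS_EVAL.search(text)
        if hit and JS_BASE64_DECODE.search(text):
            no = text.count("\n", 0, hit.start()) + 1
            findings.append((path, "js_eval_of_base64_payload", no, lines[no - 1].strip()[:80]))
    for rule, pattern in LINE_RULES.get(category, {}).items():
        for no, line in enumerate(lines, 1):
            if pattern.search(line):
                findings.append((path, rule, no, line.strip()[:80]))
    return findings


def scan_repo(root: Path) -> list[Finding]:
    """Walk a checked-out repository (skipping .git) and collect findings from every file."""
    findings: list[Finding] = []
    for file in sorted(root.rglob("*")):
        if file.is_file() and ".git" not in file.parts:
            text = file.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(str(file.relative_to(root)), text))
    return findings


# Constructed sample files (not taken from any real repository) exercising each scanner.
SAMPLES = {
    "bot/main.py": "import requests\n" + "\t" * 600 + "exec(Fernet(KEY).decrypt(BLOB))\n",
    "clean/util.py": "def add(a, b):\n    return a + b\n",
    "web/index.js": "function start() {\n  const s = Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64')"
                    ".toString();\n  eval(s);\n}\nstart();\n",
    "native/Game.vcxproj": "<Project>\n  <PreBuildEvent>\n    <Command>cmd /c build.bat</Command>\n"
                           "  </PreBuildEvent>\n</Project>\n",
}


def scan_samples() -> dict[str, list[str]]:
    """Rule names triggered by each constructed sample (sorted, de-duplicated)."""
    return {path: sorted({f[1] for f in scan_text(path, text)}) for path, text in SAMPLES.items()}


if __name__ == "__main__":
    hits = (scan_repo(Path(sys.argv[1])) if len(sys.argv) > 1
            else [f for path, text in SAMPLES.items() for f in scan_text(path, text)])
    for path, rule, no, snippet in hits:
        print(f"{path}:{no}: {rule}: {snippet}")
```

Run it as `python3 scan_repo.py /path/to/clone` (script name assumed) before building or executing anything from the clone, ideally from the sandboxed environment recommended above. Build events and `Exec` tasks are used by plenty of legitimate projects, so the vsproject rules are a reason to open the file and read the command, not a verdict; the tab-padded-line and exec-of-decoded-payload rules have far fewer benign explanations.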

Conclusion

The GitVenom campaign demonstrates the increasing sophistication of software supply chain attacks targeting developers. By exploiting the trust placed in open-source platforms and employing deceptive techniques, threat actors are successfully distributing malware and compromising systems. Protecting against these attacks requires a fundamental shift in how developers approach open-source code. Vigilance, thorough code verification, and proactive security measures are essential to mitigate the risks posed by GitVenom and similar campaigns. As code-sharing platforms continue to grow, the threat of open-source malware will likely persist and evolve, making continuous education and adaptation crucial for maintaining a secure software development lifecycle.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
