Full Report
2025-02-24 • Kaspersky Labs • Georgy Kucherin, João Godinho • win.asyncrat, win.quasar_rat
Analysis Summary
# Tool/Technique: GitVenom Campaign
## Overview
The GitVenom campaign is an ongoing threat primarily focused on **cryptocurrency theft**. It leverages malware distributed through compromised or imposter GitHub repositories.
## Technical Details
- Type: Campaign leveraging various malware families and supply chain manipulation.
- Platform: Primarily targeting Windows systems (implied by associated malware like AsyncRAT and Quasar RAT).
- Capabilities: Initial access via compromised GitHub, delivery of remote access trojans (RATs) leading to credential theft and cryptocurrency wallet compromise.
- First Seen: Not explicitly stated in the provided context; the analysis itself is recent (February 2025 reference).
## MITRE ATT&CK Mapping
*Since the context names specific malware (AsyncRAT, Quasar RAT) often used in such campaigns, the mapping below reflects generalized TTPs associated with RAT delivery campaigns; a specific mapping for the whole "GitVenom" campaign depends on the details in the full article.*
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (if GitHub features/APIs are abused)
  - T1566 - Phishing (if social engineering is used to direct users to the repositories)
- **TA0003 - Persistence**
  - T1547 - Boot or Logon Autostart Execution
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (likely HTTPS/DNS used by the RATs)
## Functionality
### Core Capabilities
- Distribution of malware through what appear to be legitimate or highly attractive **GitHub repositories**.
- Deployment of Remote Access Trojans (RATs) such as **AsyncRAT** and **Quasar RAT**.
- Execution of actions aimed at monetary gain, specifically **cryptocurrency theft**.
### Advanced Features
The mechanism heavily relies on the **supply chain/repository trust model**, making it difficult for security solutions to flag the initial download source if it originates from a trusted platform like GitHub. The utilization of established RATs indicates capabilities for remote system control, file exfiltration, and credential harvesting.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: [Implied use of executables/scripts associated with AsyncRAT/Quasar RAT payloads]
- Registry Keys: [Not provided in context]
- Network Indicators: [C2 communications associated with AsyncRAT/Quasar RAT infrastructure will be present, but specifics are not provided here]
  - Potential C2 traffic following the standard AsyncRAT/Quasar RAT protocols.
- Behavioral Indicators: An execution sequence in which unauthorized remote access tools are downloaded and then run.
## Associated Threat Actors
- [Threat actor associated with the GitVenom campaign, if known, is not named in the context snippet.] The campaign was identified and analysed by **Kaspersky Labs**.
## Detection Methods
- Signature-based detection: Signatures for known binaries associated with **AsyncRAT** and **Quasar RAT**.
- Behavioral detection: Monitoring for unusual outbound network connections initiated by processes originating from unexpected locations (e.g., Git download directories) or communication patterns typical of RATs.
- YARA rules: Rules targeting strings or patterns common to known versions of AsyncRAT/Quasar RAT payloads.
## Mitigation Strategies
- Strict control over software execution sources, especially concerning code downloaded from non-verified repositories.
- Implementation of strong endpoint detection and response (EDR) capable of monitoring process injection and unusual network beaconing from standard user applications.
- Security awareness training emphasizing the risks associated with cloning or executing code from external or untrusted GitHub repositories.
## Related Tools/Techniques
- **AsyncRAT**: Windows Remote Access Trojan (RAT).
- **Quasar RAT**: Open-source RAT often repurposed by threat actors.
- Supply Chain Compromise via Developer Tools/Platforms (e.g., GitHub, GitLab).
- Cryptocurrency Wallet Theft Techniques.