BoryptGrab Stealer Spreads Through 100+ Malicious GitHub Repositories

A massive malware distribution campaign has been discovered leveraging more than 100 GitHub repositories to spread the BoryptGrab information stealer. According to Trend Micro research, the campaign targets Windows users through deceptive downloads masquerading as legitimate software tools and gaming cheats.

The Attack Chain

The threat actors behind this campaign have deployed an extensive network of public GitHub repositories that pose as free software tools, game cheats, and utilities. These malicious repositories are carefully crafted with SEO-optimized README files so that they rank highly in search engine results, alongside legitimate software projects.

The infection chain begins when victims download ZIP archives from these repositories. The archives initiate infection through several methods, including DLL side-loading, in which an executable loads a malicious libcurl.dll that decrypts a hidden launcher payload.
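The side-loading step described above leaves a trace in image-load telemetry: a DLL carrying a well-known vendor name being loaded from a folder the user can write to, beside the executable that loads it. The Python script below is an added example, not code from the report or from the campaign. It takes records shaped like Sysmon Event ID 7 (Image loaded), here three constructed records rather than real telemetry, and flags a libcurl.dll that is unsigned, loaded from a user-writable folder such as Downloads or Temp, or both, while a signed copy loaded from an install directory passes. The directory markers, the FreeTool executable name and the signer names are assumptions.

```python
"""Flag loads of libcurl.dll that match the DLL side-loading pattern, working
from Sysmon Event ID 7 (Image loaded) records.  Added example: the three
records below are constructed for illustration, not taken from the campaign."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directory names a vendor library would not normally be loaded from
# (assumption; tune for the environment).  Compared case-insensitively
# against every component of the DLL path.
USER_WRITABLE_MARKERS = ("downloads", "temp", "desktop", "public")

# libcurl.dll is the DLL named in the report; add further names as needed.
WATCHED_DLLS = {"libcurl.dll"}


@dataclass
class ImageLoad:
    image: str         # Sysmon "Image": the process that loaded the DLL
    image_loaded: str  # Sysmon "ImageLoaded": path of the DLL
    signed: bool       # Sysmon "Signed": whether the DLL carried a valid signature


def is_user_writable(path: str) -> bool:
    """True if any component of the path is one of the user-writable markers."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(marker in parts for marker in USER_WRITABLE_MARKERS)


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a reason string if the load is suspicious, else None.

    A signed libcurl.dll loaded from an install directory (e.g. Program Files)
    passes.  The same name loaded unsigned from a Downloads folder, next to the
    executable that loaded it, is the side-loading pattern the report describes.
    """
    dll_path = PureWindowsPath(ev.image_loaded)
    if dll_path.name.lower() not in WATCHED_DLLS:
        return None
    reasons = []
    if is_user_writable(ev.image_loaded):
        reasons.append("loaded from user-writable path")
    if not ev.signed:
        reasons.append("unsigned")
    # Co-location alone is normal (curl.exe ships with libcurl.dll), so it is
    # only reported as supporting evidence once another reason exists.
    if reasons and dll_path.parent == PureWindowsPath(ev.image).parent:
        reasons.append("co-located with loading executable")
    return "; ".join(reasons) if reasons else None


def scan(events: List[ImageLoad]) -> List[Tuple[str, str]]:
    """Return (dll_path, reason) for every suspicious load in the batch."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.image_loaded, reason))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\curl\bin\curl.exe",
              r"C:\Program Files\curl\bin\libcurl.dll", True),
    ImageLoad(r"C:\Users\bob\Downloads\FreeTool\FreeTool.exe",
              r"C:\Users\bob\Downloads\FreeTool\libcurl.dll", False),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\kernel32.dll", True),
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {path}: {reason}")
```

Only the second record is reported, with all three reasons; the signed library under Program Files and the system DLL pass. In production the same check would run over the EDR or Sysmon feed rather than a hard-coded list, and the marker set would be extended with whatever folders the organisation's users can write to.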

BoryptGrab Capabilities

BoryptGrab is a C/C++ information stealer designed to harvest sensitive data, including:

  • Browser Data: Targets Chrome, Edge, Firefox, Opera, Brave, Vivaldi, and Yandex browsers using techniques to bypass Chrome’s App-Bound Encryption
  • Cryptocurrency Wallets: Steals from Exodus, Electrum, Ledger Live, Atomic, Binance, Wasabi, and Trezor
  • System Information: Captures screenshots and system details, and includes a file grabber module
  • Messaging Apps: Extracts Telegram files and Discord tokens

The malware employs anti-analysis techniques including virtual machine detection, process scanning, and privilege escalation attempts. It uses build names such as Shrek, Leon, CryptoByte, and Yaropolk to track infections across its operations.

Additional Payloads

Beyond the primary stealer, the campaign delivers several additional malicious components:

  • TunnesshClient: A PyInstaller backdoor that creates reverse SSH tunnels for remote command execution
  • HeaconLoad: A Golang downloader that maintains persistence through registry entries and scheduled tasks
  • Vidar Variants: Additional infostealer payloads

Russian Origin Indicators

Several indicators suggest the threat actors may be of Russian origin: Russian-language comments throughout the code and infrastructure, and Russian log messages in the malware samples. The attackers also employ obfuscation techniques such as XOR-encrypted strings and dynamic API resolution.

Recommendations

Organizations and individuals should:

  • Download software only from official, verified sources
  • Be suspicious of GitHub repositories offering free premium software or game cheats
  • Use endpoint detection and response (EDR) solutions to detect malicious DLL side-loading
  • Monitor for unusual scheduled task creation and registry modifications
  • Implement application whitelisting where possible
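The two monitoring points in the list, scheduled task creation and registry modification, can be checked against Windows event data. The Python below is an added example, not something from the report or from the campaign: it triages constructed records shaped like Sysmon Event ID 13 (registry value set) and Security Event ID 4698 (a scheduled task was created), flagging writes under the CurrentVersion\Run and RunOnce keys and tasks whose Exec command lives in a user-writable path. The sample paths, task names and user names are constructed; the field names follow the Sysmon and Security log schemas, and the task XML uses the Task Scheduler namespace.

```python
"""Triage persistence artefacts of the two kinds named in the recommendations:
Run/RunOnce registry writes (Sysmon Event ID 13) and scheduled task creation
(Security Event ID 4698).  Added example; every record below is constructed."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from typing import Any, Dict, List, Optional

# Namespace used by Task Scheduler task definitions (the TaskContent field).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Directory names a persistent binary would not normally live in (assumption).
USER_WRITABLE_MARKERS = ("downloads", "temp", "desktop", "public")

# Autorun key fragments matched case-insensitively inside TargetObject.
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def is_user_writable(path: str) -> bool:
    parts = [p.lower() for p in PureWindowsPath(path.strip('"')).parts]
    return any(marker in parts for marker in USER_WRITABLE_MARKERS)


def check_registry(ev: Dict[str, Any]) -> Optional[str]:
    """Sysmon Event 13: TargetObject is the key\\value path, Details the data."""
    target = ev["TargetObject"].lower()
    if not any(key in target for key in AUTORUN_KEYS):
        return None
    where = "user-writable" if is_user_writable(ev["Details"]) else "system"
    return f"Run key write {ev['TargetObject']} -> {ev['Details']} ({where} path)"


def task_command(task_xml: str) -> Optional[str]:
    """Extract the Exec/Command element from a task definition, if present."""
    root = ET.fromstring(task_xml)
    node = root.find(f"{TASK_NS}Actions/{TASK_NS}Exec/{TASK_NS}Command")
    return node.text if node is not None else None


def check_task(ev: Dict[str, Any]) -> Optional[str]:
    """Security Event 4698: TaskName plus the task definition XML in TaskContent."""
    cmd = task_command(ev["TaskContent"])
    if cmd and is_user_writable(cmd):
        return f"scheduled task {ev['TaskName']} runs {cmd} from a user-writable path"
    return None


def triage(events: List[Dict[str, Any]]) -> List[str]:
    findings = []
    for ev in events:
        if ev["EventID"] == 13:
            finding = check_registry(ev)
        elif ev["EventID"] == 4698:
            finding = check_task(ev)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


def _task_xml(command: str) -> str:
    """Build a minimal task definition around the given command (constructed)."""
    return (
        f'<Task version="1.2" xmlns="{TASK_NS[1:-1]}">'
        "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
        f'<Actions Context="Author"><Exec><Command>{command}</Command>'
        "<Arguments>--silent</Arguments></Exec></Actions></Task>"
    )


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Users\bob\Downloads\FreeTool\FreeTool.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\AppData\Local\Temp\updater.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Vendor\Settings\Theme",
     "Details": "dark"},
    {"EventID": 4698, "SubjectUserName": "bob", "TaskName": r"\Updater",
     "TaskContent": _task_xml(r"C:\Users\bob\Downloads\FreeTool\svc.exe")},
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": r"\Vendor\Update",
     "TaskContent": _task_xml(r"C:\Program Files\Vendor\update.exe")},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("ALERT", line)
```

Two findings come back: the Run value pointing at a Temp executable and the task launching a binary from Downloads. The vendor's own Run-key-free settings write and its task under Program Files are left alone. Every Run/RunOnce write is reported, with the path class attached, because installers legitimately use those keys and the user-writable label is what separates the cases worth a second look.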

Source: Security Affairs