Cryptopolitan, October 12, 2025

Hackers target South American crypto users on GitHub with credential stealing Trojan

Hackers are now stealing crypto credentials on GitHub with a banking Trojan called Astaroth. The development was revealed after research by cybersecurity firm McAfee. The outfit claimed that the Trojan uses GitHub repositories whenever its servers are taken down.

According to the researchers, the Astaroth banking Trojan is a virus spread via phishing emails that invite victims to download a Windows (.lnk) file. Once the victim downloads the file, it installs malware on the host. It runs in the background of the victim’s device, using keylogging to steal banking and crypto credentials. These credentials are sent to the hackers through the Ngrok reverse proxy (an intermediary between servers).

Hackers use Astaroth Trojan to steal crypto credentials

One of the unique features is that Astaroth uses GitHub repositories to update its server configuration whenever its command-and-control server is taken down. This usually happens because of the intervention of cybersecurity firms or law enforcement agencies.

“GitHub is not used to host the malware itself, but just to host a configuration that points to the bot server,” said Abhishek Karnik, Director for Threat Research and Response at McAfee. He explained that the malware’s deployers are using GitHub as a resource to direct victims to updated servers, which separates the exploits from previous instances in which GitHub has been used. This includes an attack vector discovered by McAfee in 2024, where the hackers inserted the Redline Stealer malware into GitHub repositories, something which has been repeated this year in the GitVenom campaign.

“However, in this case, it’s not malware that is being hosted but a configuration that manages how the malware communicates with its backend infrastructure,” Karnik said. As with the GitVenom campaign, the goal of the bad actors behind Astaroth is to exfiltrate credentials that can be used to steal their victims’ digital assets or to make transfers out of their bank accounts.

“We don’t have data about how much money or crypto it has stolen, but it appears to be very prevalent, especially in Brazil,” said Karnik.

Researchers note prevalence of malware in South America

According to reports, it looks like Astaroth has been used primarily in South American countries, including Mexico, Uruguay, Panama, Colombia, Ecuador, and [...]. Other locations where it has been used are Peru, Venezuela, Paraguay, and [...]. While the malware can also be used to target users in Portugal and Italy, it has been coded in such a way that it is not uploaded to systems in the United States or other countries where English is the major language, such as [...].

The malware is capable of shutting down its host system if it detects that analysis software is being operated, while it is designed to run keylogging functions if it detects that a web browser is visiting certain banking sites. These include safra.com.br, btgpactual.com, caixa.gov.br, santandernet.com.br, [...], and [...]. It has also been written to target crypto domains like localbitcoins.com, bitcointrade.com.br, foxbit.com.br, etherscan.io, and [...].

In the face of such threats, McAfee urged users not to open attachments or links from unknown senders. In addition, it has advised them to ensure they are using up-to-date antivirus software and two-factor authentication. It also urged users to be vigilant, especially when carrying out activities on platforms like GitHub, where code is shared and the platform is used by millions of developers.
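
The behaviour the article describes (configuration pulled from GitHub, credentials sent out through an Ngrok tunnel) suggests one network-side check, shown here as an added example that is not from the article or from McAfee's research: flag a workstation when the same non-browser process contacts a GitHub content host and then an Ngrok tunnel endpoint within a short window. The log format, hostname suffixes, process allowlist and 10-minute window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Assumed hostname suffixes; the article names the services, not the hostnames.
GITHUB_SUFFIXES = ("raw.githubusercontent.com", "gist.githubusercontent.com")
NGROK_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app")
# Assumed allowlist of processes expected to reach GitHub directly.
EXPECTED = {"git.exe", "chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed proxy log: timestamp, workstation, process, destination host.
SAMPLE_LOG = """\
2025-10-12T09:00:01 WS-014 chrome.exe raw.githubusercontent.com
2025-10-12T09:01:10 WS-022 svc-helper.exe raw.githubusercontent.com
2025-10-12T09:03:45 WS-022 svc-helper.exe a1b2c3.ngrok.io
2025-10-12T09:05:00 WS-031 git.exe github.com
2025-10-12T11:40:00 WS-040 updater.exe raw.githubusercontent.com
2025-10-12T13:15:00 WS-040 updater.exe tunnel.ngrok-free.app
2025-10-12T14:00:00 WS-050 dev-tool.exe demo.ngrok.app
"""

def parse(log):
    """Yield (time, host, process, destination) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, host, proc, dest = parts
        yield datetime.fromisoformat(ts), host, proc.lower(), dest.lower()

def find_suspects(log):
    """Return (host, process, ngrok_dest, gap) where an unexpected process
    reached a GitHub content host and then an Ngrok endpoint within WINDOW."""
    last_github = {}  # (host, process) -> time of last GitHub content fetch
    alerts = []
    for ts, host, proc, dest in sorted(parse(log)):
        if proc in EXPECTED:
            continue
        key = (host, proc)
        if dest.endswith(GITHUB_SUFFIXES):
            last_github[key] = ts
        elif dest.endswith(NGROK_SUFFIXES):
            seen = last_github.get(key)
            if seen is not None and ts - seen <= WINDOW:
                alerts.append((host, proc, dest, ts - seen))
    return alerts
```

On the constructed log only WS-022 is flagged: WS-040 falls outside the window and WS-050 never touched GitHub, so either would need a separate rule for Ngrok use on its own.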
