Hackers are now stealing crypto credentials on GitHub with a banking Trojan called Astaroth. The development was revealed after research by cybersecurity firm McAfee. The outfit claimed that the Trojan uses GitHub repositories whenever its servers are taken down.
According to the researchers, the Astaroth banking Trojan is a virus spread via phishing emails that invite victims to download a Windows (.lnk) file.
After the victim downloads the file, it installs malware on the host computer. Astaroth runs in the background of the victim’s device, using keylogging to steal banking and crypto credentials. Such credentials are sent to the hackers through the Ngrok reverse proxy (an intermediary between servers).
Hackers use Astaroth Trojan to steal crypto credentials
One of the unique features is that Astaroth uses GitHub repositories to update its server configuration whenever its command-and-control server is taken down. This usually happens because of the intervention of cybersecurity firms or law enforcement agencies.
“GitHub is not used to host the malware itself, but just to host a configuration that points to the bot server,” said Abhishek Karnik, Director for Threat Research and Response at McAfee.
Karnik explained that the malware’s deployers are using GitHub as a resource to direct victims to updated servers, which separates the exploits from previous instances in which GitHub has been harnessed. This includes an attack vector discovered by McAfee in 2024, where the hackers inserted the Redline Stealer malware into GitHub repositories, something which has been repeated this year in the GitVenom campaign.
“However, in this case, it’s not malware that is being hosted but a configuration that manages how the malware communicates with its backend infrastructure,” Karnik added.
As with the GitVenom campaign, the goal of the bad actors behind Astaroth is to exfiltrate credentials that can be used to steal their victims’ digital assets or to make transfers out of their bank accounts. “We don’t have data about how much money or crypto it has stolen, but it appears to be very prevalent, especially in Brazil,” said Karnik.
Researchers note prevalence of malware in South America
According to reports, it looks like Astaroth has been used primarily in South American countries, including Mexico, Uruguay, Panama, Colombia, Ecuador, and Chile. Other locations where it has been used are Peru, Venezuela, Paraguay, and Argentina.
While the malware can also be used to target users in Portugal and Italy, it has been coded in such a way that it is not uploaded to systems in the United States or other countries where English is the major language, such as England.
The malware is capable of shutting down its host system if it detects that analysis software is being operated, while it is designed to run keylogging functions if it detects that a web browser is visiting certain banking websites. These include safra.com.br, btgpactual.com, caixa.gov.br, santandernet.com.br, itau.com.br, and bancooriginal.com.br. It has also been written to target crypto domains like localbitcoins.com, bitcointrade.com.br, foxbit.com.br, etherscan.io, and metamask.io.
In the face of such threats, McAfee urged users not to open attachments or links from unknown senders. In addition, it has advised them to ensure they are using up-to-date antivirus software and two-factor authentication.
Kaspersky also urged users to be vigilant, especially when carrying out activities on platforms like GitHub, where codes are shared and the platform is used by millions of developers worldwide.
