'PyStoreRAT' Malware Campaign Targets Developers with Lures of Fake OSINT and AI Tools on GitHub

Executive Summary

A sophisticated malware campaign is targeting developers, data analysts, and OSINT researchers by distributing a new information-stealing RAT named PyStoreRAT. The malware is delivered through malicious GitHub repositories that masquerade as legitimate tools for OSINT, AI, or DeFi. Attackers employ social engineering by creating credible-looking projects, complete with artificially inflated star and fork counts, to lure victims. The malicious code is introduced in a later update. Once executed, PyStoreRAT steals sensitive information, focusing on cryptocurrency wallets, and acts as a backdoor to deliver additional malware like the Rhadamanthys infostealer. This campaign highlights the increasing trend of threat actors poisoning the open-source software supply chain to target technically proficient users.

Threat Overview

• Malware: PyStoreRAT, Rhadamanthys
• Delivery Vector: Malicious code updates in fake GitHub repositories.
• Targets: Developers, OSINT researchers, data analysts, cryptocurrency users.

This campaign leverages a clever social engineering tactic. Attackers create a GitHub repository for a seemingly useful tool. They build a false sense of trust and popularity by using bots or other means to add stars and forks. After developers or researchers clone and begin using the tool, the attackers push an update that contains the hidden PyStoreRAT payload. Users who pull the update and run the new code become infected.

Technical Analysis

Infection Chain:

1. Lure: Victim clones a seemingly popular and legitimate Python tool from GitHub.
2. Infection: Victim pulls a malicious update and executes the code.
3. Evasion: The malware uses mshta.exe to execute JavaScript, a technique to bypass some security controls. It also checks for the presence of EDR solutions from vendors like CrowdStrike and ReasonLabs.
4. Persistence: PyStoreRAT creates a scheduled task disguised as an NVIDIA update to ensure it runs automatically.
5. Payload Execution: The malware begins its primary functions as an infostealer and a backdoor.

PyStoreRAT Capabilities:

• Information Stealing: Exfiltrates files, with a focus on those related to cryptocurrency wallets.

• Backdoor/Downloader: Can download and execute secondary payloads. The Rhadamanthys infostealer has been observed as a follow-on payload, which is a powerful stealer capable of harvesting browser data, system information, and more crypto wallets.

• Propagation: Spreads to other systems via infected USB drives.

• MITRE ATT&CK Mapping:

  • T1195.001 - Compromise Software Supply Chain: The core of the campaign involves compromising the software supply chain via malicious GitHub repos.
  • T1204.002 - Malicious File: The user is tricked into executing the malicious Python script.
  • T1059.006 - Python: The initial payload is a Python script.
  • T1547.001 - Registry Run Keys / Startup Folder: The use of a scheduled task for persistence.
  • T1555 - Credentials from Password Stores/Secrets: The primary goal of stealing credentials and crypto wallets.
  • T1091 - Replication Through Removable Media: The USB propagation feature.

Impact Assessment

The impact on an infected individual can be severe, leading to the theft of cryptocurrency and other sensitive financial information. For an organization, a compromised developer machine is a critical security incident. Developers often have privileged access to source code repositories, cloud environments, and production systems. An attacker with control of a developer's machine can steal proprietary code, inject malicious code into the company's own software (a further supply chain attack), or pivot to more critical parts of the network. The USB propagation feature also creates a risk of the malware spreading rapidly within an organization's internal network.

Cyber Observables for Detection

Detection & Response

• Endpoint Detection and Response (EDR): An EDR solution is key to detecting this threat. It can monitor for suspicious process chains (e.g., python.exe -> mshta.exe), the creation of persistence mechanisms like scheduled tasks, and file access patterns indicative of information stealing. This aligns with D3FEND Process Analysis (D3-PA).
• Developer Education: Train developers to be skeptical of GitHub repositories, even those that appear popular. Teach them to inspect code before running it, especially code from less-known authors, and to be wary of projects with sudden, unexplained spikes in popularity.
• Network Monitoring: Monitor outbound network traffic from developer workstations for connections to known malicious C2 servers or unusual destinations. Use D3FEND Outbound Traffic Filtering (D3-OTF) to block such connections.

Mitigation

1. Vet Open-Source Software: Establish a policy for vetting and approving open-source libraries and tools before they are used in development. Use tools that scan for malicious code in software dependencies.
2. Principle of Least Privilege: Developer machines should not be used for daily tasks like browsing or checking personal email. Developers should not have standing administrative privileges on their local machines. Run development tools in isolated environments like containers or VMs where possible. This is an application of D3FEND Application Isolation and Sandboxing (D3-AIS).
3. Disable USB Autorun: Disable the AutoPlay/Autorun feature in Windows via Group Policy to prevent the malware from automatically spreading via USB drives.
4. Credential Protection: Encourage the use of hardware wallets for storing significant amounts of cryptocurrency, as they are largely immune to malware-based theft. Use password managers to avoid storing credentials in files on disk.