Cyber criminals are deploying a novel technique to manipulate developers using GitHub and trick them into downloading malware, according to researchers at Checkmarx, who are warning today of a potential uptick in open source supply chain attacks as a result.
In the campaign, an undisclosed threat actor was discovered manipulating GitHub’s search functionality by creating malicious repositories with popular names and topics, and using automated updates and fake stars to boost their search rankings on the platform.
According to Checkmarx research engineer Yehuda Gelb, the actor hid malicious code within the repositories, contained inside csproj. and vcxproj. files, which are important elements of Visual Studio project builds, that automatically executed when the project was built. The attacker also modified the payload based on the victim’s origin, checking specifically to see if they were located in Russia, although this ability does not appear to have been switched on yet.
The executable itself shares similarities with a malware called Keyzetsu clipper, which targets cryptocurrency wallets, and establishes persistence on infected Windows machines via the creation of a scheduled task that runs the malware daily at 4am local time, without user involvement.
“Developers should be cautious when using code from public repositories and watch for suspicious repository properties, such as high commit frequencies and stargazers with recently created accounts,” wrote Gelb.
Poisonous search
The campaign discovered by Gelb is particularly notable for its sneaky exploitation of the legitimate search features within GitHub. The threat actor clearly has advanced knowledge of search optimisation techniques and uses names and topics that are likely to be searched by users, disguising them as legitimate projects that often relate to popular games, cheats or other tools.
By exploiting GitHub Actions, they then cause the repositories to automatically update at an unusually high frequency – this is done by performing a quick modification to a log file with an updated date or time, or some other small change. This activity continuously boosts the repository’s visibility.
The attacker also amplifies the effectiveness of their malicious repository by employing multiple sockpuppet GitHub accounts to artificially boost the malicious repository’s star ratings, boosting their visibility still further, especially to instances where users filter results by ratings.
This is not a new technique at all, indeed it has been widely used in the past. However, in past incidents where attackers fiddled with star ratings, they tended to add hundreds or thousands of bogus ratings to their repos – in this instance they seem to be opting for more realism to avoid raising too many eyebrows.
Gelb also noted that many of the sockpuppet stargazers were created on the same date, a potential indicator of suspicious activity.
The malicious code itself was updated as recently as 3 April 2024 to direct to a new URL downloading a different, encrypted .7z file containing an executable called feedbackAPI.exe, so the campaign is clearly still active.
Notably, the new executable had been padded with multiple zeros in an attempt to artificially boost its file size and exceed the threshold of scanners, such as VirusTotal, which can only accept files of up to 650MB in size – feedbackAPI.exe is 750MB in size.
Gelb said there was enough evidence to reveal the campaign has successfully deceived a lot of people, and a number of the malicious repositories have been receiving complaints from users who were tricked into downloading the dodgy code.
“The use of malicious GitHub repositories to distribute malware is an ongoing trend that poses a significant threat to the open source ecosystem,” wrote Gelb. “By exploiting GitHub’s search functionality and manipulating repository properties, attackers can lure unsuspecting users into downloading and executing malicious code.”
Gelb advised GitHub users to make themselves aware of some red flags indicating a campaign of this nature might be ongoing, including repositories with an “extraordinary” number of commits relative to its age, and stargazers exhibiting sockpuppet-like behaviour.
He argued that in the aftermath of the recent attack on the XZ Utils data compression library, in which a malicious actor apparently spent years gaining the trust of the open source project maintainer and committed many useful updates prior to trying to sneak in a backdoor, it would be unwise, if not downright irresponsible, for any developer to rely on reputation as a metric when using open source code.
“A developer who blindly takes code also blindly takes responsibility for that code. These incidents highlight the necessity for manual code reviews or the use of specialised tools that perform thorough code inspections for malware. Merely checking for known vulnerabilities is insufficient,” he warned.
The full research post, including indicators of compromise (IoCs), is available from Checkmarx.