Supply chain attack abuses GitHub features to spread malware
Checkmarx warned developers to be cautious when choosing which repositories to use, as attackers are manipulating GitHub features to boost malicious code.
Checkmarx discovered attackers manipulated GitHub's features to distribute malware and warned that the ongoing trend poses significant risks to the open source supply chain.
In a blog post Wednesday, Checkmarx security researcher Yehuda Gelb detailed a recent attack campaign where threat actors tricked developers into downloading malicious Visual Studio project files by manipulating GitHub's search functionality. The attackers leveraged GitHub Actions to automatically spotlight the malicious repositories and lured developers in by taking advantage of GitHub's star ratings, a feature implemented to promote trust among platform users.
During the attack campaign, the unidentified threat actors created GitHub repositories with alluring names and topics to draw clicks. Gelb warned developers to be cautious when using top search results because that's what attackers are counting on.
"These repositories are cleverly disguised as legitimate projects, often related to popular games, cheats, or tools, making it difficult for users to distinguish them from benign code. To ensure maximum visibility, the attackers employ a couple of clever techniques that consistently place their malicious repositories at the top of GitHub search results," Gelb wrote in the blog post.
One technique involved abuse of GitHub Actions, a continuous integration and continuous deployment workflow service. By automatically updating the malicious repositories with minor changes at a very high rate, the attackers boosted their visibility. Gelb said the technique is effective because the malicious repositories will show up in user search results filtered by "most recently updated."
The second technique allowed the attacker to create deceptively popular repositories. Popularity is based on a GitHub star rating review, and accounts that rate them are referred to as "stargazers." Developers typically "star" projects they know, trust and most commonly use. Gelb observed that the attacker abused that trust by creating "multiple fake accounts to add bogus stars" to boost the ratings of their own malicious repositories. While the technique was previously employed against GitHub instances, the threat actors in this campaign honed the technique to make it more believable.
"In contrast to past incidents where attackers were found to add hundreds or thousands of stars to their repos, it appears that in these cases, the attackers opted for a more modest number of stars, probably to avoid raising suspicion with an exaggerated number," the blog post read.
However, Checkmarx discovered that many of the stargazers employed in the campaign were created on the same date. Gelb urged users to be aware of the social engineering technique and emphasized that it's a "red flag for fake accounts."
Additionally, the threat actor used evasion techniques and maintained persistence on victims' Windows machines. "Malicious code is often hidden within the Visual Studio project files (.csproj or .vcxproj) to evade detection, automatically executing when the project is built," the blog post read.
"Therefore, it requires a specialized search, which the average user is unlikely to conduct. To establish malware persistence, attackers created scheduled tasks that run the malicious code at 4 AM, requiring no user confirmation or interaction."
The code, which is associated with the "Keyzetsu clipper" malware, was used to target cryptocurrency wallets and also maintain persistence on victims' systems. Keyzetsu is relatively new to the threat landscape, and Gelb said it's most commonly distributed through pirated software.
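The blog post notes that code hidden in .csproj or .vcxproj files runs at build time and needs a "specialized search" to find. The following scanner, an added example that is not Checkmarx's or TechTarget's code, performs that search over an MSBuild project body: it flags pre/post-build events, Exec tasks inside targets hooked before or after Build, and inline task factories. The sample project files and the "placeholder.exe" command are constructed for the example.

```python
import xml.etree.ElementTree as ET

# MSBuild hooks that run commands or compiled code during a build. All are
# legitimate features; the scanner surfaces them for review, not as verdicts.
BUILD_EVENT_PROPS = {"PreBuildEvent", "PostBuildEvent"}
EXEC_TASKS = {"Exec"}

def _local(tag: str) -> str:
    """Strip the XML namespace so old-style (namespaced) and SDK-style projects look alike."""
    return tag.rsplit("}", 1)[-1]

def scan_project(xml_text: str) -> list[dict]:
    """Return one finding per build-time execution hook in a .csproj/.vcxproj body."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        if name in BUILD_EVENT_PROPS and (elem.text or "").strip():
            findings.append({"kind": "build_event", "where": name, "detail": elem.text.strip()})
        elif name == "Target":
            # Targets hooked before/after Build run without the developer invoking them.
            hooks = {k: v for k, v in elem.attrib.items() if k in ("BeforeTargets", "AfterTargets")}
            for child in elem:
                if _local(child.tag) in EXEC_TASKS:
                    findings.append({"kind": "exec_task", "where": elem.get("Name", "?"),
                                     "detail": child.get("Command", ""), "hooks": hooks})
        elif name == "UsingTask" and any(_local(c.tag) == "Task" for c in elem):
            # Inline task factories compile and execute code embedded in the project file.
            findings.append({"kind": "inline_task", "where": elem.get("TaskName", "?"),
                             "detail": elem.get("TaskFactory", "")})
    return findings

# Constructed sample: SDK-style project with no build hooks.
CLEAN_PROJECT = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType></PropertyGroup>
</Project>"""

# Constructed sample: old-style (namespaced) project with a pre-build event and a
# target hooked before Build. "placeholder.exe" stands in for whatever would run.
HOOKED_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup><PreBuildEvent>placeholder.exe /quiet</PreBuildEvent></PropertyGroup>
  <Target Name="Init" BeforeTargets="Build">
    <Exec Command="placeholder.exe /quiet" />
  </Target>
</Project>"""

if __name__ == "__main__":
    for f in scan_project(HOOKED_PROJECT):
        print(f"{f['kind']:12} in {f['where']}: {f['detail']}")
```

Run it over every project file in a cloned repository before opening it in Visual Studio; any finding is a reason to read the target by hand.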
Based on payload activation, Gelb also observed the threat actors chose not to attack victims located in Russia. While the threat actor and attack scope remain unknown, it's clear attacks were effective when initiated.
"Evidence indicates that the attackers' campaign has successfully deceived unsuspecting users. Numerous malicious repositories have received complaints through issues and pull requests from users who experienced problems after downloading and using the code," the blog post read.
Jossef Harush Kadouri, head of software supply chain security at Checkmarx, told TechTarget Editorial it's difficult to tell the scope of the supply chain attack. "This campaign is targeting victims using SEO baits and constant pseudo updates. Based on the information we have, we can only guess the number of affected victims, as there is no trace of a successful infection," he said.
Gelb wrote that malicious GitHub repositories are "an ongoing trend that poses a significant threat to the open source ecosystem." For example, last month Checkmarx discovered a silent software supply chain attack where threat actors compromised GitHub accounts to make malicious commits to popular repositories, including Top.gg. Malware was discovered in multiple Top.gg user accounts.
Gelb recommended that developers check for suspicious activity related to commit frequency and stargazers. He advised users to be aware of who is starring the repositories and when the accounts were created. Additionally, Kadouri recommended using supply chain-specific threat intelligence feeds.
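The two checks Gelb recommends, stargazer account age and commit frequency, can be automated. The script below is an added example, not Checkmarx's tooling: it takes stargazer and commit records in the shape the GitHub API returns (account `created_at`, commit timestamps), flags dates on which several stargazer accounts were created, and measures the densest 24-hour burst of commits. The cluster size and commits-per-day thresholds are assumptions chosen for illustration, and all sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def _parse(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps the GitHub API returns, e.g. 2024-04-10T08:15:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stargazer_creation_clusters(stargazers: list[dict], min_cluster: int = 3) -> dict[str, list[str]]:
    """Group stargazers by account creation date; return dates shared by min_cluster or more.
    Each record needs 'login' and 'created_at' (the user's account creation time)."""
    by_date = defaultdict(list)
    for s in stargazers:
        by_date[_parse(s["created_at"]).date().isoformat()].append(s["login"])
    return {d: sorted(v) for d, v in by_date.items() if len(v) >= min_cluster}

def max_commits_in_window(commit_times: list[str], window: timedelta = timedelta(days=1)) -> int:
    """Sliding window over sorted commit times: the most commits inside any one window."""
    times = sorted(_parse(t) for t in commit_times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def assess_repo(stargazers: list[dict], commit_times: list[str],
                star_cluster: int = 3, commits_per_day: int = 20) -> list[str]:
    """Combine both heuristics into human-readable review flags (thresholds are assumptions)."""
    flags = []
    for day, logins in stargazer_creation_clusters(stargazers, star_cluster).items():
        flags.append(f"{len(logins)} stargazers created on {day}: {', '.join(logins)}")
    burst = max_commits_in_window(commit_times)
    if burst >= commits_per_day:
        flags.append(f"{burst} commits within 24 hours (possible automated pseudo-updates)")
    return flags

# Constructed sample data shaped like the GitHub API's user and commit objects:
# two long-standing accounts plus four created on the same day, and one quiet
# commit followed by an hourly stream on a single day.
STARGAZERS = [
    {"login": "dev-alpha", "created_at": "2019-06-02T10:00:00Z"},
    {"login": "dev-beta", "created_at": "2021-11-15T09:30:00Z"},
] + [{"login": f"user{i}", "created_at": f"2024-03-30T1{i}:00:00Z"} for i in range(4)]
COMMITS = ["2024-04-01T12:00:00Z"] + [f"2024-04-09T{h:02d}:00:00Z" for h in range(24)]

if __name__ == "__main__":
    for flag in assess_repo(STARGAZERS, COMMITS):
        print("FLAG:", flag)
```

Neither flag proves malice on its own; a cluster of same-day stargazer accounts on top of a repository that only ever receives trivial hourly commits is the combination the article describes.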
Gelb emphasized how risky it is for developers to rely solely on reputation when choosing which repository to use, as malicious code could be hiding.
"These incidents highlight the necessity for manual code reviews or the use of specialized tools that perform thorough code inspections for malware," the blog post read.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.