New Technique Detected in an Open Source Supply Chain Attack
New Technique Detected in an Open Source Supply Chain Attack
checkmarx.com New Technique Detected in an Open Source Supply Chain Attack
In a recent attack campaign, cybercriminals were discovered cleverly manipulating GitHub's search functionality, and using meticulously crafted repositories to distribute malware.
1 comments
Key Points
GitHub search manipulation: Attackers create malicious repositories with popular names and topics, using techniques like automated updates and fake stars to boost search rankings and deceive users. Malicious code is often hidden within Visual Studio project files (.csproj or .vcxproj) to evade detection, automatically executing when the project is built. The attacker had set up the stage to modify the payload based on the victim's origin, checking specifically if the victim is based in Russia. At this point, we don't see this ability activated. The recent malware campaign involves a large, padded executable file that shares similarities with the "Keyzetsu clipper" malware, targeting cryptocurrency wallets. The malware establishes persistence on infected Windows machines by creating a scheduled task that runs the malicious executable daily at 4AM without user confirmation. Developers should be cautious when using code from public repositories and watch for suspicious repository properties, such as high commit frequencies and stargazers with recently created accounts.edit: formatting