Sunday, May 19, 2024

Hackers Manipulate GitHub Search To Deliver Clipboard-Hijacking Malware

In a sophisticated cyberattack campaign uncovered on April 10, 2024, cybercriminals are exploiting GitHub’s search functionality to distribute a particularly insidious form of malware, known as “Keyzetsu clipper,” targeting cryptocurrency wallets.

This new wave of attacks highlights cybercriminals’ evolving tactics and raises significant concerns over the security of open-source supply chains.

The attackers have ingeniously crafted repositories with popular names and topics, employing automated updates and fake popularity metrics to manipulate GitHub’s search rankings.

Manipulate GitHub Search

This manipulation ensures their malicious repositories appear at the top of search results, deceiving unsuspecting users into downloading malware-laden code.

The Mechanics Of The Attack

The core of this attack lies in manipulating GitHub’s search functionality.

According to the Checkmarx report, attackers make it challenging for users to distinguish between benign and malicious code by creating repositories that mimic legitimate projects, often related to popular games, cheats, or tools.

These repositories are designed to appear more credible and attractive to potential victims by leveraging GitHub Actions for automatic updates, which boosts their visibility in search results.

One of this campaign’s most alarming aspects is the use of Visual Studio project files (.csproj or .vcxproj) to conceal the malicious code.

Manipulate GitHub Search

This code is crafted to automatically execute when the project is built, making detection even more challenging.

Furthermore, the attackers have prepared the malware to modify its payload based on the victim’s geographic location, although this functionality was not activated at the time of discovery.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

The Threat Of “Keyzetsu Clipper”

The malware at the heart of this campaign, dubbed “Keyzetsu clipper,” is designed to hijack the clipboard of infected Windows machines.

This allows the malware to replace cryptocurrency wallet addresses copied to the clipboard with addresses controlled by the attackers, effectively diverting cryptocurrency transactions to their wallets.

The malware establishes persistence on the infected machines, ensuring its continued operation even after rebooting the system.

This attack underscores the vulnerabilities inherent in the open-source supply chain, particularly the reliance on platforms like GitHub for code sharing and collaboration.

The clever manipulation of GitHub’s search functionality to distribute malware represents a significant escalation in the sophistication of cyberattacks targeting developers and the broader open-source community.

In response to these findings, cybersecurity experts are urging developers and users to exercise increased vigilance when downloading code from GitHub.

Recommendations include verifying the authenticity of repositories, scrutinizing project files for unusual code, and employing robust security solutions capable of detecting and neutralizing such threats.

As the cyber threat landscape continues to evolve, the discovery of this campaign serves as a stark reminder of the need for constant vigilance and proactive security measures within the open-source ecosystem.

The collaborative nature of open-source development, while one of its greatest strengths, also presents unique challenges in safeguarding against such sophisticated and deceptive attacks.

In conclusion, the manipulation of GitHub search to distribute clipboard-hijacking malware marks a significant development in cybercriminal tactics, highlighting the ongoing battle between attackers seeking to exploit digital platforms and the cybersecurity community’s efforts to protect them.

Are you from the SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free 


    Latest articles

    Hackers Exploiting Docusign With Phishing Attack To Steal Credentials

    Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make...

    Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

    A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

    New Linux Backdoor Attacking Linux Users Via Installation Packages

    Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

    ViperSoftX Malware Uses Deep Learning Model To Execute Commands

    ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

    Santander Data Breach: Hackers Accessed Company Database

    Santander has confirmed that there was a major data breach that affected its workers...

    U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

    The U.S. government has offered a prize of up to $5 million for information...

    Russian APT Hackers Attacking Critical Infrastructure

    Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...
    BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

    Free Webinar

    Live API Attack Simulation

    94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
    Key takeaways include:

    • An exploit of OWASP API Top 10 vulnerability
    • A brute force ATO (Account Takeover) attack on API
    • A DDoS attack on an API
    • Positive security model automation to prevent API attacks

    Related Articles